Custom development for ctrbts/secure-timthumb

Feature changes on request, performance tuning and integration with your business systems, with one-stop technical support

Email: yvsm@zunyunkeji.com | QQ: 316430983 | WeChat: yvsm316

ctrbts/secure-timthumb

Latest stable version: v3.0.0

Composer install command:

composer require ctrbts/secure-timthumb

Package description

A secure, modern, drop-in replacement for the legacy TimThumb PHP script.

README

A secure, modern rewrite of the timthumb.php script. This project aims to provide a drop-in replacement for legacy systems that still rely on TimThumb, mitigating the critical RCE and file inclusion vulnerabilities present in the original version.

⚠️ WARNING: This library is intended for legacy maintenance. For new projects, you will probably prefer a modern solution such as Intervention Image or a cloud-based image service.

Key Security Improvements

  • Strict MIME Type Checking: Uses finfo to validate magic bytes. Malicious files renamed to .jpg will be rejected.
  • No Webshots: The vulnerable exec() based website screenshot feature has been removed entirely.
  • External Sites Disabled by Default: Must be explicitly enabled via config.
  • SSRF Protection: cURL is restricted to HTTP/HTTPS protocols only to prevent internal network scanning.
  • Cache Execution Prevention: Automatically generates an .htaccess in the cache directory to prevent PHP execution.
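The three checks above (magic-byte MIME validation, protocol-restricted cURL, and a non-executable cache directory) are shown below as small stand-alone PHP functions. This is an added illustration, not code from ctrbts/secure-timthumb; the function names, the allowed MIME list, and the Apache 2.4 `.htaccess` rules are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example (not the library's own code). Function names and the
// $cacheDir / $url parameters are assumptions for illustration.

/**
 * Strict MIME check: inspect the magic bytes of the downloaded data
 * rather than trusting the file extension or the remote Content-Type.
 * A PHP or HTML payload renamed to .jpg reports text/x-php or text/html
 * here and is rejected.
 */
function isAllowedImage(string $bytes): bool
{
    $allowed = ['image/jpeg', 'image/png', 'image/gif', 'image/webp']; // assumed list
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->buffer($bytes);
    return $mime !== false && in_array($mime, $allowed, true);
}

/**
 * SSRF hardening: restrict cURL to http/https for the initial request
 * and for any redirect it follows, so file://, gopher://, dict:// and
 * similar targets are refused by libcurl itself. Also caps the body
 * size during transfer. Returns the body, or null on any failure.
 */
function fetchHttpOnly(string $url, int $maxBytes): ?string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER   => true,
        CURLOPT_PROTOCOLS        => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS  => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION   => true,
        CURLOPT_MAXREDIRS        => 3,
        CURLOPT_CONNECTTIMEOUT   => 5,
        CURLOPT_TIMEOUT          => 15,
        // Abort the transfer as soon as the body exceeds the size cap.
        CURLOPT_NOPROGRESS       => false,
        CURLOPT_PROGRESSFUNCTION => static function ($ch, $dlTotal, $dlNow) use ($maxBytes): int {
            return ($dlNow > $maxBytes) ? 1 : 0; // non-zero return aborts the transfer
        },
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200 || strlen($body) > $maxBytes) {
        return null;
    }
    return $body;
}

/**
 * Cache execution prevention: ensure nothing written into the cache
 * directory can be served as PHP, even if a crafted file slips past
 * the other checks. Assumes Apache 2.4 with AllowOverride enabled.
 */
function protectCacheDir(string $cacheDir): void
{
    if (!is_dir($cacheDir) && !mkdir($cacheDir, 0755, true) && !is_dir($cacheDir)) {
        throw new RuntimeException("cannot create cache dir: $cacheDir");
    }
    $htaccess = $cacheDir . DIRECTORY_SEPARATOR . '.htaccess';
    if (!file_exists($htaccess)) {
        $rules = "# generated: never execute anything stored in this directory\n"
               . "<FilesMatch \"\\.(php|phtml|phar|phps)$\">\n"
               . "  Require all denied\n"
               . "</FilesMatch>\n";
        file_put_contents($htaccess, $rules, LOCK_EX);
    }
}

// Usage sketch: fetch, validate the bytes, then write to the protected cache.
// $data = fetchHttpOnly('https://example.com/photo.jpg', 5242880);
// if ($data !== null && isAllowedImage($data)) {
//     protectCacheDir(__DIR__ . '/cache');
//     file_put_contents(__DIR__ . '/cache/' . sha1($data) . '.img', $data, LOCK_EX);
// }
```

Note that the MIME check runs on the bytes actually received, after the fetch, so a redirect to a non-image resource is caught even when the original URL looked harmless; the protocol restriction is applied to redirects as well via `CURLOPT_REDIR_PROTOCOLS`, which is the part most hand-rolled fetchers forget.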

Installation

Option A:

Composer (Recommended)

composer require ctrbts/secure-timthumb

Option B:

Drop-in Replacement (Manual)

  1. Download TimThumb.php from this repository.
  2. Replace your existing timthumb.php file.
  3. Ensure the cache directory exists and is writable by the web server.

Configuration

You can configure the script by instantiating the class with an array of options (if using as a library) or by editing the default config array at the top of the TimThumb.php file (if using as a standalone script).

// Example Configuration
$config = [
    'allow_external' => true,
    'allowed_sites'  => ['flickr.com', 'staticflickr.com'],
    'max_file_size'  => 5242880, // 5MB
];
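The options in that array are only useful if they are enforced correctly, in particular `allowed_sites`, where a naive substring match can be bypassed by a look-alike host. The class below is an added example of how those three options can be applied; it is not the library's own class (the name `ExternalSourcePolicy` and its methods are assumptions) and it requires PHP 8.0 or later for `str_ends_with`.

```php
<?php
declare(strict_types=1);

// Added example (not the library's own code). ExternalSourcePolicy and its
// method names are assumptions made for illustration.

final class ExternalSourcePolicy
{
    /** @var array<string,mixed> */
    private array $config;

    public function __construct(array $config)
    {
        // Secure defaults: external sources stay disabled unless switched on.
        $this->config = array_merge([
            'allow_external' => false,
            'allowed_sites'  => [],
            'max_file_size'  => 5242880,
        ], $config);
    }

    /**
     * Decide whether a remote source URL may be fetched at all.
     * Returns null when allowed, otherwise a short reason for rejection.
     */
    public function rejectReason(string $url): ?string
    {
        if ($this->config['allow_external'] !== true) {
            return 'external sources are disabled';
        }
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            return 'malformed URL';
        }
        if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            return 'only http/https are allowed';
        }
        if (isset($parts['user']) || isset($parts['pass'])) {
            return 'credentials in URL are not allowed';
        }
        $host = strtolower(rtrim($parts['host'], '.'));
        foreach ($this->config['allowed_sites'] as $site) {
            $site = strtolower(rtrim($site, '.'));
            // Exact match or a genuine subdomain (host ends in ".site").
            // A plain strpos() test would accept "flickr.com.evil.example".
            if ($host === $site || str_ends_with($host, '.' . $site)) {
                return null;
            }
        }
        return 'host not in allowed_sites';
    }

    /** Enforce max_file_size on a downloaded body. */
    public function withinSizeLimit(string $bytes): bool
    {
        return strlen($bytes) <= (int) $this->config['max_file_size'];
    }
}

// Usage with the configuration values shown in the README.
$policy = new ExternalSourcePolicy([
    'allow_external' => true,
    'allowed_sites'  => ['flickr.com', 'staticflickr.com'],
    'max_file_size'  => 5242880,
]);

// Constructed sample URLs: one legitimate subdomain, one look-alike host,
// one wrong scheme.
foreach ([
    'https://live.staticflickr.com/1234/photo.jpg',
    'https://flickr.com.evil.example/photo.jpg',
    'ftp://flickr.com/photo.jpg',
] as $url) {
    printf("%-45s %s\n", $url, $policy->rejectReason($url) ?? 'allowed');
}
```

Keeping the decision in one method that returns a reason string makes the rejection easy to log, which is what you want when reviewing access logs for probing of the external-fetch feature.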

Attribution & Transparency

Maintainer: Fernando Merlo

Original Authors: Ben Gillbanks & Mark Maunder

Refactor Note: This codebase was refactored with the assistance of AI tools to analyze historical security flaws and implement modern PHP security standards (PSR, Strict Types, Exception Handling).

Disclaimer: This software is provided "as is", without warranty of any kind. Use at your own risk.

Statistics

  • Total downloads: 2
  • Monthly downloads: 0
  • Daily downloads: 0
  • Favorites: 0
  • Views: 2
  • Dependent projects: 0
  • Recommendations: 0

GitHub information

  • Stars: 0
  • Watchers: 0
  • Forks: 0
  • Language: PHP

Other information

  • License: MIT
  • Updated: 2025-11-29

Development services offered

  • PHP development
  • VUE
  • Vue development
  • Front-end development
  • Mini-program development
  • WeChat Official Account development
  • Custom systems
  • Database design
  • Cloud deployment
  • Website building
  • Security hardening