MarkMaunder dot com

A secure rewrite of timthumb.php as WordThumb

August 4, 2011 | mark | Security, TimThumb, Wordpress

Big News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Read this now.

Update 3 (Final): WordThumb has now been merged into TimThumb and has become TimThumb 2.0. Please head over to the TimThumb site now for updates and to get the code.

Update 2: WordThumb can now take screenshots of websites for you and turn them into thumbnails.

Update 1: Two minor bugs fixed and new minor version released. Thanks guys! You can post bugs directly on this page if you find any more.

I’ve done a full top to bottom rewrite of timthumb and forked the project as WordThumb. You can find it on Google Code with basic instructions on how to use it. Please report any bugs to me at mmaunder at gmail as soon as you can. The code is tested on Ubuntu Linux under Apache and works great.

The only code that is still original timthumb code is the image processing routines. Everything else has been rewritten from scratch. Here are the changes:

  • Code is now object oriented PHP and is much more manageable and readable. It will still run just about anywhere.
  • Fully backwards compatible with all timthumb’s options.
  • Uses a non-web accessible directory as cache for security. By default it uses the system temporary directory. There is a config option to override this.
  • All cached files have a .txt extension as an extra precaution.
  • Cache cleaning has been rewritten to be faster and only run once a day (user configurable) with no contention between processes.
  • ALLOW_EXTERNAL now works as expected. If disabled, you can’t load external files.
  • mime type checking is improved. Previously files would be written to a web accessible cache before the mime check step. Now the furthest a non-image will get is a temporary file which fails a mime check and is deleted.
  • Previously, the check_cache function created a directory with 777 permissions. That’s removed and we simply use the system temporary directory for everything cache related now.
  • Writing images uses file locking now to avoid two processes writing to the same image file and corrupting it.
  • We now use temporary files when fetching remote images rather than using the same filename we’re turning into a thumbnail. This avoids another process on a busy server thinking a file is a cached thumbnail and serving an unprocessed image accidentally.
  • Fixed browser headers like accept-ranges.
  • Improved error reporting.
  • Added debug mode with tons of debug messages.
  • Debug messages include benchmarking to see where slowdowns occur if any. (It’s very fast!)
  • Cleaned up conflicting curl options like CURLOPT_FILE
  • Added ability to disable browser caching for debugging
  • Added clarity on curl timeout (many sites use php’s default fetching which doesn’t have a timeout)

Leave a Comment

Your email address will not be published. Required fields are marked *

My name is Mark Maunder. I've been blogging since around 2003 when I started on Movable Type and ended up on WordPress which is what I use to publish today. With my wife Kerry, I'm the co-founder of Wordfence which protects over 5 million WordPress sites from hackers and is run by a talented team of 36 people. I'm an instrument rated pilot and I fly a Cessna 206 along with a 1964 Cessna 172 in the Pacific Northwest and Colorado. I'm originally from Cape Town, South Africa but live in the US these days. I code in a bunch of languages and am quite excited about our emerging AI overlords and how they're going to be putting us to work for them.