A secure, slimmed down version of the ol' standby TimThumb.
Like many WordPress developers, we've been making use of the old TimThumb script for years. It works well and offers features not yet available in other projects such as BFI_Thumb (although that does look like a promising start). We still support a lot of sites that depend on some of TimThumb's more advanced features, like crop positioning and filters.
So we decided to create a leaner, meaner, MUCH MORE SECURE fork of TimThumb. To that end we've foregone full backward compatibility with the old TimThumb code. Here are the major changes:
- Removed the WebShots features entirely
- Removed the PHP Memory settings entirely
- Disabled all remote/external sites by default
- Removed option to allow all remote sites
- Changed cache folder to use system cache by default
- Increased default caching time and time between cleans
- Increased default allowed file size and dimensions
- Enabled PNG compression by default
- Enabled PNG transparency by default
- Removed error output that revealed script versions and error images
- Added tilde support in URLs (for user home directories)
- Code cleanup and PHP docblock comments
- Added check to ensure class was defined before calling start method
You can help out by testing this and reporting bugs. We ARE NOT interested in preserving 100% compatibility with all of TimThumb's less frequently used features as mentioned above but we ARE VERY motivated to make sure this code is secure. So any security issues will be dealt with immediately.
Pull requests are most welcome. Cheers.
parameter | stands for | values | What it does
---|---|---|---
src | source | path or URL of the image | Tells mThumb which image to resize. Remote URLs are only fetched when ALLOW_EXTERNAL is on and the host is in the allowed sites list
w | width | the width to resize to | Remove the width to scale proportionally (you will then need the height)
h | height | the height to resize to | Remove the height to scale proportionally (you will then need the width)
q | quality | 0 – 100 | Compression quality. The higher the number the nicer the image will look. We wouldn't recommend going any higher than about 95, else the image will get too large
a | alignment | c, t, l, r, b, tl, tr, bl, br | Crop alignment. c = center, t = top, b = bottom, r = right, l = left. The positions can be joined to create diagonal positions
zc | zoom / crop | 0, 1, 2, 3 | Change the cropping and scaling settings
f | filters | too many to mention | Lets you apply image filters to change the resized picture. For instance you can change brightness/contrast or even blur the image
s | sharpen | (flag) | Apply a sharpen filter to the image; makes scaled-down images look a little crisper
cc | canvas colour | hexadecimal colour value (#ffffff) | Change the background colour. Most used when changing the zoom and crop settings, which in turn can add borders to the image
ct | canvas transparency | true (1) | Use transparency and ignore the background colour
You can override certain built-in settings by creating a config file called mthumb-config.php. It contains a series of define() statements that change the default settings.
These settings are not controlled by the normal query string parameters; they can only be changed in the config file.
constant | values | What it does
---|---|---
DEBUG_ON | true / false | Turn on debug logging to the standard PHP error log
DEBUG_LEVEL | 1, 2, 3 | Debug level 1 is least noisy and level 3 is the most noisy
ALLOW_EXTERNAL | true / false | Allow images from external sites to be resized. Even when enabled, fetching is restricted to the hosts listed in the $allowed_sites array
FILE_CACHE_ENABLED | true / false | Should we cache the resized files on disk to speed up your website? (hint: the answer is yes, unless you're testing/developing things! :))
FILE_CACHE_TIME_BETWEEN_CLEANS | 86400 (seconds, i.e. one day) | mThumb automatically cleans up the cached files. This defines the amount of time between cache cleaning runs
FILE_CACHE_MAX_FILE_AGE | 86400 (seconds, i.e. one day) | How old should a cached file be before it's cleaned?
FILE_CACHE_SUFFIX | .txt | What to put at the end of all files in the cache directory so we can identify them easily
FILE_CACHE_PREFIX | mthumb | What to put at the start of the cache files so we can identify them easily
FILE_CACHE_DIRECTORY | (blank = system temporary directory) | The name of the image cache directory. Left blank it will use the system temporary directory, which is better for security because the cache sits outside the web root, but is not supported by all web hosts
MAX_FILE_SIZE | 10485760 | Maximum size in bytes (10485760 is 10 MB) of any internal or external file that we'll process
CURL_TIMEOUT | 20 (seconds) | Timeout duration for cURL. This only applies if you have cURL installed and aren't using PHP's default URL fetching mechanism
WAIT_BETWEEN_FETCH_ERRORS | 20 (seconds) | Time to wait between errors fetching a remote file before trying again
BROWSER_CACHE_MAX_AGE | 864000 (seconds, i.e. ten days) | Browser cache duration (to prevent images from being reloaded more than once; the higher the number the better)
BROWSER_CACHE_DISABLE | true / false | Use for testing if you want to disable browser caching
MAX_WIDTH | 3600 | Put a sensible limit on the width of the resized image (so that crazy large images can't be created)
MAX_HEIGHT | 3600 | Put a sensible limit on the height of the resized image (so that crazy large images can't be created)
PNG_IS_TRANSPARENT | true / false | Define whether a PNG image should have a transparent background. Use false if you want to display a custom coloured canvas (cc)
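As an added example (not a file shipped with mThumb), here is what a hardened `mthumb-config.php` could look like using only the constants from the table above. It assumes the file is picked up from the same directory as the script, that `$allowed_sites` can be populated from the config file, and the host name `cdn.example.com` is a placeholder. The commented-out lines show the weaker settings next to the value we would actually deploy.

```php
<?php
/**
 * mthumb-config.php (added example, not part of the mThumb project).
 *
 * Every define() here overrides the built-in default for that constant.
 * The cache path and the allowed host are assumptions for illustration.
 */

// Remote fetching stays off unless a site genuinely needs it. If you do turn it on,
// only hosts in $allowed_sites are fetched, so keep that list short and explicit.
// define('ALLOW_EXTERNAL', true);   // weaker: lets the script fetch from listed remote hosts
define('ALLOW_EXTERNAL', false);
$allowed_sites = array(
    'cdn.example.com', // assumption: replace with your own image host if ALLOW_EXTERNAL is true
);

// Cache on disk, outside the web root. A blank directory means the system temp
// directory, which is the safer choice; set an explicit path only if your host
// does not allow writing there.
define('FILE_CACHE_ENABLED', true);
// define('FILE_CACHE_DIRECTORY', './cache'); // weaker: a cache folder inside the web root
define('FILE_CACHE_DIRECTORY', '');
define('FILE_CACHE_PREFIX', 'mthumb');
define('FILE_CACHE_SUFFIX', '.txt');
define('FILE_CACHE_TIME_BETWEEN_CLEANS', 86400); // seconds: run the cache clean once a day
define('FILE_CACHE_MAX_FILE_AGE', 86400);        // seconds: drop cached files older than a day

// Bound the work a single request can demand of the server.
define('MAX_FILE_SIZE', 10485760); // bytes: 10 MB
define('MAX_WIDTH', 1600);         // below the 3600 default; nothing on this site needs more
define('MAX_HEIGHT', 1600);
define('CURL_TIMEOUT', 10);        // seconds
define('WAIT_BETWEEN_FETCH_ERRORS', 20); // seconds

// Let browsers cache aggressively, and keep debug output off in production.
define('BROWSER_CACHE_MAX_AGE', 864000); // seconds: ten days
define('BROWSER_CACHE_DISABLE', false);
// define('DEBUG_ON', true);         // weaker: writes request details to the PHP error log
define('DEBUG_ON', false);
define('DEBUG_LEVEL', 1);

// PNG output keeps its transparency rather than being flattened onto the canvas colour.
define('PNG_IS_TRANSPARENT', true);
```

Drop this file next to mThumb, then request an image once with `BROWSER_CACHE_DISABLE` temporarily set to `true` to confirm the resized output before re-enabling browser caching.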
- 3.0.1 - Bugfix for unwritable cache folder
- 3.0 - Version number update to calm down some automated scanners that think this is an old version of TimThumb
- 1.0.2 - FogBugz integration
- 1.0.1 - Micro patch
- 1.0 - First proper release