dustout · dustout · May 24, 2025 · May 24, 2025
diff --git a/CommonImageActions.AspNetCore/CommonImageActionSettings.cs b/CommonImageActions.AspNetCore/CommonImageActionSettings.cs
@@ -40,6 +40,10 @@ public string PathToWatch
 
         public static string DefaultDiskCacheLocation { get; set; }
 
+        public static int MaxUrlWidth { get; set; } = 5000;
+
+        public static int MaxUrlHeight { get; set; } = 5000;
+
         public static string[] ValidImageExtensions = {
             ".bmp",
             ".gif",

diff --git a/CommonImageActions.AspNetCore/CommonImageActionsMiddleware.cs b/CommonImageActions.AspNetCore/CommonImageActionsMiddleware.cs
@@ -281,13 +281,21 @@ public static ImageActions ConvertQueryStringToImageActions(string queryString,
             var widthString = query["width"] ?? query["w"];
             if (int.TryParse(widthString, out int width))
             {
-                imageActions.Width = width;
+                //sanity check to make sure no bad actor requests a number that may eat all the ram in the system
+                if(width < CommonImageActionSettings.MaxUrlWidth)
+                {
+                    imageActions.Width = width;
+                }
             }
 
             var heightString = query["height"] ?? query["h"];
             if (int.TryParse(heightString, out int height))
             {
-                imageActions.Height = height;
+                //sanity check to make sure no bad actor requests a number that may eat all the ram in the system
+                if (width < CommonImageActionSettings.MaxUrlHeight)
+                {
+                    imageActions.Height = height;
+                }
             }
 
             var pageString = query["Page"] ?? query["p"];