author | Simon McVittie <smcv@debian.org> | 2016-05-04 08:54:19 +0100 |
---|---|---|
committer | Simon McVittie <smcv@debian.org> | 2016-05-05 23:43:50 +0100 |
commit | 545a7bbbf07dd2375a96eae09f9abd6329a919e5 (patch) | |
tree | 87d4952a8d68b4d65a05b4ee6681a088d7cf9519 | |
parent | 54a9f8d07de3bf853a74c34ca98bcb3ec9bc8ac7 (diff) | |
img: restrict to JPEG, PNG and GIF images by default
This mitigates CVE-2016-3714. Wiki administrators who know that they
have prevented arbitrary code execution via other formats can re-enable
the other formats if desired.
-rw-r--r-- | IkiWiki/Plugin/img.pm | 24 | ||||
-rwxr-xr-x | t/img.t | 46 | ||||
-rw-r--r-- | t/img/redsquare.jpg | bin | 0 -> 294 bytes |
3 files changed, 65 insertions, 5 deletions
diff --git a/IkiWiki/Plugin/img.pm b/IkiWiki/Plugin/img.pm
index a63e27dd6..53d963425 100644
--- a/IkiWiki/Plugin/img.pm
+++ b/IkiWiki/Plugin/img.pm
@@ -21,6 +21,28 @@ sub getsetup () {
 rebuild => undef,
 section => "widget",
 },
+ img_allowed_formats => {
+ type => "string",
+ default => [qw(jpeg png gif)],
+ description => "Image formats to process (jpeg, png, gif, pdf, svg or 'everything' to accept all)",
+ # ImageMagick has had arbitrary code execution flaws,
+ # and the whole delegates mechanism is scary from
+ # that perspective
+ safe => 0,
+ rebuild => 0,
+ },
+}
+
+sub allowed {
+ my $format = shift;
+ my $allowed = $config{img_allowed_formats};
+ $allowed = ['jpeg', 'png'] unless defined $allowed && @$allowed;
+
+ foreach my $a (@$allowed) {
+ return 1 if $a eq $format || $a eq 'everything';
+ }
+
+ return 0;
 }
 sub preprocess (@) {
@@ -97,6 +119,8 @@ sub preprocess (@) {
 $format = '';
 }
+ error sprintf(gettext("%s image processing disabled in img_allowed_formats configuration"), $format ? $format : "\"$extension\"") unless allowed($format ? $format : "everything");
+
 my $issvg = $base=~s/\.svg$/.png/i;
 my $ispdf = $base=~s/\.pdf$/.png/i;
 my $pagenumber = exists($params{pagenumber}) ? int($params{pagenumber}) : 0;
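Review bot: The fallback list in `allowed()` is `['jpeg', 'png']`, which disagrees with the `default => [qw(jpeg png gif)]` declared just above it in `getsetup` and with the commit title, so GIF is refused whenever `$config{img_allowed_formats}` is unset or empty. That fails closed, but the effective default then depends on whether the getsetup default ever reaches `%config`, which this hunk does not show. I would make the two agree with `$allowed = [qw(jpeg png gif)] unless defined $allowed && @$allowed;`. Separately, `@$allowed` assumes an array reference although the option is declared `type => "string"`, so a scalar value from the setup file is presumably not handled. A guard placed before the fallback line, `$allowed = [$allowed] if defined $allowed && !ref $allowed;`, would cover that case.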
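Review bot: The new `error ... unless allowed(...)` line in the second hunk only works as a mitigation for CVE-2016-3714 if nothing earlier in `preprocess` has already handed the file to ImageMagick, and no comment records that ordering requirement. `preprocess` starts and ends outside the hunk, so I cannot confirm from here that no read of the image precedes the gate. I would add a comment above the line such as `# Format allow-list gate: must stay ahead of any ImageMagick call on this file.` The same comment could note that an unrecognised format (empty `$format`) is accepted only when `everything` is configured, since that is easy to miss in the ternary.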
@@ -44,19 +44,26 @@ my $PDFS_WORK = defined $magick->Get("width"); ok(! system("rm -rf t/tmp; mkdir -p t/tmp/in")); ok(! system("cp t/img/redsquare.png t/tmp/in/redsquare.png")); +ok(! system("cp t/img/redsquare.jpg t/tmp/in/redsquare.jpg")); +ok(! system("cp t/img/redsquare.jpg t/tmp/in/redsquare.jpeg")); # colons in filenames are a corner case for img ok(! system("cp t/img/redsquare.png t/tmp/in/hello:world.png")); ok(! system("cp t/img/redsquare.png t/tmp/in/a:b:c.png")); ok(! system("cp t/img/redsquare.png t/tmp/in/a:b:c:d.png")); ok(! system("cp t/img/redsquare.png t/tmp/in/a:b:c:d:e:f:g:h:i:j.png")); -if ($SVGS_WORK) { - writefile("bluesquare.svg", "t/tmp/in", - '<svg width="30" height="30"><rect x="0" y="0" width="30" height="30" fill="blue"/></svg>'); -} +writefile("bluesquare.svg", "t/tmp/in", + '<svg width="30" height="30"><rect x="0" y="0" width="30" height="30" fill="blue"/></svg>'); +ok(! system("cp t/tmp/in/bluesquare.svg t/tmp/in/really-svg.png")); +ok(! system("cp t/tmp/in/bluesquare.svg t/tmp/in/really-svg.bmp")); +ok(! system("cp t/tmp/in/bluesquare.svg t/tmp/in/really-svg.pdf")); # using different image sizes for different pages, so the pagenumber selection can be tested easily ok(! system("cp t/img/twopages.pdf t/tmp/in/twopages.pdf")); +ok(! system("cp t/img/twopages.pdf t/tmp/in/really-pdf.jpeg")); +ok(! system("cp t/img/twopages.pdf t/tmp/in/really-pdf.jpg")); +ok(! system("cp t/img/twopages.pdf t/tmp/in/really-pdf.png")); +ok(! system("cp t/img/twopages.pdf t/tmp/in/really-pdf.svg")); my $maybe_svg_img = ""; if ($SVGS_WORK) { @@ -73,6 +80,8 @@ EOF writefile("imgconversions.mdwn", "t/tmp/in", <<EOF [[!img redsquare.png]] +[[!img redsquare.jpg size=11x]] +[[!img redsquare.jpeg size=12x]] [[!img redsquare.png size=10x]] [[!img redsquare.png size=30x50]] expecting 30x30 [[!img hello:world.png size=x8]] expecting 8x8 
@@ -80,11 +89,20 @@ writefile("imgconversions.mdwn", "t/tmp/in", <<EOF [[!img a:b:c:d:e:f:g:h:i:j.png size=x6]] $maybe_svg_img $maybe_pdf_img + +# bad ideas +[[!img really-svg.png size=666x]] +[[!img really-svg.bmp size=666x]] +[[!img really-svg.pdf size=666x]] +[[!img really-pdf.jpeg size=666x]] +[[!img really-pdf.jpg size=666x]] +[[!img really-pdf.png size=666x]] +[[!img really-pdf.svg size=666x]] EOF ); ok(utime(333333333, 333333333, "t/tmp/in/imgconversions.mdwn")); -ok(! system(@command)); +ok(! system(@command, '--set-yaml', 'img_allowed_formats=[jpeg, png, svg, pdf]')); sub size($) { my $filename = shift; @@ -122,6 +140,24 @@ is(size("$outpath/x8-hello:world.png"), "8x8"); is(size("$outpath/x4-a:b:c.png"), "4x4"); is(size("$outpath/x6-a:b:c:d:e:f:g:h:i:j.png"), "6x6"); +is(size("$outpath/11x-redsquare.jpg"), "11x11"); +is(size("$outpath/12x-redsquare.jpeg"), "12x12"); +like($outhtml, qr{src="(\./)?imgconversions/11x-redsquare\.jpg" width="11" height="11"}); +like($outhtml, qr{src="(\./)?imgconversions/12x-redsquare\.jpeg" width="12" height="12"}); + +# We do not misinterpret images +ok(! -e "$outpath/666x-really-svg.png"); +ok(! -e "$outpath/666x-really-svg.bmp"); +ok(! -e "$outpath/666x-really-pdf.jpeg"); +ok(! -e "$outpath/666x-really-pdf.jpg"); +ok(! -e "$outpath/666x-really-pdf.png"); + +# disable support for uncommon formats and try again +ok(! system(@command, "--rebuild")); +ok(! -e "$outpath/10x-bluesquare.png"); +ok(! -e "$outpath/12x-twopages.png"); +ok(! -e "$outpath/16x-p1-twopages.png"); + # now let's remove them again if (1) { # for easier testing diff --git a/t/img/redsquare.jpg b/t/img/redsquare.jpg Binary files differnew file mode 100644 index 000000000..565d7f33b --- /dev/null +++ b/t/img/redsquare.jpg |
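Review bot: The default-configuration `--rebuild` run at the end of the last t/img.t hunk asserts only that the SVG and PDF outputs are absent. It does not check that a still-allowed image is produced, that the rendered page carries the `img_allowed_formats` error text, or that GIF, the third format named in the commit title, is accepted. Absent-file checks alone would also pass if the output naming changed, so they do not prove the restriction is what blocked the conversion. I would add a positive check after the rebuild, for example `ok(-e "$outpath/10x-redsquare.png");`, plus a `like()` on the re-read page HTML for the error message. A GIF fixture next to `redsquare.jpg` would cover the whole default list.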