aboutsummaryrefslogtreecommitdiff
path: root/IkiWiki/Plugin
diff options
context:
space:
mode:
authorSimon McVittie <smcv@debian.org>2016-05-04 08:52:40 +0100
committerSimon McVittie <smcv@debian.org>2016-05-05 23:43:50 +0100
commit54a9f8d07de3bf853a74c34ca98bcb3ec9bc8ac7 (patch)
tree238e380782fd1f15f4ef0ee408e6c934a80ae08e /IkiWiki/Plugin
parent32ef584dc5abb6ddb9f794f94ea0b2934967bba7 (diff)
downloadikiwiki-54a9f8d07de3bf853a74c34ca98bcb3ec9bc8ac7.tar
ikiwiki-54a9f8d07de3bf853a74c34ca98bcb3ec9bc8ac7.tar.gz
img: force common Web formats to be interpreted according to extension
A site administrator might unwisely set allowed_attachments to something like '*.jpg or *.png'; if they do, an attacker could attach, for example, a SVG file named attachment.jpg. This mitigates CVE-2016-3714.
Diffstat (limited to 'IkiWiki/Plugin')
-rw-r--r--IkiWiki/Plugin/img.pm35
1 files changed, 34 insertions, 1 deletions
diff --git a/IkiWiki/Plugin/img.pm b/IkiWiki/Plugin/img.pm
index 169f5e713..a63e27dd6 100644
--- a/IkiWiki/Plugin/img.pm
+++ b/IkiWiki/Plugin/img.pm
@@ -64,6 +64,39 @@ sub preprocess (@) {
my $dir = $params{page};
my $base = IkiWiki::basename($file);
+ my $extension;
+ my $format;
+
+ if ($base =~ m/\.([a-z0-9]+)$/) {
+ $extension = $1;
+ }
+ else {
+ error gettext("Unable to detect image type from extension");
+ }
+
+ # Never interpret well-known file extensions as any other format,
+ # in case the wiki configuration unwisely allows attaching
+ # arbitrary files named *.jpg, etc.
+ if ($extension =~ m/^(jpeg|jpg)$/is) {
+ $format = 'jpeg';
+ }
+ elsif ($extension =~ m/^(png)$/is) {
+ $format = 'png';
+ }
+ elsif ($extension =~ m/^(gif)$/is) {
+ $format = 'gif';
+ }
+ elsif ($extension =~ m/^(svg)$/is) {
+ $format = 'svg';
+ }
+ elsif ($extension =~ m/^(pdf)$/is) {
+ $format = 'pdf';
+ }
+ else {
+ # allow ImageMagick to auto-detect (potentially dangerous)
+ $format = '';
+ }
+
my $issvg = $base=~s/\.svg$/.png/i;
my $ispdf = $base=~s/\.pdf$/.png/i;
my $pagenumber = exists($params{pagenumber}) ? int($params{pagenumber}) : 0;
@@ -76,7 +109,7 @@ sub preprocess (@) {
my $im = Image::Magick->new();
my $imglink;
my $imgdatalink;
- my $r = $im->Read(":$srcfile\[$pagenumber]");
+ my $r = $im->Read("$format:$srcfile\[$pagenumber]");
error sprintf(gettext("failed to read %s: %s"), $file, $r) if $r;
if (! defined $im->Get("width") || ! defined $im->Get("height")) {