author | Simon McVittie <smcv@debian.org> | 2016-05-05 23:17:45 +0100 |
---|---|---|
committer | Simon McVittie <smcv@debian.org> | 2016-05-05 23:43:50 +0100 |
commit | 170cd41489ab25fc3b7a95dd31521dfe522b4f9e (patch) | |
tree | a6ce0d308d7304451ec646c3744e24aff7d8853d /t/img.t | |
parent | 545a7bbbf07dd2375a96eae09f9abd6329a919e5 (diff) | |
img: check magic number before giving common formats to ImageMagick
This mitigates CVE-2016-3714 and similar vulnerabilities by
avoiding passing obviously-wrong input to ImageMagick decoders.
Diffstat (limited to 't/img.t')
-rwxr-xr-x | t/img.t | 5 |
1 files changed, 5 insertions, 0 deletions
@@ -146,10 +146,15 @@ like($outhtml, qr{src="(\./)?imgconversions/11x-redsquare\.jpg" width="11" heigh
 like($outhtml, qr{src="(\./)?imgconversions/12x-redsquare\.jpeg" width="12" height="12"});
 
 # We do not misinterpret images
+my $quot = qr/(?:"|")/;
+like($outhtml, qr/${quot}really-svg\.png${quot} does not seem to be a valid png file/);
 ok(! -e "$outpath/666x-really-svg.png");
 ok(! -e "$outpath/666x-really-svg.bmp");
+like($outhtml, qr/${quot}really-pdf\.jpeg${quot} does not seem to be a valid jpeg file/);
 ok(! -e "$outpath/666x-really-pdf.jpeg");
+like($outhtml, qr/${quot}really-pdf\.jpg${quot} does not seem to be a valid jpeg file/);
 ok(! -e "$outpath/666x-really-pdf.jpg");
+like($outhtml, qr/${quot}really-pdf\.png${quot} does not seem to be a valid png file/);
 ok(! -e "$outpath/666x-really-pdf.png");
 
 # disable support for uncommon formats and try again
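Review bot: The `$quot` alternation on the first added line, `qr/(?:"|")/`, has two identical branches as rendered here, so the second is dead; this is most likely the page decoding an `&quot;` entity to a plain quote, and the intent is to match either a raw `"` or its HTML-escaped form — worth confirming the checked-in line reads `my $quot = qr/(?:"|&quot;)/;` and adding a short comment such as `# the filename is echoed into HTML, so the quote may be entity-escaped` so the next reader does not "simplify" it. The negative cases only exercise `.png`, `.jpeg` and `.jpg`; if the magic-number check in the img plugin also covers other common formats such as GIF, a `really-pdf.gif` fixture with the matching `does not seem to be a valid gif file` assertion would close the remaining gap, and a positive case (a genuine PNG with a `.jpg` extension) would pin down whether such mismatches are meant to be rejected or accepted. The test script this hunk belongs to continues above and below the hunk, so I cannot see whether those fixtures already exist elsewhere.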