From 170cd41489ab25fc3b7a95dd31521dfe522b4f9e Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Thu, 5 May 2016 23:17:45 +0100 Subject: img: check magic number before giving common formats to ImageMagick This mitigates CVE-2016-3714 and similar vulnerabilities by avoiding passing obviously-wrong input to ImageMagick decoders. --- IkiWiki/Plugin/img.pm | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) (limited to 'IkiWiki') diff --git a/IkiWiki/Plugin/img.pm b/IkiWiki/Plugin/img.pm index 53d963425..ed2e9354d 100644 --- a/IkiWiki/Plugin/img.pm +++ b/IkiWiki/Plugin/img.pm @@ -99,20 +99,29 @@ sub preprocess (@) { # Never interpret well-known file extensions as any other format, # in case the wiki configuration unwisely allows attaching # arbitrary files named *.jpg, etc. + my $magic; + my $offset = 0; + open(my $in, '<', $srcfile) or error sprintf(gettext("failed to read %s: %s"), $file, $!); + binmode($in); + if ($extension =~ m/^(jpeg|jpg)$/is) { $format = 'jpeg'; + $magic = "\377\330\377"; } elsif ($extension =~ m/^(png)$/is) { $format = 'png'; + $magic = "\211PNG\r\n\032\n"; } elsif ($extension =~ m/^(gif)$/is) { $format = 'gif'; + $magic = "GIF8"; } elsif ($extension =~ m/^(svg)$/is) { $format = 'svg'; } elsif ($extension =~ m/^(pdf)$/is) { $format = 'pdf'; + $magic = "%PDF-"; } else { # allow ImageMagick to auto-detect (potentially dangerous) @@ -121,6 +130,25 @@ sub preprocess (@) { error sprintf(gettext("%s image processing disabled in img_allowed_formats configuration"), $format ? $format : "\"$extension\"") unless allowed($format ? $format : "everything"); + # Try harder to protect ImageMagick from itself + if ($format eq 'svg') { + my $content; + read($in, $content, 5) or error sprintf(gettext("failed to read %s: %s"), $file, $!); + # This is an over-simplification, but ?xml is the check that + # ImageMagick uses. We also accept