From 545a7bbbf07dd2375a96eae09f9abd6329a919e5 Mon Sep 17 00:00:00 2001 From: Simon McVittie Date: Wed, 4 May 2016 08:54:19 +0100 Subject: img: restrict to JPEG, PNG and GIF images by default This mitigates CVE-2016-3714. Wiki administrators who know that they have prevented arbitrary code execution via other formats can re-enable the other formats if desired. --- IkiWiki/Plugin/img.pm | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) (limited to 'IkiWiki') diff --git a/IkiWiki/Plugin/img.pm b/IkiWiki/Plugin/img.pm index a63e27dd6..53d963425 100644 --- a/IkiWiki/Plugin/img.pm +++ b/IkiWiki/Plugin/img.pm @@ -21,6 +21,28 @@ sub getsetup () { rebuild => undef, section => "widget", }, + img_allowed_formats => { + type => "string", + default => [qw(jpeg png gif)], + description => "Image formats to process (jpeg, png, gif, pdf, svg or 'everything' to accept all)", + # ImageMagick has had arbitrary code execution flaws, + # and the whole delegates mechanism is scary from + # that perspective + safe => 0, + rebuild => 0, + }, +} + +sub allowed { + my $format = shift; + my $allowed = $config{img_allowed_formats}; + $allowed = ['jpeg', 'png'] unless defined $allowed && @$allowed; + + foreach my $a (@$allowed) { + return 1 if $a eq $format || $a eq 'everything'; + } + + return 0; } sub preprocess (@) { @@ -97,6 +119,8 @@ sub preprocess (@) { $format = ''; } + error sprintf(gettext("%s image processing disabled in img_allowed_formats configuration"), $format ? $format : "\"$extension\"") unless allowed($format ? $format : "everything"); + my $issvg = $base=~s/\.svg$/.png/i; my $ispdf = $base=~s/\.pdf$/.png/i; my $pagenumber = exists($params{pagenumber}) ? int($params{pagenumber}) : 0; -- cgit v1.2.3