From 545a7bbbf07dd2375a96eae09f9abd6329a919e5 Mon Sep 17 00:00:00 2001
From: Simon McVittie <smcv@debian.org>
Date: Wed, 4 May 2016 08:54:19 +0100
Subject: img: restrict to JPEG, PNG and GIF images by default

This mitigates CVE-2016-3714. Wiki administrators who know that they
have prevented arbitrary code execution via other formats can re-enable
the other formats if desired.
---
 IkiWiki/Plugin/img.pm | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

(limited to 'IkiWiki')

diff --git a/IkiWiki/Plugin/img.pm b/IkiWiki/Plugin/img.pm
index a63e27dd6..53d963425 100644
--- a/IkiWiki/Plugin/img.pm
+++ b/IkiWiki/Plugin/img.pm
@@ -21,6 +21,28 @@ sub getsetup () {
 			rebuild => undef,
 			section => "widget",
 		},
+		img_allowed_formats => {
+			type => "string",
+			default => [qw(jpeg png gif)],
+			description => "Image formats to process (jpeg, png, gif, pdf, svg or 'everything' to accept all)",
+			# ImageMagick has had arbitrary code execution flaws,
+			# and the whole delegates mechanism is scary from
+			# that perspective
+			safe => 0,
+			rebuild => 0,
+		},
+}
+
+sub allowed {
+	my $format = shift;
+	my $allowed = $config{img_allowed_formats};
+	$allowed = ['jpeg', 'png'] unless defined $allowed && @$allowed;
+
+	foreach my $a (@$allowed) {
+		return 1 if $a eq $format || $a eq 'everything';
+	}
+
+	return 0;
 }
 
 sub preprocess (@) {
@@ -97,6 +119,8 @@ sub preprocess (@) {
 		$format = '';
 	}
 
+	error sprintf(gettext("%s image processing disabled in img_allowed_formats configuration"), $format ? $format : "\"$extension\"") unless allowed($format ? $format : "everything");
+
 	my $issvg = $base=~s/\.svg$/.png/i;
 	my $ispdf = $base=~s/\.pdf$/.png/i;
 	my $pagenumber = exists($params{pagenumber}) ? int($params{pagenumber}) : 0;
-- 
cgit v1.2.3