From: Simon McVittie Date: Wed, 4 May 2016 07:52:40 +0000 (+0100) Subject: img: force common Web formats to be interpreted according to extension X-Git-Tag: debian/3.20141016.3~15 X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/a42468aa22cf096f7ff3667affb160528f5dacde?hp=3a72fd87c7214a508b67ac8dc3567a427240c9c8 img: force common Web formats to be interpreted according to extension A site administrator might unwisely set allowed_attachments to something like '*.jpg or *.png'; if they do, an attacker could attach, for example, a SVG file named attachment.jpg. This mitigates CVE-2016-3714. --- diff --git a/IkiWiki/Plugin/img.pm b/IkiWiki/Plugin/img.pm index 169f5e713..a63e27dd6 100644 --- a/IkiWiki/Plugin/img.pm +++ b/IkiWiki/Plugin/img.pm @@ -64,6 +64,39 @@ sub preprocess (@) { my $dir = $params{page}; my $base = IkiWiki::basename($file); + my $extension; + my $format; + + if ($base =~ m/\.([a-z0-9]+)$/) { + $extension = $1; + } + else { + error gettext("Unable to detect image type from extension"); + } + + # Never interpret well-known file extensions as any other format, + # in case the wiki configuration unwisely allows attaching + # arbitrary files named *.jpg, etc. + if ($extension =~ m/^(jpeg|jpg)$/is) { + $format = 'jpeg'; + } + elsif ($extension =~ m/^(png)$/is) { + $format = 'png'; + } + elsif ($extension =~ m/^(gif)$/is) { + $format = 'gif'; + } + elsif ($extension =~ m/^(svg)$/is) { + $format = 'svg'; + } + elsif ($extension =~ m/^(pdf)$/is) { + $format = 'pdf'; + } + else { + # allow ImageMagick to auto-detect (potentially dangerous) + $format = ''; + } + my $issvg = $base=~s/\.svg$/.png/i; my $ispdf = $base=~s/\.pdf$/.png/i; my $pagenumber = exists($params{pagenumber}) ? int($params{pagenumber}) : 0; @@ -76,7 +109,7 @@ sub preprocess (@) { my $im = Image::Magick->new(); my $imglink; my $imgdatalink; - my $r = $im->Read(":$srcfile\[$pagenumber]"); + my $r = $im->Read("$format:$srcfile\[$pagenumber]"); error sprintf(gettext("failed to read %s: %s"), $file, $r) if $r; if (! defined $im->Get("width") || ! defined $im->Get("height")) {