Okay, it looks like we're actually already covered on this.

I wrote up a quick 6-line patch for this that tries to sniff the magic
number for a BMP file before running it through ImageMagick (for a BMP
file, the magic number is that the first two bytes of the file will be
the ASCII for "BM"). But I couldn't get any of my ersatz BMP files to
trigger the code. So I took a closer look at how we do file detection in
Mahara, and it turns out we have a parallel process for detecting image
mimetypes!

When a file is first uploaded, we run it through the Mahara function
"is_image_file($path)", which checks the PHP core methods
exif_imagetype() and getimagesize(), to determine whether it's a valid
image file. If so, then we ignore the "file_mime_type()" function that
we otherwise use for detecting mimetypes.

And again in the resizing method, we check getimagesize() (from the GD
extension) to get the file's mimetype, before attempting to resize it. So
a malicious BMP file would need to be able to bypass getimagesize() and
possibly exif_imagetype() in order to hit ImageMagick.

exif_imagetype() is part of the Exif extension, which is not listed as
an optional library in the Mahara readme (it probably should be), but it
ships with PHP on Debian and Ubuntu. getimagesize() comes from GD, which
is a listed requirement for Mahara.

The docs page for getimagesize() does say "Do not use getimagesize() to
check that a given file is a valid image. Use a purpose-built solution
such as the Fileinfo extension instead." So in the long run it might be
better to swap something else in there. http://php.net/getimagesize

** Information type changed from Private Security to Public Security
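As an added example (not Mahara's code and not the 6-line patch mentioned above), here is a PHP guard that chains the checks this comment describes, the "BM" magic-number sniff, exif_imagetype(), getimagesize() and the Fileinfo extension the PHP docs recommend, before an upload is handed to Imagick; the function names and the list of accepted BMP mimetypes are assumptions.

```php
<?php
// Added example, not Mahara code. Assumes ext/exif, ext/gd, ext/fileinfo and ext/imagick.
const BMP_MAGIC = "BM"; // first two bytes of every BMP file

function is_safe_bmp_for_imagemagick(string $path): bool
{
    // 1. Magic-number sniff: the first two bytes must be ASCII "BM".
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, 2);
    fclose($fh);
    if ($head !== BMP_MAGIC) {
        return false;
    }
    // 2. exif_imagetype() (ext/exif) must also classify the file as BMP.
    if (!function_exists('exif_imagetype') || exif_imagetype($path) !== IMAGETYPE_BMP) {
        return false;
    }
    // 3. getimagesize() (ext/gd) must parse a BMP header with sane dimensions.
    $info = @getimagesize($path);
    if ($info === false || $info[2] !== IMAGETYPE_BMP || $info[0] < 1 || $info[1] < 1) {
        return false;
    }
    // 4. Fileinfo, the purpose-built detector the getimagesize() docs point to,
    //    must report a BMP mimetype (libmagic uses image/bmp or image/x-ms-bmp).
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($path);
    if (!in_array($mime, ['image/bmp', 'image/x-ms-bmp', 'image/x-bmp'], true)) {
        return false;
    }
    return true;
}

// Only hand the file to Imagick once every detector agrees; otherwise refuse
// and treat the upload as a non-image file. $path is an upload already on disk.
function resize_bmp_guarded(string $path, int $w, int $h): bool
{
    if (!is_safe_bmp_for_imagemagick($path)) {
        return false;
    }
    $im = new Imagick($path);
    $im->resizeImage($w, $h, Imagick::FILTER_LANCZOS, 1, true);
    return $im->writeImage($path);
}
```

A file that fails any one detector never reaches ImageMagick, which is the same layering the comment describes, with Fileinfo added as the validator the PHP docs recommend.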

https://bugs.launchpad.net/bugs/1577992

Title:
  Mitigate "ImageTragick" vulnerability in our usage of ImageMagick

Status in Mahara:
  Invalid

Bug description:
  A recent vulnerability in the ImageMagick library has been announced:
  https://imagetragick.com/

  Mahara currently lists the PHP imagick extension as an optional
  library. If supplied, it is used when we need to do a server-side
  resize of a BMP file.
