mahara-contributors team mailing list archive
Message #35157
[Bug 1577992] Re: Mitigate "ImageTragick" vulnerability in our usage of ImageMagick
An update on getimagesize(), and how it shouldn't be used for filetype
detection. I created a fake BMP file by making a text file with this
text: "BMHey there I am a fake a BMP file.", and naming it "fake.bmp".
The magic number test for BMP files is that the first two bytes must be
the ASCII "BM", so this file got exif_imagetype()'s approval.
But, getimagesize() returned false, not recognizing it as an image.
So for our purposes, using getimagesize() seems to be sufficient, and
actually more effective than the recommended method of looking for the
magic bytes.
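As an added example (not code from this thread or from Mahara), the check below relies on getimagesize() rather than the signature-only exif_imagetype(), and replays it against the fake BMP described above and a hand-built real one. The function name, the MIME allowlist and the temp files are assumptions for illustration; exif_imagetype() needs ext/exif.

```php
<?php
// Added example, not code from the bug thread or from Mahara. It replays the
// fake-BMP test from the message above and wraps getimagesize() in a small
// validator. Function name and MIME allowlist are assumptions.

function isAcceptedImage(string $path, array $allowedMime): bool
{
    // getimagesize() parses the real image header (DIB header size, width,
    // height, bit depth), so a file that merely starts with "BM" fails here,
    // whereas exif_imagetype() only compares the leading signature bytes.
    $info = @getimagesize($path);
    if ($info === false) {
        return false;
    }
    [$width, $height] = $info;
    if ($width < 1 || $height < 1) {
        return false;
    }
    // Caveat: only the header is parsed; a well-formed header followed by
    // arbitrary bytes still passes. Treat this as a first filter, not proof
    // that the whole file is a sane image.
    return in_array($info['mime'], $allowedMime, true);
}

// PHP < 7.4 reports BMP as image/x-ms-bmp, 7.4+ as image/bmp: accept both.
$allowed = ['image/bmp', 'image/x-ms-bmp', 'image/png', 'image/jpeg', 'image/gif'];

// Constructed sample 1: the fake BMP from the message (magic bytes only).
$fake = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($fake, 'BMHey there I am a fake a BMP file.');

// Constructed sample 2: a minimal real 1x1, 24-bit Windows BMP built by hand:
// 14-byte file header, 40-byte BITMAPINFOHEADER, one pixel padded to 4 bytes.
$real = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($real,
    'BM' . pack('VVV', 14 + 40 + 4, 0, 14 + 40)
    . pack('VVVvvVVVVVV', 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0)
    . "\x00\x00\x00\x00");

var_dump(exif_imagetype($fake) === IMAGETYPE_BMP); // signature-only check on the fake
var_dump(isAcceptedImage($fake, $allowed));        // header-parsing check on the fake
var_dump(isAcceptedImage($real, $allowed));        // header-parsing check on the real BMP

unlink($fake);
unlink($real);
```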
https://bugs.launchpad.net/bugs/1577992
Title:
Mitigate "ImageTragick" vulnerability in our usage of ImageMagick
Status in Mahara:
Invalid
Bug description:
A recent vulnerability in the ImageMagick library has been announced:
https://imagetragick.com/
Mahara currently lists the PHP imagick extension as an optional
library. If supplied, it is used when we need to do a server-side
resize of a BMP file.