Restrict which image formats we will decode in order to generate thumbnails

author: Olivier 'reivilibre <oliverw@matrix.org> 2024-11-22 15:30:29 +0000
committer: Quentin Gliech <quenting@element.io> 2024-12-03 09:53:21 +0100
commit: b64a4e5fbbbf119b6c65aedf0d999b4237d55503 (patch)
tree: 8db0d9d4924b8ae144433d4a3dac4821b6a81dcc
parent: Don't allow unsupported content-type (diff)
download: synapse-b64a4e5fbbbf119b6c65aedf0d999b4237d55503.tar.xz
1 files changed, 6 insertions, 1 deletions
diff --git a/synapse/media/thumbnailer.py b/synapse/media/thumbnailer.py
index 3845067835..d6b8ce4a09 100644
--- a/synapse/media/thumbnailer.py
+++ b/synapse/media/thumbnailer.py
@@ -67,6 +67,11 @@ class ThumbnailError(Exception):
 class Thumbnailer:
     FORMATS = {"image/jpeg": "JPEG", "image/png": "PNG"}
 
+    # Which image formats we allow Pillow to open.
+    # This should intentionally be kept restrictive, because the decoder of any
+    # format in this list becomes part of our trusted computing base.
+    PILLOW_FORMATS = ("jpeg", "png", "webp", "gif")
+
     @staticmethod
     def set_limits(max_image_pixels: int) -> None:
         Image.MAX_IMAGE_PIXELS = max_image_pixels
@@ -76,7 +81,7 @@ class Thumbnailer:
         self._closed = False
 
         try:
-            self.image = Image.open(input_path)
+            self.image = Image.open(input_path, formats=self.PILLOW_FORMATS)
         except OSError as e:
             # If an error occurs opening the image, a thumbnail won't be able to
             # be generated.
author	Olivier 'reivilibre <oliverw@matrix.org>	2024-11-22 15:30:29 +0000
committer	Quentin Gliech <quenting@element.io>	2024-12-03 09:53:21 +0100
commit	b64a4e5fbbbf119b6c65aedf0d999b4237d55503 (patch)
tree	8db0d9d4924b8ae144433d4a3dac4821b6a81dcc
parent	Don't allow unsupported content-type (diff)
download	synapse-b64a4e5fbbbf119b6c65aedf0d999b4237d55503.tar.xz