Apart from the obvious server-to-client transfer of window pixel data, we can receive compressed pixel data from a number of places: webcam, window icons, xdg menus, etc. Some of those can flow back to the server. We should ensure that we only allow the encodings we support, so that a vulnerability in another codec cannot be triggered from those code paths.
We only really care about: webp, png and jpeg for now. Those all have detectable headers.
Let's move the code to a utility function that can do the checking.
Example Image.open code that could be abused (icondata is untrusted bytes received from the peer and is handed straight to PIL, which will pick whichever of its many decoders matches the header):

    from PIL import Image
    from io import BytesIO

    # icondata: compressed icon bytes received from the peer, not validated
    buf = BytesIO(icondata)
    # Image.open() sniffs the header and dispatches to any installed plugin,
    # not just png/jpeg/webp - this is the code path we want to restrict
    img = Image.open(buf)
    has_alpha = img.mode == "RGBA"
    width, height = img.size
    rowstride = width * (3 + int(has_alpha))
    pixbuf = get_pixbuf_from_data(img.tobytes(), has_alpha, width, height, rowstride)
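A header-checking utility of the kind proposed here, as an added example (not xpra's own code): it recognises only the png, jpeg and webp signatures, rejects everything else, and then asks Pillow to try only the one matching decoder via the formats= argument of Image.open. The magic-byte values come from the public file-format specifications; the function names are made up for this example.

```python
from io import BytesIO

# Signatures of the only three formats this code path should accept
# (from the PNG, JPEG/JFIF and WebP/RIFF specifications).
_PNG_SIG = b"\x89PNG\r\n\x1a\n"
_JPEG_SIG = b"\xff\xd8\xff"

# Pillow's own format names, used for the formats= whitelist below.
ALLOWED_FORMATS = ("PNG", "JPEG", "WEBP")


def guess_image_format(data):
    """Return the Pillow format name matching the header, or None.

    Only the whitelisted formats are recognised: a valid image in any other
    format (gif, bmp, jpeg2000, ...) also yields None, so no other codec is
    ever reached from this code path.
    """
    if data.startswith(_PNG_SIG):
        return "PNG"
    if data.startswith(_JPEG_SIG):
        return "JPEG"
    # WebP is a RIFF container: "RIFF" <u32 little-endian size> "WEBP" <chunks>
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "WEBP"
    return None


def validate_image_data(data, allowed=ALLOWED_FORMATS):
    """Return the detected format name, or raise ValueError if it is not allowed."""
    if not isinstance(data, (bytes, bytearray)):
        raise ValueError("image data must be bytes")
    fmt = guess_image_format(bytes(data))
    if fmt is None or fmt not in allowed:
        raise ValueError("unsupported or unrecognised image format")
    return fmt


def open_validated(data, allowed=ALLOWED_FORMATS):
    """Check the header first, then let Pillow consult only that one plugin.

    Restricting formats= means a spoofed or ambiguous header cannot redirect
    the open() call to an unrelated decoder. Pillow is imported lazily so the
    header checks above remain usable (and testable) without it installed.
    """
    from PIL import Image
    fmt = validate_image_data(data, allowed)
    return Image.open(BytesIO(data), formats=[fmt])
```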
Here's the list of formats supported by PIL, Image File Formats (long!).
Work started in r22493: we filter tray icons and window icons (server to client), dbus and win32 notifiers only accept png (now actually enforced), webcam validates the encodings used. r22494 also removes support for jpeg2000 (#618) - that encoding was pretty useless anyway.
Still TODO:
Work completed in:
To test, we have to build with --without-webp and --without-jpeg_decoder, otherwise those faster Cython decoders take precedence (and they don't need validating since they only decode the one format they are designed for). Then just attach with --encodings=jpeg (or --encodings=png).
r22493 caused a regression with png/P and png/L, fixed in r24936.
This ticket has been moved to: https://github.com/Xpra-org/xpra/issues/2279