Apart from the obvious server-to-client transfer of window pixel data, we can receive compressed pixel data from a number of places: webcam, window icons, xdg menus, etc. Some of those can flow back to the server. We should ensure that we only allow the encodings we support so that a vulnerability in another codec cannot be triggered from those code paths.
We only really care about: webp, png and jpeg for now. Those all have detectable headers.
Let's move the code to a utility function that can do the checking.
Image.open code that could be abused:
    from PIL import Image
    from io import BytesIO
    buf = BytesIO(icondata)
    img = Image.open(buf)
    has_alpha = img.mode=="RGBA"
    width, height = img.size
    rowstride = width * (3+int(has_alpha))
    pixbuf = get_pixbuf_from_data(img.tobytes(), has_alpha, width, height, rowstride)
Here's a list of the formats supported by Image File Formats (long!).
Work started in r22493: we filter tray icons and window icons (server to client), dbus and win32 notifiers only accept png (now actually enforced), webcam validates the encodings used. r22494 also removes support for jpeg2000 (#618) - that encoding was pretty useless anyway.
Work completed in:
To test, we have to build
--without-jpeg_decoder otherwise those faster cython decoders have precedence (and they don't need validating since they only decode the one format they are designed for).
Then just attach with
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/2279
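The header check described in this ticket, as an added example that is not xpra's own code: the function names, the per-path allowlist argument and the sample byte strings are assumptions made for illustration. It identifies webp, png and jpeg from their magic bytes and refuses everything else before Pillow is involved, then restricts Pillow to the detected format through the `formats` argument of `Image.open` (Pillow 7.2 or later).

```python
from io import BytesIO

# Encodings the ticket says we care about; callers may narrow this further.
ALLOWED = ("png", "jpeg", "webp")

def detect_image_format(data: bytes):
    """Identify png / jpeg / webp from the header bytes only, else None."""
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    # webp is a RIFF container: 'RIFF', 4 size bytes, then 'WEBP'
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "webp"
    return None

def require_allowed(data: bytes, allowed=ALLOWED) -> str:
    """Return the detected format, or raise if it is not allowed here."""
    fmt = detect_image_format(data)
    if fmt is None:
        raise ValueError("unrecognized image header: %r" % data[:12])
    if fmt not in allowed:
        raise ValueError("%s is not accepted on this code path" % fmt)
    return fmt

def open_checked(data: bytes, allowed=ALLOWED):
    """Open with Pillow only after the header check has passed."""
    fmt = require_allowed(data, allowed)
    from PIL import Image  # imported late: the check itself needs no codec
    # formats= stops Pillow from probing any other decoder plugin
    return Image.open(BytesIO(data), formats=[fmt.upper()])

# Constructed header-only samples (not decodable images).
SAMPLES = {
    "png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "jpeg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
    "webp": b"RIFF\x24\x00\x00\x00WEBPVP8 ",
    "gif": b"GIF89a" + b"\x00" * 8,
    "jpeg2000": b"\x00\x00\x00\x0cjP  \r\n\x87\n",
    "riff-wav": b"RIFF\x24\x00\x00\x00WAVEfmt ",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", detect_image_format(blob))
```

A path that should only take png, such as the notifiers mentioned above, would call `require_allowed(data, allowed=("png",))`.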