Bug #88424

Thumbnails of EPS files are not generated anymore

Added by Sebastian Schmal 8 months ago. Updated 8 months ago.

Status:
New
Priority:
Should have
Assignee:
-
Category:
Image Generation / GIFBUILDER
Target version:
-
Start date:
2019-05-23
Due date:
% Done:

0%

TYPO3 Version:
8
PHP Version:
7.0
Tags:
ImageMagick
Complexity:
Is Regression:
Sprint Focus:

Description

Hi all,
Hi Oliver Hader,

after the Update from TYPO3 8.7.26 and close the Security-Fix for ImageMagick, so open a new Bug with EPS - Files!
After upload a .eps File Error: (Internal Server Error) Hochladen von Datei "test.eps" fehlgeschlagen!

The Upload works perfect, but no ThumbNail for this File.

In TYPO3 8.7.24 works all fine with EPS Files!

Thanks, Sebastian

History

#1 Updated by Georg Ringer 8 months ago

  • Project changed from TYPO3 Core to Core Security
  • Category deleted (Image Generation / GIFBUILDER)

#2 Updated by Oliver Hader 8 months ago

  • Project changed from Core Security to TYPO3 Core
  • Subject changed from [SECURITY] Enclose file type scope when invoking ImageMagick to Thumbnails of EPS files are not generated anymore

#3 Updated by Oliver Hader 8 months ago

  • Category set to Image Generation / GIFBUILDER

#4 Updated by Oliver Hader 8 months ago

Disallowing PostScript files (PS, EPS, ...) was exactly the scope of the security fix in https://review.typo3.org/c/Packages/TYPO3.CMS/+/60700 since PS instructions would be directly executed by the according interpreter (GhostScript) when being invoked through ImageMagick.

The only thing I could think of is to have a possibility to weaken denied file extensions (like EPS) on a particular context and configured explicitly for a particular TYPO3 instance, e.g.

  • allow EPS rendering in backend file list module
  • still deny EPS rendering for file uploads in some frontend contact form

In case there are alternative suggestions please add them to this ticket. Thx

#5 Updated by Sebastian Schmal 8 months ago

Oliver Hader wrote:

Disallowing PostScript files (PS, EPS, ...) was exactly the scope of the security fix in https://review.typo3.org/c/Packages/TYPO3.CMS/+/60700 since PS instructions would be directly executed by the according interpreter (GhostScript) when being invoked through ImageMagick.

The only thing I could think of is to have a possibility to weaken denied file extensions (like EPS) on a particular context and configured explicitly for a particular TYPO3 instance, e.g.

  • allow EPS rendering in backend file list module
  • still deny EPS rendering for file uploads in some frontend contact form

In case there are alternative suggestions please add them to this ticket. Thx

Hi Oliver, thanks for the answer!
And allow only EPS-Files Update without Thumbnail?
The Upload from EPS works fine, but maybe you can disable the Thumbnail-Image for the Error Message.

Thanks, Sebastian

Also available in: Atom PDF