mirror of
https://codeberg.org/forgejo/forgejo
synced 2025-10-19 02:30:52 +02:00
78d92aafd7
Strips EXIF information from uploaded avatars (excluding the orientation tag), affecting both user & repo avatars. Adds a new subcommand `forgejo admin avatar-strip-exif` to perform a retroactive update of avatar files. Fixes #9608. ## Checklist The [contributor guide](https://forgejo.org/docs/next/contributor/) contains information that will be helpful to first time contributors. There also are a few [conditions for merging Pull Requests in Forgejo repositories](https://codeberg.org/forgejo/governance/src/branch/main/PullRequestsAgreement.md). You are also welcome to join the [Forgejo development chatroom](https://matrix.to/#/#forgejo-development:matrix.org). ### Tests - I added test coverage for Go changes... - [x] in their respective `*_test.go` for unit tests. - [ ] in the `tests/integration` directory if it involves interactions with a live Forgejo server. - I added test coverage for JavaScript changes... - [ ] in `web_src/js/*.test.js` if it can be unit tested. - [ ] in `tests/e2e/*.test.e2e.js` if it requires interactions with a live Forgejo server (see also the [developer guide for JavaScript testing](https://codeberg.org/forgejo/forgejo/src/branch/forgejo/tests/e2e/README.md#end-to-end-tests)). ### Documentation - [ ] I created a pull request [to the documentation](https://codeberg.org/forgejo/docs) to explain to Forgejo users how to use this change. - [x] I did not document these changes and I do not expect someone else to do it. ### Release notes - [ ] I do not want this change to show in the release notes. - [ ] I want the title to show in the release notes with a link to this pull request. - [x] I want the content of the `release-notes/<pull request number>.md` to be be used for the release notes instead of the title. <!--start release-notes-assistant--> ## Release notes <!--URL:https://codeberg.org/forgejo/forgejo--> - Features - [PR](https://codeberg.org/forgejo/forgejo/pulls/9638): <!--number 9638 --><!--line 0 --><!--description VXBsb2FkZWQgYXZhdGFyIGltYWdlcyBjYW4gc29tZXRpbWVzIGNvbnRhaW4gdW5leHBlY3RlZCBtZXRhZGF0YSBzdWNoIGFzIHRoZSBsb2NhdGlvbiB3aGVyZSB0aGUgaW1hZ2Ugd2FzIGNyZWF0ZWQsIG9yIHRoZSBkZXZpY2UgdGhlIGltYWdlIHdhcyBjcmVhdGVkIHdpdGgsIHN0b3JlZCBpbiBhIGZvcm1hdCBjYWxsZWQgRVhJRi4gRm9yZ2VqbyBub3cgcmVtb3ZlcyBFWElGIGRhdGEgd2hlbiBjdXN0b20gdXNlciBhbmQgcmVwb3NpdG9yeSBpbWFnZXMgYXJlIHVwbG9hZGVkIGluIG9yZGVyIHRvIHJlZHVjZSB0aGUgcmlzayBvZiBwZXJzb25hbGx5IGlkZW50aWZpYWJsZSBpbmZvcm1hdGlvbiBiZWluZyBsZWFrZWQgdW5leHBlY3RlZGx5LiBBIG5ldyBDTEkgc3ViY29tbWFuZCBgZm9yZ2VqbyBkb2N0b3IgYXZhdGFyLXN0cmlwLWV4aWZgIGNhbiBiZSB1c2VkIHRvIHN0cmlwIEVYSUYgaW5mb3JtYXRpb24gZnJvbSBhbGwgZXhpc3RpbmcgYXZhdGFyczsgd2UgcmVjb21tZW5kIHRoYXQgYWRtaW5pc3RyYXRvcnMgcnVuIHRoaXMgY29tbWFuZCBvbmNlIGFmdGVyIHVwZ3JhZGUgaW4gb3JkZXIgdG8gbWluaW1pemUgdGhpcyByaXNrIGZvciBleGlzdGluZyBzdG9yZWQgZmlsZXMu-->Uploaded avatar images can sometimes contain unexpected metadata such as the location where the image was created, or the device the image was created with, stored in a format called EXIF. Forgejo now removes EXIF data when custom user and repository images are uploaded in order to reduce the risk of personally identifiable information being leaked unexpectedly. A new CLI subcommand `forgejo doctor avatar-strip-exif` can be used to strip EXIF information from all existing avatars; we recommend that administrators run this command once after upgrade in order to minimize this risk for existing stored files.<!--description--> <!--end release-notes-assistant--> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/9638 Reviewed-by: Gusted <gusted@noreply.codeberg.org> Co-authored-by: Mathieu Fenniak <mathieu@fenniak.net> Co-committed-by: Mathieu Fenniak <mathieu@fenniak.net>
155 lines
5.2 KiB
Go
155 lines
5.2 KiB
Go
// Copyright 2014 The Gogs Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package avatar
|
|
|
|
import (
|
|
"bytes"
|
|
"errors"
|
|
"fmt"
|
|
"image"
|
|
"image/color"
|
|
"image/png"
|
|
"io"
|
|
|
|
_ "image/gif" // for processing gif images
|
|
_ "image/jpeg" // for processing jpeg images
|
|
|
|
"forgejo.org/modules/avatar/identicon"
|
|
"forgejo.org/modules/setting"
|
|
|
|
exif_terminator "code.superseriousbusiness.org/exif-terminator"
|
|
"golang.org/x/image/draw"
|
|
|
|
_ "golang.org/x/image/webp" // for processing webp images
|
|
)
|
|
|
|
// DefaultAvatarSize is the target CSS pixel size for avatar generation. It is
|
|
// multiplied by setting.Avatar.RenderedSizeFactor and the resulting size is the
|
|
// usual size of avatar image saved on server, unless the original file is smaller
|
|
// than the size after resizing.
|
|
const DefaultAvatarSize = 256
|
|
|
|
// RandomImageSize generates and returns a random avatar image unique to input data
|
|
// in custom size (height and width).
|
|
func RandomImageSize(size int, data []byte) (image.Image, error) {
|
|
// we use white as background, and use dark colors to draw blocks
|
|
imgMaker, err := identicon.New(size, color.White, identicon.DarkColors...)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("identicon.New: %w", err)
|
|
}
|
|
return imgMaker.Make(data), nil
|
|
}
|
|
|
|
// RandomImage generates and returns a random avatar image unique to input data
|
|
// in default size (height and width).
|
|
func RandomImage(data []byte) (image.Image, error) {
|
|
return RandomImageSize(DefaultAvatarSize*setting.Avatar.RenderedSizeFactor, data)
|
|
}
|
|
|
|
// processAvatarImage process the avatar image data, crop and resize it if necessary.
|
|
// the returned data could be the original image if no processing is needed.
|
|
func processAvatarImage(data []byte, maxOriginSize int64) ([]byte, error) {
|
|
imgCfg, imgType, err := image.DecodeConfig(bytes.NewReader(data))
|
|
if err != nil {
|
|
return nil, fmt.Errorf("image.DecodeConfig: %w", err)
|
|
}
|
|
|
|
// for safety, only accept known types explicitly
|
|
if imgType != "png" && imgType != "jpeg" && imgType != "gif" && imgType != "webp" {
|
|
return nil, errors.New("unsupported avatar image type")
|
|
}
|
|
|
|
// do not process image which is too large, it would consume too much memory
|
|
if imgCfg.Width > setting.Avatar.MaxWidth {
|
|
return nil, fmt.Errorf("image width is too large: %d > %d", imgCfg.Width, setting.Avatar.MaxWidth)
|
|
}
|
|
if imgCfg.Height > setting.Avatar.MaxHeight {
|
|
return nil, fmt.Errorf("image height is too large: %d > %d", imgCfg.Height, setting.Avatar.MaxHeight)
|
|
}
|
|
|
|
var cleanedBytes []byte
|
|
if imgType != "gif" { // "gif" is the only imgType supported above, but not supported by exif_terminator
|
|
cleanedData, err := exif_terminator.Terminate(bytes.NewReader(data), imgType)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error cleaning exif data: %w", err)
|
|
}
|
|
cleanedBytes, err = io.ReadAll(cleanedData)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error reading cleaned data: %w", err)
|
|
}
|
|
} else { // gif
|
|
cleanedBytes = data
|
|
}
|
|
|
|
// If the origin is small enough, just use it, then APNG could be supported,
|
|
// otherwise, if the image is processed later, APNG loses animation.
|
|
// And one more thing, webp is not fully supported, for animated webp, image.DecodeConfig works but Decode fails.
|
|
// So for animated webp, if the uploaded file is smaller than maxOriginSize, it will be used, if it's larger, there will be an error.
|
|
if len(data) < int(maxOriginSize) {
|
|
return cleanedBytes, nil
|
|
}
|
|
|
|
img, _, err := image.Decode(bytes.NewReader(cleanedBytes))
|
|
if err != nil {
|
|
return nil, fmt.Errorf("image.Decode: %w", err)
|
|
}
|
|
|
|
// try to crop and resize the origin image if necessary
|
|
img = cropSquare(img)
|
|
|
|
targetSize := DefaultAvatarSize * setting.Avatar.RenderedSizeFactor
|
|
img = scale(img, targetSize, targetSize, draw.BiLinear)
|
|
|
|
// try to encode the cropped/resized image to png
|
|
bs := bytes.Buffer{}
|
|
if err = png.Encode(&bs, img); err != nil {
|
|
return nil, err
|
|
}
|
|
resized := bs.Bytes()
|
|
|
|
// usually the png compression is not good enough, use the original image (no cropping/resizing) if the origin is smaller
|
|
if len(data) <= len(resized) {
|
|
return cleanedBytes, nil
|
|
}
|
|
|
|
return resized, nil
|
|
}
|
|
|
|
// ProcessAvatarImage process the avatar image data, crop and resize it if necessary.
|
|
// the returned data could be the original image if no processing is needed.
|
|
func ProcessAvatarImage(data []byte) ([]byte, error) {
|
|
return processAvatarImage(data, setting.Avatar.MaxOriginSize)
|
|
}
|
|
|
|
// scale resizes the image to width x height using the given scaler.
|
|
func scale(src image.Image, width, height int, scale draw.Scaler) image.Image {
|
|
rect := image.Rect(0, 0, width, height)
|
|
dst := image.NewRGBA(rect)
|
|
scale.Scale(dst, rect, src, src.Bounds(), draw.Over, nil)
|
|
return dst
|
|
}
|
|
|
|
// cropSquare crops the largest square image from the center of the image.
|
|
// If the image is already square, it is returned unchanged.
|
|
func cropSquare(src image.Image) image.Image {
|
|
bounds := src.Bounds()
|
|
if bounds.Dx() == bounds.Dy() {
|
|
return src
|
|
}
|
|
|
|
var rect image.Rectangle
|
|
if bounds.Dx() > bounds.Dy() {
|
|
// width > height
|
|
size := bounds.Dy()
|
|
rect = image.Rect((bounds.Dx()-size)/2, 0, (bounds.Dx()+size)/2, size)
|
|
} else {
|
|
// width < height
|
|
size := bounds.Dx()
|
|
rect = image.Rect(0, (bounds.Dy()-size)/2, size, (bounds.Dy()+size)/2)
|
|
}
|
|
|
|
dst := image.NewRGBA(rect)
|
|
draw.Draw(dst, rect, src, rect.Min, draw.Src)
|
|
return dst
|
|
}
|