An update on getimagesize(), and how it shouldn't be used for filetype detection. I created a fake BMP file by making a text file with this text: "BMHey there I am a fake a BMP file.", and naming it "fake.bmp". The magic number test for BMP files is that the first two bytes must be the ASCII "BM", so this file got exif_imagetype()'s approval.
But, getimagesize() returned false, not recognizing it as an image. So for our purposes, using getimagesize() seems to be sufficient, and actually more effective than the recommended method of looking for the magic bytes.

--
https://bugs.launchpad.net/bugs/1577992

Title:
  Mitigate "ImageTragick" vulnerability in our usage of ImageMagick

Status in Mahara:
  Invalid

Bug description:
  A recent vulnerability in the ImageMagick library has been announced: https://imagetragick.com/

  Mahara currently lists the PHP imagick extension as an optional library. If supplied, it is used when we need to do a server-side resize of a BMP file.

Mailing list: https://launchpad.net/~mahara-contributors
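
The comparison described in the comment above, as an added example that is not part of the original message or of Mahara's code. The helper names and the 1x1 BMP are constructed for illustration, and `exif_imagetype()` assumes the PHP exif extension is loaded.

```php
<?php
// Added example: a magic-byte check versus header parsing on the same files.
// Helper names and both sample files are constructed for illustration.

function write_sample(string $bytes): string
{
    $path = tempnam(sys_get_temp_dir(), 'bmp');
    file_put_contents($path, $bytes);
    return $path;
}

// Magic-byte test only: the first two bytes must be ASCII "BM".
function passes_magic_check(string $path): bool
{
    return @exif_imagetype($path) === IMAGETYPE_BMP;
}

// Header-parsing test: getimagesize() must report a BMP with usable dimensions.
function passes_header_check(string $path): bool
{
    $info = @getimagesize($path);
    return $info !== false
        && $info[2] === IMAGETYPE_BMP
        && $info[0] > 0
        && $info[1] > 0;
}

// The fake file content quoted in the comment.
$fake = "BMHey there I am a fake a BMP file.";

// Constructed minimal 1x1 24-bit BMP:
// 14-byte file header, 40-byte info header, one padded 4-byte pixel row.
$real = 'BM' . pack('VvvV', 58, 0, 0, 54)
      . pack('VVVvvVVVVVV', 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0)
      . "\xFF\xFF\xFF\x00";

foreach (['fake.bmp' => $fake, 'real.bmp' => $real] as $label => $bytes) {
    $path = write_sample($bytes);
    printf(
        "%-8s magic=%s header=%s\n",
        $label,
        var_export(passes_magic_check($path), true),
        var_export(passes_header_check($path), true)
    );
    unlink($path);
}
```

getimagesize() parses only the header fields, so a pass here says nothing about the pixel data that a later resize would process.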

