Henning You can indeed turn it off. The rewriter is injectable so that you can do exactly as you state and use your own processors.
As for the more general issue of the susceptibility of image libraries to attack, Im well aware of the issues with JAI, AWT and ImageMagick, the CL will include test cases that validate that the code is safe against many known attacks so I would encourage you to take a look at those. In addition if people have sample images that they use to reproduce VM attacks I strongly suggest you do what Im doing and contribute them to the Sanselan project. I dont know if you've taken a look at Sanselan in detail but it is generally quite resilient against malicious buffer overrun attacks that allow you to pwn up JAI etc. and being pure Java you cant really do more than DOS it. The remaining issue I have with it is it doesnt have a guard against excessive memory allocations for trivial images. -Louis On Mon, Jan 26, 2009 at 10:48 PM, Henning Schmiedehausen < hgsch...@googlemail.com> wrote: > Having fought with image rewriting on our platform a little little bit > (some of my colleagues have torn their hair out over it), I know that > this sounds like a good idea. It only sounds like one. There is no > Java image library (JAI, AWT, JNI to ImageMagick, you name it) than > can resist a determined attacker or a dumb user wanting to take your > JVM down. End of story. > > Please, at least, add a switch so that one can turn it off. Thanks. At > least I don't plan to let our Shindig installs to go near there and if > I would rewrite images, I would use our painstakely tuned image > processors. Which don't use Java code. I would assume that at least > Paul has similar war stories to share. > > Ciao > Henning > > On Wed, Jan 21, 2009 at 15:52, Louis Ryan <lr...@google.com> wrote: > > So after a fair bit of research and learning about the evils of the Java > > ImageIO library I plan on re-writing the code using Sanselan ( > > http://incubator.apache.org/sanselan/site/index.html) which is an Apache > > incubator project for image handling in pure Java. I'm not aware of any > > issues of one incubator project depending on another incubator project > (and > > having such a rule would seem very odd) > > > > On Fri, Dec 12, 2008 at 3:15 PM, Brian Eaton <bea...@google.com> wrote: > > > >> This significantly increases the security risk to Shindig deployments. > >> We definitely should not turn this on by default, and I'm not sure we > >> should do it at all. > >> > >> The problem is that most Java image handling is done in native code > >> for performance reasons, and that image processing has historically > >> been a source of critical vulnerabilities in the JRE: > >> > >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0243 > >> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2789 > >> > >> If a shindig deployment does turn this on, they need to be prepared to > >> patch their JRE on very short notice. That's not a realistic option > >> for most java shops. > >> > >> I'm going to look around for alternative implementations that are > >> easier to make secure. > >> > >> Cheers, > >> Brian > >> > >> On Fri, Dec 12, 2008 at 2:43 PM, <louiscr...@gmail.com> wrote: > >> > Reviewers: shindig-dev, > >> > > >> > Description: > >> > This code is the basis for integrating image rewriting into the > Shindig > >> > proxy pipeline. This code will try to make reasonable assumptions > about > >> > what target image format is most suitable and then serialize to that > >> > format. If the content is smaller than the original then it is used. A > >> > fairly high degree of configurability is added and protections to > ensure > >> > that rogue images cannot create exceesively large memory burdens on > the > >> > VM > >> > > >> > For sample traffic seen on Orkut this kind of rewriting can yield > pretty > >> > substantial reductions in image size. Ill post more thorough results > >> > later. > >> > > >> > Details > >> > GIF - We dont rewrite animated GIFs though we could it is an expensive > >> > process doing frame to frame differencing. We also dont rewrite > >> > transparent GIF currently though we could later with a reasonable > >> > AlphaImageLoader solution for IE6 > >> > > >> > PNG - Most PNG writers dont do a good job stripping metadata or > >> > minimizing palette and bit depth, or they use palettes when the image > is > >> > small. This will fix most of this. We also attempt to rewrite to JPEG > if > >> > the image is opaque and only if it yields a significant improvement ( > > > >> > 20%) over an efficient PNG. JPEG should only provide significant > >> > improvement if the image is photographic in nature. > >> > > >> > JPEG - We strip metadata and allow for configurable compression level. > >> > > >> > Please review this at http://codereview.appspot.com/10841 > >> > > >> > Affected files: > >> > java/common/conf/shindig.properties > >> > > >> > > java/gadgets/src/main/java/org/apache/shindig/gadgets/rewrite/image/BaseOptimizer.java > >> > > >> > > java/gadgets/src/main/java/org/apache/shindig/gadgets/rewrite/image/GIFOptimizer.java > >> > > >> > > java/gadgets/src/main/java/org/apache/shindig/gadgets/rewrite/image/ImageRewriter.java > >> > > >> > > java/gadgets/src/main/java/org/apache/shindig/gadgets/rewrite/image/ImageUtils.java > >> > > >> > > java/gadgets/src/main/java/org/apache/shindig/gadgets/rewrite/image/JPEGOptimizer.java > >> > > >> > > java/gadgets/src/main/java/org/apache/shindig/gadgets/rewrite/image/OptimizerConfig.java > >> > > >> > > java/gadgets/src/main/java/org/apache/shindig/gadgets/rewrite/image/PNGOptimizer.java > >> > > >> > > java/gadgets/src/test/java/org/apache/shindig/gadgets/rewrite/image/BaseOptimizerTest.java > >> > > >> > > java/gadgets/src/test/java/org/apache/shindig/gadgets/rewrite/image/GIFOptimizerTest.java > >> > > >> > > java/gadgets/src/test/java/org/apache/shindig/gadgets/rewrite/image/ImageRewriterTest.java > >> > > >> > > java/gadgets/src/test/java/org/apache/shindig/gadgets/rewrite/image/JPEGOptimizerTest.java > >> > > >> > > java/gadgets/src/test/java/org/apache/shindig/gadgets/rewrite/image/PNGOptimizerTest.java > >> > > >> > > java/gadgets/src/test/resources/org/apache/shindig/gadgets/rewrite/image/animated.gif > >> > > >> > > java/gadgets/src/test/resources/org/apache/shindig/gadgets/rewrite/image/inefficient.png > >> > > >> > > java/gadgets/src/test/resources/org/apache/shindig/gadgets/rewrite/image/large.gif > >> > > >> > > java/gadgets/src/test/resources/org/apache/shindig/gadgets/rewrite/image/large.jpg > >> > > >> > > java/gadgets/src/test/resources/org/apache/shindig/gadgets/rewrite/image/rgbawithnoalpha.png > >> > > >> > > java/gadgets/src/test/resources/org/apache/shindig/gadgets/rewrite/image/small.jpg > >> > > >> > > java/gadgets/src/test/resources/org/apache/shindig/gadgets/rewrite/image/unanimated.gif > >> > pom.xml > >> > > >> > > >> > > >> > > >
