Replace Imagick with something better #13099
Comments
Ref #12821 I see the concerns and could imagine moving the warning into the @skjnldsv @juliushaertl looks like @nextcloud/vm and @nextcloud/snap not going to add Edit: There is already a warning that some things do not work:
|
Nothing allows us to properly convert image types (especially svg) with php other than imagick (that I'm aware of) unfortunately. |
Apart from this favicon svg generation the theming app works fine without |
@danielkesselberg avatars will not be as great looking without imagick. |
How about the performance without |
From what I've read, most of the ImageMagick CVEs come from individual filters or filetypes that we probably don't care about -- is there a way to whitelist ImageMagick (and GraphicsMagick to a lesser extent) have had quite a large number of CVEs, mostly due to the sheer amount of formats and features that users need to process images. I would say a good first step would be to figure out a whitelist hardening configuration that we can use across the board, and then we can evaluate switching away from ImageMagick if that's not sufficient. |
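
The kind of allowlist hardening proposed in the comment above, sketched as an ImageMagick `policy.xml` (an added example, not part of the original thread and not a configuration shipped by Nextcloud; the coder list and resource limits are assumed values):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: allowlist-style ImageMagick policy.xml.
     The coder list and limit values below are assumptions; set them to
     the formats and sizes the deployment actually has to render. -->
<policymap>
  <!-- Deny external delegate programs and all filters. -->
  <policy domain="delegate" rights="none" pattern="*" />
  <policy domain="filter" rights="none" pattern="*" />
  <!-- Deny every coder, then re-enable a short list. The later, more
       specific rule overrides the deny-all rule for those formats. -->
  <policy domain="coder" rights="none" pattern="*" />
  <policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
  <!-- Block indirect reads such as "@file" arguments. -->
  <policy domain="path" rights="none" pattern="@*" />
  <!-- Bound resource use so one oversized image cannot exhaust the host. -->
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="resource" name="map" value="512MiB" />
  <policy domain="resource" name="disk" value="1GiB" />
  <policy domain="resource" name="width" value="8KP" />
  <policy domain="resource" name="height" value="8KP" />
  <policy domain="resource" name="time" value="60" />
</policymap>
```

The policy is read by the ImageMagick library itself, so it also applies when the library is reached through the PHP imagick extension. `magick -list policy` (`convert -list policy` on ImageMagick 6) prints the policy that is actually in effect.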
See also Imagick/imagick#262 |
There are also a couple of ways we could restrict |
@skjnldsv So something like https://github.com/flyimg/flyimg wouldn't work? |
@enoch85 that would require shell_exec. Yes, we could rely on external software (like inkscape for example). But this is not really recommended to do on php. @rullzer ? EDIT: sorry, I thought it was another software. Yes, we can use an external docker as well. We actually have a PoC somewhere for that. But this is a really heavy dependency and this would not scale to every setup. Also, most people don't use docker :/ |
Thanks for this, @enoch85. It's probably no surprise that I completely agree on this issue. In the snap it's not even possible for people to use it, so folks will just see the warning forever and be unable to do anything. So at the very least, packagers should be able to disable this warning without triggering an integrity failure. Even better, Nextcloud should just stop suggesting it be installed if it's not. If one doesn't miss the functionality it provides, all it does is make the general populace less secure. Best yet: find an alternative so everyone can enjoy the functionality without trading security for it. |
Let's be clear here, we all agree 😝 |
I'm glad we agree on that, but I'm also realistic: I don't know of an alternative off the top of my head either. While we look for one, can Nextcloud please stop complaining if imagick is not installed? |
How about a temporary solution that shows this special warning as one that can be confirmed as read and then be permanently hidden? |
Is it just SVG that GD didn't support? How about https://github.com/meyfa/php-svg? |
I'm not sure if a less common extension with only a few/one maintainers is more secure (and more reliable for e.g. compatibility) than ImageMagick. There are indeed more filetypes, but:
https://docs.nextcloud.com/server/stable/admin_manual/configuration_files/previews_configuration.html |
It seems like that's more like an API/microservice to manipulate images, but under the hood it's also using ImageMagick https://github.com/flyimg/flyimg#technology-stack:
|
It is not a hard error message, but a warning, so I see no reason why we should hide this. It just informs admins that they are missing a dependency that might cause some features to not work properly. Regarding the security concerns, if previews for those files are not enabled we don't pass user provided files to imagemagick as far as I know. The theming app is limited to admins, so there is no attack vector here, since the admin is considered as trusted anyway. |
As soon as imagick is available it can be used by any application, no? That's the big problem here. It's easy to use incorrectly and it's easy to install third-party apps that do so. |
How about GraphicsMagick, a fork of IM. Does it have the same security problems? http://www.graphicsmagick.org/ From their website: GM is more efficient so it gets the job done faster using fewer resources. |
GraphicsMagick seems to be API compatible to imagemagick, so it could be a drop in replacement in any setup as far as I can tell. |
https://pecl.php.net/package/gmagick there is no stable release 😞 |
The imagemagick/GraphicsMagick binary is only required for extended file types like SVG: |
The ffmpeg problem is, fortunately, patched now for FreeBSD. Hopefully will be committed soon, but for now: |
Looks to me like graphicsmagick could be a good replacement to imagemagick in the meantime. |
cc @nextcloud/server @nextcloud/security |
Anyone familiar with libvips? The benchmarks and reviews look great. |
My experience with it was in the context of Ghost via "sharp" requiring too new of a libvips (Debian Buster has 8.7 and they required 8.9+) which caused a host of issues for getting it successfully installed, so I'd suggest surveying what version of libvips is available in the expected target environments and ensuring the lowest common denominator meets the needs of the project before committing (but that's just my 2c; no real stake here 😇). |
I still think this is an ongoing discussion though. Mainly this issue exists due to the security concerns, and whatever replaces Imagick needs to be better OR not produce a warning. |
also note: some research done with an external preview generator: #24166 |
While someone will continue developing this feature, what do you think if we proceed by marking the warning as INFO in the Administration Overview as suggested by @kerberizer in nextcloud/docker/1414#issuecomment-945842317? |
This tempts admins into installing insecure packages to make the warning go away, even going so far as to [impurely modify running containers](nextcloud/docker#1414 (comment)). Changing the warning to trigger if the php-imagick module is loaded is more in line with the actual upstream recommendation, and hopefully helps unsuspecting users who have hacked around the warning in the past realize this.

Draft because:
- [ ] Untested (will try building this all this evening)
- [ ] Translations are missing, covered are:
  - [x] English
  - [x] German

Band-aid for nextcloud#13099, while we wait for a proper solution with libvips or somesuch.
Closing as per #24166 |
oh man, that's awesome |
EDIT (SEO): The PHP module "imagick" is not enabled although the theming app is. For favicon generation to work correctly, you need to install and enable this module.
A few days ago it was brought to my attention that using Imagick could have very negative effects on security. The Nextcloud snap decided not to use it due to that fact, and I've now mitigated the same threat(s) as well by not using it in the Nextcloud VM.
Here is the discussion regarding the decision in the Nextcloud snap, and I think it totally makes sense not to use it in the Nextcloud Server as well.
The situation now though is that it's recommended and the setup checks will inform the user that the package is missing. As Nextcloud is advertising it's secure, then why use a package that is prone to a lot of CVEs in the past?
Regarding alternatives I think this post sums it up quite well.
Please consider removing the recommendation in future versions, and please also consider replacing the use of Imagick with something better and more secure.
EDIT 2: We now install Imaginary as a replacement for this in the Nextcloud VM.