Diverse Image Format Support #119

Open
5 tasks
DonaldTsang opened this issue Jul 3, 2019 · 5 comments

Comments

@DonaldTsang

DonaldTsang commented Jul 3, 2019

  • HEIF (h264/h265 based)
  • AVIF (AV1 based)
  • WebP (VP8/VP9 based)
  • FLIF or FUIF (either one)
  • SVG (vector graphics)
  • Others

@DangerOnTheRanger
Owner

WebP support has been in for a little while now, I think. HEIF isn't possible at the moment due to patent/licensing issues. The other bitmap image formats are currently not supported by Pillow, which is the bitmap image library Maniwani uses. Calling out to Imagemagick the way a lot of other imageboard engines do could work for supporting the other bitmap formats, but would lead to an additional runtime dependency with a very large attack surface for a bunch of formats that have questionable popularity at the present, so I'm hesitant about doing that.

I think SVG support would be reasonable, though; we could discuss further about implementing that if you'd like.

@DonaldTsang
Author

@DangerOnTheRanger will keep an eye out for AVIF, FLIF and FUIF inclusion in Imagemagick.

Also, for SVG, it is very useful for people of similar interests (e.g. tabletop gamers, world-building enthusiasts) to share them. SVG thumbnails should be easy given Python has libraries for it
(see https://pypi.org/project/preview-generator/ for example).

@DangerOnTheRanger
Owner

SVG support is fine, it's hanging a dependency on Imagemagick that I'd rather not do. Imagemagick already has support for FLIF, but as I mentioned earlier is probably not something that should be exposed to any form of untrusted input. Considering how new and niche the other formats in the list besides SVG are, I don't think the benefit of including them via Imagemagick outweighs the security cost.

If there were an alternative library that provided a way to thumbnail those formats, I would be open to looking at it (though I still don't think they are that popular to begin with), but I don't want to use Imagemagick at this time.

@DonaldTsang
Author

@DangerOnTheRanger in this case, put it on hold.

> Imagemagick already has support for FLIF, but as I mentioned earlier is probably not something that should be exposed to any form of untrusted input.

Some context would be good.

@DangerOnTheRanger
Owner

Imagemagick has a very large and very impactful list of CVEs that I linked earlier, up to and including remote code execution. It's not something I feel comfortable depending upon for the sake of security. With the very lax way a lot of imageboard deployments are maintained, the problem is compounded further, so that's even more reason not to rely on it.
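
The concern in this thread is which decoders untrusted uploads can reach. As an added illustration (not part of the original discussion and not Maniwani's code), the sketch below identifies the formats named in this issue from their leading bytes and admits only an allow-listed subset before any decoder runs; the allow-list contents and the names `sniff_format` and `gate_upload` are assumptions.

```python
# Added example: identify an upload by its leading bytes and gate it on an
# allow-list before any decoder runs. ALLOWED is an assumption, not Maniwani's
# actual configuration.
ALLOWED = {"png", "jpeg", "gif", "webp"}

HEIF_BRANDS = {b"heic", b"heix", b"hevc", b"hevx", b"mif1", b"msf1"}
AVIF_BRANDS = {b"avif", b"avis"}


def sniff_format(head: bytes) -> str:
    """Return a format name from the first bytes of a file, or 'unknown'."""
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if head.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if head[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    # RIFF container: 4-byte tag, 4-byte little-endian size, 4-byte form type.
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":
        return "webp"
    if head[:4] == b"FLIF":
        return "flif"
    # ISO BMFF (HEIF/AVIF): 4-byte box size, 'ftyp', then the major brand.
    if head[4:8] == b"ftyp":
        brand = head[8:12]
        if brand in AVIF_BRANDS:
            return "avif"
        if brand in HEIF_BRANDS:
            return "heif"
        return "unknown"
    # SVG is text, so this is only a heuristic: skip BOM/whitespace, look for markup.
    text = head.lstrip(b"\xef\xbb\xbf \t\r\n")
    if text.startswith((b"<?xml", b"<svg", b"<!DOCTYPE svg")) and b"<svg" in head:
        return "svg"
    return "unknown"


def gate_upload(data: bytes, claimed_ext: str) -> tuple[bool, str]:
    """Decide from content, not the client-supplied extension."""
    fmt = sniff_format(data[:512])
    if fmt not in ALLOWED:
        return False, f"rejected: {fmt} is not on the allow-list"
    ext = claimed_ext.lower().lstrip(".")
    if {"jpg": "jpeg"}.get(ext, ext) != fmt:
        return False, f"rejected: extension .{ext} does not match content ({fmt})"
    return True, fmt
```

A signature match only selects which decoder is allowed to see the file; it says nothing about whether the rest of the file is well-formed.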
