
Pascal Ernster
authored
Override Hyrax "create_derivatives" method to restrict "derivatives"/thumbnail creation to safe file formats.

Instead of trying to create thumbnails for "everything and the kitchen sink", only create thumbnails for file formats/MIME types that the ImageMagick developers consider "web-safe":

- GIF
- JPEG
- PNG

For details on what ImageMagick considers "web-safe", see here: https://imagemagick.org/script/security-policy.php

Also, don't generate derivatives at all for non-image formats, because those are even worse from a security standpoint. For example, audio and video files would otherwise be fed into ffmpeg, and document/office files would be fed into LibreOffice. Neither ffmpeg nor LibreOffice can be considered anywhere near safe enough to read/parse/convert any files inside a web application.
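The following is an added example of the allow-list approach the commit describes; it is not the commit's own diff and not Hyrax project code. It assumes Hyrax's FileSet exposes an instance method `create_derivatives(filename)` and a `mime_type` attribute; the `BaseFileSet` class below is a stand-in for that API so the file runs stand-alone, and the override is attached with `prepend` so the original method is only reached for GIF, JPEG and PNG.

```ruby
# Added example (not Hyrax's own code): limit derivative generation to
# ImageMagick's "web-safe" raster formats (GIF, JPEG, PNG) and skip all
# other MIME types, so that ffmpeg and LibreOffice are never invoked on
# uploaded files. Hyrax API (create_derivatives(filename), mime_type) is
# assumed; BaseFileSet below is a stub standing in for Hyrax::FileSet.

module SafeDerivatives
  # Allow-list of MIME types that may be handed to ImageMagick. Anything
  # else (PDF, office documents, audio, video, TIFF, SVG, ...) is skipped.
  WEB_SAFE_IMAGE_MIME_TYPES = %w[image/gif image/jpeg image/png].freeze

  # Normalise a MIME type (drop parameters such as "; charset=binary",
  # ignore case) and decide whether derivatives may be generated for it.
  def self.derivatives_allowed?(mime_type)
    return false if mime_type.nil?
    base = mime_type.to_s.split(';').first.to_s.strip.downcase
    WEB_SAFE_IMAGE_MIME_TYPES.include?(base)
  end

  # Override point: only fall through to the original create_derivatives
  # when the file's MIME type is on the allow-list. Returns true when the
  # original method ran, false when the file was skipped.
  def create_derivatives(filename)
    unless SafeDerivatives.derivatives_allowed?(mime_type)
      # Hyrax would use Rails.logger; Kernel#warn keeps the stub runnable.
      warn "Skipping derivatives for #{filename} (#{mime_type.inspect})"
      return false
    end
    super
    true
  end
end

# Stand-in for Hyrax::FileSet (assumption for this example only). It
# records the filenames for which the original method was reached.
class BaseFileSet
  attr_reader :mime_type, :generated

  def initialize(mime_type)
    @mime_type = mime_type
    @generated = []
  end

  def create_derivatives(filename)
    @generated << filename
  end
end

# In a real app this would be Hyrax::FileSet.prepend(SafeDerivatives) or
# the equivalent in app/models/file_set.rb; here a subclass keeps the
# stub untouched.
class SafeFileSet < BaseFileSet
  prepend SafeDerivatives
end

# Run one file through the guarded method and report what happened:
# [whether derivatives were generated, the filenames that reached super].
def demo(mime_type, filename)
  fs = SafeFileSet.new(mime_type)
  [fs.create_derivatives(filename), fs.generated]
end

if __FILE__ == $PROGRAM_NAME
  p demo('image/png', 'cat.png')        # [true, ["cat.png"]]
  p demo('application/pdf', 'doc.pdf')  # [false, []]
  p demo('video/mp4', 'clip.mp4')       # [false, []]
end
```

The check is only as good as the MIME type it sees: it should be applied to the type recorded by server-side characterization of the stored bytes, not to the Content-Type the browser sent with the upload, since the latter is attacker-controlled.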