From c1b8d4bf2a36cd59e31758a9e6af872c17c4cfb8 Mon Sep 17 00:00:00 2001 From: Allan Sandfeld Jensen Date: Tue, 3 May 2016 13:34:22 +0200 Subject: Only load QImageIO plugins from white-listed formats Not all QImage plugins are safe to load from the internet. We should only load formats that are well-used on the internet and we can be reasonably sure are safe. [ChangeLog][WebKit][Behavior Change] QtWebkit will no longer support any QImage plugin with the Size option, but instead only decode formats that have been whitelisted. If you are using QtWebKit for controlled content and wish to override the white-listed it can now be done with the environment variable QTWEBKIT_IMAGEFORMAT_WHITELIST which takes a comma-separated list of QImageIO formats. Change-Id: Ifc4f1a3addfa4ec117697a12000db3c265422314 Reviewed-by: Richard J. Moore
---
 .../platform/graphics/qt/ImageDecoderQt.cpp | 25 ++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/Source/WebCore/platform/graphics/qt/ImageDecoderQt.cpp b/Source/WebCore/platform/graphics/qt/ImageDecoderQt.cpp
index 2917815bd..74696c23d 100644
--- a/Source/WebCore/platform/graphics/qt/ImageDecoderQt.cpp
+++ b/Source/WebCore/platform/graphics/qt/ImageDecoderQt.cpp
@@ -31,6 +31,7 @@
 #include
 #include
+#include
 #include
 namespace WebCore {
@@ -45,6 +46,25 @@ ImageDecoderQt::~ImageDecoderQt()
 {
 }
+static const char* s_formatWhiteList[] = {"png", "jpeg", "gif", "webp", "bmp", "svg", "ico", 0};
+
+static bool isFormatWhiteListed(const QByteArray &format)
+{
+ static QSet whiteListSet;
+ if (whiteListSet.isEmpty()) {
+ QByteArray whiteListEnv = qgetenv("QTWEBKIT_IMAGEFORMAT_WHITELIST");
+ if (!whiteListEnv.isEmpty())
+ whiteListSet = QSet::fromList(whiteListEnv.split(','));
+
+ const char **formatIt = s_formatWhiteList;
+ while (*formatIt) {
+ whiteListSet.insert(QByteArray(*formatIt));
+ ++formatIt;
+ }
+ }
+ return whiteListSet.contains(format);
+}
+
 void ImageDecoderQt::setData(SharedBuffer* data, bool allDataReceived)
 {
 if (failed())
@@ -73,6 +93,11 @@ void ImageDecoderQt::setData(SharedBuffer* data, bool allDataReceived)
 // QImageReader only allows retrieving the format before reading the image
 m_format = m_reader->format();
+ if (!isFormatWhiteListed(m_format)) {
+ qWarning("Image of format '%s' blocked because it is not considered safe. If you are sure it is safe to do so, you can white-list the format by setting the environment variable QTWEBKIT_IMAGEFORMAT_WHITELIST=%s", m_format.constData(), m_format.constData());
+ setFailed();
+ m_reader.clear();
+ }
 }
 bool ImageDecoderQt::isSizeAvailable()
-- 
cgit v1.2.1
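Review bot: The environment variable only extends the built-in list, because `s_formatWhiteList` is inserted unconditionally after `QSet::fromList`, so QTWEBKIT_IMAGEFORMAT_WHITELIST can add formats but never remove a default, which contradicts the "override" wording in the commit message; either document it as additive or insert the built-in entries only when the variable is unset. Entries from the variable are also taken verbatim, so a value like `png, tiff` (space after the comma, or upper-case letters) never matches the name the reader reports, and the user gets the same "blocked" warning with no hint why; normalise each entry with `whiteListSet.insert(entry.trimmed().toLower());` before use. The function-local `static QSet` is filled lazily on first call with no lock, so if decoders are created from more than one thread the first use is a data race; a `Q_GLOBAL_STATIC` or startup initialisation would be safer. A one-line comment above the function should state that it is the security gate for which image plugins may decode network content and that the environment variable is an explicit opt-in for trusted deployments.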
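Review bot: The check runs only after `m_reader->format()` has resolved the format, and if that resolution is done by probing the installed QImageIO plugins, each plugin's canRead() has presumably already executed on the untrusted bytes before the list is consulted, so this guard refuses decoding by a non-listed plugin rather than preventing the plugin from being loaded; the commit title overstates this and a comment at the check should make the boundary explicit, e.g. `// Refuse to decode formats outside the allow-list; format sniffing has already run on the data.`. The comparison with `isFormatWhiteListed(m_format)` is exact, so correctness depends on QImageReader returning the canonical lower-case plugin key here, which is worth a note next to the built-in list. The `qWarning` fires once per blocked image with the remote-chosen format text, which is fine as an argument to `%s` but can flood logs on a page full of such images; consider rate-limiting or demoting it. setData's body begins and continues outside the hunk.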