Skip to content

fix(sec): Overwrite ImageMagick's security policy to tighten it up (part1) #811

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
antobinary merged 1 commit into from
Dec 2, 2025
Merged

fix(sec): Overwrite ImageMagick's security policy to tighten it up (part1) #811

antobinary merged 1 commit into from
Dec 2, 2025

Conversation

@antobinary
Copy link
Member

@antobinary antobinary commented Dec 2, 2025
edited
Loading

The default policy.xml for ImageMagick needed to be sealed further for us to operate safely.

This is part of https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v28f-mvg5-mv7m which will be published soon.

We recommend that administrators apply the changes to /etc/ImageMagick-6/policy.xml whether via bbb-install.sh or through other means.

Note: to improve usability, consider dropping SVG from the list of supported presentation file formats via:

Adding to /etc/bigbluebutton/bbb-html5.yml (and restart BBB afterwards)

public:
  presentation:
    uploadValidMimeTypes:
      - extension: .pdf
        mime: application/pdf
      - extension: .doc
        mime: application/msword
      - extension: .docx
        mime: application/vnd.openxmlformats-officedocument.wordprocessingml.document
      - extension: .xls
        mime: application/vnd.ms-excel
      - extension: .xlsx
        mime: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
      - extension: .ppt
        mime: application/vnd.ms-powerpoint
      - extension: .pptx
        mime: application/vnd.openxmlformats-officedocument.presentationml.presentation
      - extension: .txt
        mime: text/plain
      - extension: .rtf
        mime: application/rtf
      - extension: .odt
        mime: application/vnd.oasis.opendocument.text
      - extension: .ods
        mime: application/vnd.oasis.opendocument.spreadsheet
      - extension: .odp
        mime: application/vnd.oasis.opendocument.presentation
      - extension: .odg
        mime: application/vnd.oasis.opendocument.graphics
      - extension: .jpg
        mime: image/jpeg
      - extension: .jpeg
        mime: image/jpeg
      - extension: .png
        mime: image/png
      - extension: .webp
        mime: image/webp

@antobinary antobinary merged commit 7a66409 into v3.0.x-release Dec 2, 2025
2 checks passed
antobinary added a commit that referenced this pull request Dec 2, 2025
@antobinary
fix(sec): Overwrite ImageMagick's security policy to tighten it up 
09768e9 
Addendum to #811
@antobinary antobinary mentioned this pull request Dec 2, 2025
Merged
@antobinary antobinary changed the title fix(sec): Overwrite ImageMagick's security policy to tighten it up fix(sec): Overwrite ImageMagick's security policy to tighten it up (part1) Dec 2, 2025
@antobinary
Copy link
Member Author

antobinary commented Dec 2, 2025

Part 2 #812 is mandatory!!

antobinary added a commit to bigbluebutton/bigbluebutton that referenced this pull request Dec 4, 2025
@antobinary
chore: Drop SVG presentation file support (client side)
472ec76 
Related to https://groups.google.com/g/bigbluebutton-dev/c/Veh3jvrADDc bigbluebutton/bbb-install#811 and bigbluebutton/bbb-install#812
This was referenced Dec 4, 2025
Merged
Merged
@antobinary antobinary deleted the image-magick-policy branch December 5, 2025 21:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@antobinary