
Phabricator and ImageTragick
Closed, Resolved (Public)

Description

A set of vulnerabilities in ImageMagick (dubbed "ImageTragick", tracked as CVE-2016-3714 and related issues) was recently disclosed.

Phabricator does not appear to be vulnerable:

  • We only use ImageMagick to process GIF files (resizing animated GIFs and building animated GIF macros).
  • We verify on the server side that a file's content has the image/gif MIME type, using file (or finfo_open(), which is substantially equivalent), before passing it to ImageMagick. Both tools detect the type from the file's leading bytes rather than from its name, so an MVG or SVG payload uploaded under a .gif name is rejected before ImageMagick ever sees it.
  • Users cannot control any file paths: every path handed to ImageMagick is a randomly generated temporary file, so the special prefixes and characters ImageMagick interprets in filenames are not reachable from user input.
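
The three conditions above, written out as an added example. This is illustrative Python written for this page, not Phabricator's own PHP implementation; sniff_mime() is a simplified stand-in for file(1)/finfo_open() that decides from leading bytes and never from the filename, the sample GIF and MVG inputs are constructed here, and the explicit "gif:" coder prefix on the convert command line is an extra precaution assumed by the example rather than something the description says Phabricator does.

```python
import os
import shutil
import subprocess
import tempfile

# Constructed sample inputs (not real uploads): a minimal valid 1x1 GIF89a ...
VALID_GIF = (
    b"GIF89a"                                     # magic
    b"\x01\x00\x01\x00\x80\x00\x00"               # 1x1, global colour table, 2 entries
    b"\xff\xff\xff\x00\x00\x00"                   # the two palette entries
    b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"   # image descriptor
    b"\x02\x02\x44\x01\x00"                       # LZW min code size 2, one sub-block
    b"\x3b"                                       # trailer
)
# ... and a benign MVG (ImageMagick Vector Graphics) document. ImageTragick payloads
# are MVG/SVG text; ImageMagick picks its decoder from content, so a file named
# "cute.gif" holding this text would still be parsed as MVG if it reached convert.
MVG_TEXT = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"


def sniff_mime(data: bytes) -> str:
    """Content-based MIME type in the spirit of file(1); the extension is never consulted."""
    if not data:
        return "inode/x-empty"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "image/png"
    if data[:3] == b"\xff\xd8\xff":
        return "image/jpeg"
    # Anything else that is printable ASCII (MVG, SVG, MSL, shell text) is plain text.
    if all(32 <= b < 127 or b in (9, 10, 13) for b in data[:512]):
        return "text/plain"
    return "application/octet-stream"


def accept_for_imagemagick(filename: str, data: bytes) -> bool:
    """Condition 2: only bytes that sniff as image/gif are handed to ImageMagick.

    `filename` is deliberately ignored: it is attacker-controlled and proves nothing.
    """
    return sniff_mime(data) == "image/gif"


def remove_files(*paths: str) -> None:
    """Best-effort cleanup of the temporary files created by stage_resize()."""
    for path in paths:
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass


def stage_resize(data: bytes, size: str = "64x64"):
    """Conditions 1 and 3: write checked bytes to random temp paths and build the
    convert argv. Returns (argv, in_path, out_path); nothing user-supplied appears
    in argv, and mkstemp() picks the names, not the uploader."""
    if not accept_for_imagemagick("<ignored>", data):
        raise ValueError("refusing to hand non-GIF content to ImageMagick")
    in_fd, in_path = tempfile.mkstemp(suffix=".gif")
    with os.fdopen(in_fd, "wb") as fh:
        fh.write(data)
    out_fd, out_path = tempfile.mkstemp(suffix=".gif")
    os.close(out_fd)
    # "gif:" prefix: assumed extra hardening for this example, not from the page.
    # It pins the coder so ImageMagick does not re-sniff the input on its own.
    argv = ["convert", "gif:" + in_path, "-coalesce", "-resize", size, "gif:" + out_path]
    return argv, in_path, out_path


def resize_gif(data: bytes, size: str = "64x64") -> bytes:
    """Run the staged command if ImageMagick is installed; clean up regardless."""
    argv, in_path, out_path = stage_resize(data, size)
    try:
        if shutil.which("convert") is None:
            raise RuntimeError("ImageMagick `convert` not found on PATH")
        subprocess.run(argv, check=True, capture_output=True, timeout=30)
        with open(out_path, "rb") as fh:
            return fh.read()
    finally:
        remove_files(in_path, out_path)


if __name__ == "__main__":
    for name, blob in (("frame.gif", VALID_GIF), ("payload.gif", MVG_TEXT)):
        verdict = "accepted" if accept_for_imagemagick(name, blob) else "rejected"
        print(f"{name}: sniffed as {sniff_mime(blob)}, {verdict}")
```

The point of the example is the order of operations: the content sniff runs on the raw bytes before a temporary file is even created, and the only strings that reach the convert command line are paths the server generated itself.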

If you are particularly concerned and wish to pursue an abundantly cautious course of action, you can disable Phabricator's integration with ImageMagick by setting files.enable-imagemagick to false until a patched version of ImageMagick has been deployed on the host.

Disabling this option only affects Phabricator's ability to resize animated GIFs and to generate animated GIF macros. Although these are great losses, most installs should be able to survive without them for a little while.


Event Timeline

We don't appear to be affected directly and I've discussed this in the changelog now, so I'm going to close this out as I think there's no action remaining on our side. Let us know if anyone has questions, etc.