elixir-image/image

set `VIPS_BLOCK_UNTRUSTED` by default

jcupitt opened this issue · 2 comments

Hi all,

libvips 8.13 has a new feature for blocking untrusted loaders. You just set the env var VIPS_BLOCK_UNTRUSTED and all loaders which have not been fuzzed by oss-fuzz are prevented from executing. There's a bit in the release notes about this:

https://www.libvips.org/2022/05/28/What's-new-in-8.13.html

How about setting this by default for Image?

It would mean users would not need to make a libvips binary that excluded unsafe loaders -- they could just use the platform binary, and be reasonably sure no unsafe code was exposed to untrusted data.

This isn't a theoretical weakness -- several major distributions include unsafe loaders by default in their libvips binary (I'm trying not to be specific here, obviously), so without this env var setting you really do need to roll your own libvips binary if you want to sleep soundly at night.
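As an added example (not code from this thread or from the Image project), here is where a Vix-based Elixir application can set the variable so that libvips sees it at initialisation; it assumes that Vix initialises libvips when the `:vix` application starts and that libvips reads `VIPS_BLOCK_UNTRUSTED` during that initialisation:

```elixir
# config/runtime.exs of a hypothetical application that depends on :vix.
# Added example, not the Image project's own code.
#
# Assumption: Vix initialises libvips when the :vix application starts, and
# libvips reads VIPS_BLOCK_UNTRUSTED during that initialisation. runtime.exs is
# evaluated before any application starts, so a value set here is visible in
# time; setting it later (for example from a GenServer) would be too late.
import Config

vips_block = "VIPS_BLOCK_UNTRUSTED"

case System.get_env(vips_block) do
  nil ->
    # No operator choice made: default to blocking the loaders that
    # oss-fuzz has not fuzzed.
    System.put_env(vips_block, "1")

  value ->
    # The operator set it explicitly; leave that decision alone.
    IO.puts("#{vips_block} already set to #{inspect(value)}; not overriding")
end
```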

@jcupitt Great suggestion, and congrats on getting 8.13 out the door! I'll do as you suggest (and recommend the same to @akash-akya, who primarily deserves credit since it's his vix that provides the Elixir wrapper for libvips).

I have added setting the env var by default as of Image version 0.7.0 - thanks for implementing this and giving me the pointer.