From a7d775654569555f8a848deb5b6248cad38f2b77 Mon Sep 17 00:00:00 2001
From: Eliot Berriot <contact@eliotberriot.com>
Date: Wed, 2 Jan 2019 12:39:00 +0100
Subject: [PATCH] Fix #374: Strip EXIF metadata from uploaded avatars to avoid
 leaking private data

---
 api/funkwhale_api/common/serializers.py |  26 ++++++++++++++++++++++++
 api/funkwhale_api/users/serializers.py  |  10 +++++++--
 api/tests/common/exif.jpg               | Bin 0 -> 4278 bytes
 api/tests/common/test_serializers.py    |  19 +++++++++++++++++
 changes/changelog.d/374.enhancement     |   1 +
 5 files changed, 54 insertions(+), 2 deletions(-)
 create mode 100644 api/tests/common/exif.jpg
 create mode 100644 changes/changelog.d/374.enhancement

diff --git a/api/funkwhale_api/common/serializers.py b/api/funkwhale_api/common/serializers.py
index e253906de..e7bbf8f1f 100644
--- a/api/funkwhale_api/common/serializers.py
+++ b/api/funkwhale_api/common/serializers.py
@@ -1,8 +1,12 @@
 import collections
+import io
+import PIL
+import os
 
 from rest_framework import serializers
 
 from django.core.exceptions import ObjectDoesNotExist
+from django.core.files.uploadedfile import SimpleUploadedFile
 from django.utils.encoding import smart_text
 from django.utils.translation import ugettext_lazy as _
 
@@ -190,3 +194,25 @@ def track_fields_for_update(*fields):
         return serializer_class
 
     return decorator
+
+
+class StripExifImageField(serializers.ImageField):
+    def to_internal_value(self, data):
+        file_obj = super().to_internal_value(data)
+
+        image = PIL.Image.open(file_obj)
+        data = list(image.getdata())
+        image_without_exif = PIL.Image.new(image.mode, image.size)
+        image_without_exif.putdata(data)
+
+        with io.BytesIO() as output:
+            image_without_exif.save(
+                output,
+                format=PIL.Image.EXTENSION[os.path.splitext(file_obj.name)[-1]],
+                quality=100,
+            )
+            content = output.getvalue()
+
+        return SimpleUploadedFile(
+            file_obj.name, content, content_type=file_obj.content_type
+        )
diff --git a/api/funkwhale_api/users/serializers.py b/api/funkwhale_api/users/serializers.py
index bcacc3144..c75604f6e 100644
--- a/api/funkwhale_api/users/serializers.py
+++ b/api/funkwhale_api/users/serializers.py
@@ -11,7 +11,7 @@ from rest_framework import serializers
 from versatileimagefield.serializers import VersatileImageFieldSerializer
 
 from funkwhale_api.activity import serializers as activity_serializers
-
+from funkwhale_api.common import serializers as common_serializers
 from . import models
 
 
@@ -66,7 +66,13 @@ class UserActivitySerializer(activity_serializers.ModelSerializer):
         return "Person"
 
 
-avatar_field = VersatileImageFieldSerializer(allow_null=True, sizes="square")
+class AvatarField(
+    common_serializers.StripExifImageField, VersatileImageFieldSerializer
+):
+    pass
+
+
+avatar_field = AvatarField(allow_null=True, sizes="square")
 
 
 class UserBasicSerializer(serializers.ModelSerializer):
diff --git a/api/tests/common/exif.jpg b/api/tests/common/exif.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..c13141aff10c549e994468090649702c5c13c086
GIT binary patch
literal 4278
zcmex=<NpH&0WUXCHwH#VMg|WC4+e(+4>`}dR%E6zF!=g1XfZG_a4>K)@-r|oFfed3
zFfdGF6acdY7#JAlFbXj+GcYhPGB7eQFiJ77g4qlVYZ#^B>@AEMP&G^p42*_gz1$28
z40{-jz-$o)28I(%!U#1@Gr-~?v+lHKGO$3+e8j-OyvHrn%hS!%$CrV@Ei*4QAhW{E
z(!e0f-`|&kfdS-pkUJo>yQgn}f{~tyo+$%^k%57Qm4UgHv7v&Yxs{>0m8ltnf`Wnq
z0|SFh(_ENKnJhY#5U%J@hq6-`7$z_<urn|)uoxH_8cbjYyH13GfyrS43!EJ?krASX
zk%^gMA`{%qj7f|PTo4~H6-+{iS4?7ti#JSSfwMa%vBLFEn8Xfs11kf=Bu*$B6a`#x
zH8UpFfbD(9z`(R%0nD9-1_lclq3RhK7#1+WLosCmGo0<cfEC7Op0|h(W+rprB7Qh~
z+9Cm{Im`?Ui^QR9CI*JZ5W5&b(Z3ktcSc4~EPyfN1O^6%6e9xzLn{L#D?>{K12ZcV
z11kelP+VY$F)%QI;)08TfjJ1IkAVTApMintErbs?l$n8nQ3uMu#lXP81xpP)3=9l{
z3?K)A5{rSMu>pes69WeW1H(N~&<ikwlLg47Oi(t+JZ2=e0F(_%<bncRVD-;H&Vq`A
z)GH#f4UpJ|NNgi08ypgX5PLy-8HAA7!U#4a5}OH$4btQ0>E{YbqzvHX!N9;*0rC!<
zW@2Cjr$3e;OA7`DCU81nF)%bR0O@AnU}T2I78?Tt_I%2sgvh5XTFCj7i4m4ESd5t9
zsfTq6ay|vyf|l!0$`fe0@c%Z0GXozd7Y`RF9}hPVKR=&<sFIkdu&}6>oPwm1k&cOp
zp^kyRxt+hWxs|uIzJY6;n|Dx1WMrhNQ({I!Sh|0BWGKiGMt**NQ6W(cF)@u$O9RVL
zlEME241ydC77X6Zj7khlf{e_9jQ@`?$TKi7vND1J)JqJEOw25-Z0sDIT-^VUFl-fI
zU}9uuW@2GxWo2PuU|_5TWpWllRv|@0M>gTWM0TY@5u?V53ptdXHXalWy7)oGIH{<K
zlS@ooLQ+aqO<hA%%f!^o+``hz*~Qh(-NVx>I3zSIJR&kGIVCkMJtH%#xTLhKyrQzI
zxuvzOy`!^h(&Q;qr%j(RbJn88OO`HMzGCI7O`ErD-L`$l&RvHNA31vL_=%IJE?vHI
z_1g6tH*Y<B^!UlsXU|`}eD(3u=PzHsegE<E7sy|X49s9(fe47t(EKIHz{JSJ!otkL
z4)PZxQ#r`vf-J0xhHOHPf$WKe!b(Ps93oB=7j8VrscandK{To8BA1wo$wSqTAg_Ua
zMx4i*$nqK7V+eoUV&GwBWMC3x7G$tzI54$XsPRhGtkC_FENVJ#bKjSJ^}J)ti7(yX
zw)H(e$LM(ed-08H4$2my#}+PIdVR(GUA^4p7DkgQWI{uxUduP$S3GOO<I{}+1yxt(
z-?*-J`fcl?h|fLZ(tE1{`m)V8Zp~hydUo4OK9!#I*O5hc@5G#c>J+(MhVi;-%#Q61
zF3X?gMf_**y82=76RX<iGj%uned6uz^Ln=Pr^wQUOO$IlOYRzpTEAN)^zq_O(XvO+
zj$K$XZGqcInH8Z&v+hOJwh6oyf9G#0^Y(1<_HLGQE<$YY`yNed**4>;*jB4-@k^x{
zb(eLV&noNeTyryT?U5cKhE;qF=e-VZ+F`cI%#Y#uhxd`wqkhls<nb^|@45CdcXgT6
zq-{&BXFl0AbLqrx<2jS6FRxvw=6Zg;$&JP`uI@?MMYr8%ntb1TLXnR{c5{@Ur?TuR
zA<apFclbQMt<YPia_8o$Wku}q=hpa@Ii0ddzWy?@MN;*crzqDov$n1$y@oFL>OQ^<
z+j7>=JGy0R;Z8p{w``-Q+wEn=8-3grE_ZF(Is22Xp1tVLk1IZTGxr`=S~xl8Qex8i
zWeje02@YqA@5wb)ro<jy)X~J#T71k_+wHyo?`(yglLg%jR!SVJJ-?T)&~4SKr&kVM
zD`mNoH#28J#v=7rnaKg`+G|enPwx4qw(GREbao6!68HNnSI*o_KAQA8+G8=h@}#YQ
zuiQ3_>rLc3x_~v6{S0&SyX?lxi^RiMh)>|RSns^MV(o)XZSEmKkKfDGUi4eNbLpC!
z$9|kTn{-8Xk%D$Z#n<;SUkvQbj`f_WVBoo)yy_<R?qk!+tgSV^Ea_C*9=qY#3foqv
zl?(ZzBA(~&F}68kdYB{p^2)W{zH*07vnG9(sTcknE-^oD%QXv&*Pd4<D?Oh1<8h<s
zjq1x0O$ByS*8QkY6<Nc4%_q-xR}h=Tvjyo#lJ8u}HRIEa;92RNv1{!U0RcnJTXzfg
zt~&c}ZSl(5x#_v5g(mqKUhC4%EH~YI+hogG*Zka?_WumA0<T|f*?IEIqOOB4wFT{-
zY+U#3SFnmjf#F$^&_x`cKaW56$+QczeC;a2a8l;a;!BIv)lC9D`2XJo6`g~r{Pku?
zVP;fBl)usp3{0Sc3Q|OYNETKGCT2E9_Wws1jG$#ND-#PFr~+pI6;TW<f<lUhtd4BL
zN`Z-mjml0F7mBEEJb3Ygk#W%fBMg#|f)8X86oboa*8fKs6a^WWK!6!sL4#!(nFN^?
zg$#`xS%j6G{-YExE+G=;>gwNCMV`u?<54{Ew#C^3)heq`c7{3EvVX3V*LyB^;Ei^4
z*@d-=*58&r_W0bOGG)use#>>ui%M-Y+T0F2kk7iQTqu4c^>IC~bY_xio^;^(mq%4*
zuQ;nL%AS93$D?gglO1F2mvugIE?%=zMO4StzIo}F6OXTo?(sODJbA_Q_x>kO>Fs4)
z^<ux@p7v#TY`47Q5t`eckh$we{W7bc%LC)e^R(_utzBjlw<6SVV_%pDqsDTEE32$F
zTs(aG*`a&U#{%1q2sUY?tKNRJMLAmgQ~D((y$4)Y$xn|6-w2zYE+H(x{B`tAw#v}p
z$>$F&x~t6;CRtySqGWKSRpR7(zZ&@qlUGRQt>a&0JF)im{kJhU9-h2dvL;n@Vvm(~
z!@+YLHeJFi9ZntX=e<*XWn+v{@Hb9(C(nz`DRYnSwRu?^l`M4ZQ&yN%`J1e-P6sbD
z?cLXR@98B^5yShUnwL^zCdSK@dgxa*blnyAQCRK4_NM-5(b1D{W4RXvmmSiX9I{{@
z+t)2`A~!HvnyNohU$}NsNkz`n=+l*|I~W9ReK0L&mTmvt75n_CL|LOrWqabB2SF)S
zOQM^+&WK;Rsh(AQQS8~HUm9zdXLMM8`6m1Ay_4Y8c9|ciX5PC~@?zOG#t2S_{|qx_
z=FfVjKYiuF8F5#9cHCIcHm_pQsn7=BOzYd7QR4B1eVRGby_0%k=FGiPbE)jb^Q;+d
zk1F-lGE?${WoAvSVx4WhrDdbd_0@9a)|a_tb7m=(y(?R>@zs<Q;&yS5UkASPF$}w4
zdvWU1w8WR{DRClUh8xR&RbQBNb^2sYog*h(?IyZL#+?-DI(0Ncw&S+Q$C$u#zc;UG
zKC)ftz$zw5hJ)vy{aobU`EKo_7-zx6jb}wx&fQq^IN|y|i>Zkz*%96b2cGRXJ#+ah
zab0DmPnHi|vto8mIPH0ftN-x#b&VY^=hLjOto-{?Ibl@@&n&HT*Rr>B3r(JU@<!-V
ztuThy-Icn9JgY*l{AyhI&aZ=My~-<l(evVOmWUlKww``$ZNJ5ntFu2Wu(+}9(7d>b
zo*R4~T$^~pag~v>-TZ=s*FEpZu3kRRdbgvN?H2z+qo&1MDrL6+SX#8iPP1^Ewm*Mm
z|FhUTV#zzXeb>BM`*y>IW2@g)UpMpVi&DF}rX|}tWF=Q&*+*@Q>j&1YKOA;i_f7)u
z^s3jVzF53p_r>G=uEvBT*3Jk1GhBH5E1a>$$93wqqyqPi?}MA)iuNsG7Mfn`{x;}&
z*?~K}t5z2Y`5e>ETqo~hXuN%c$g9(bt_ulV_uHty;m*Z5S6t<8mE86gm5WK(@aOE#
zMcmVDKF6%Rv37#Y{!8nnd5qJhHH75v^%6;*FtOwm$GY1G4W8I6so~#Sn(|_G{K7kv
z>kW6*U33$F|8Ld<s}DW*&Mx2&PWhXq`L5^w3%={i?%YW~)zf&h@6fEMiZYG^*~^X0
zH{1yRyhLZlC6z7~PL`}L+gA7Fz@m*hE3J9Huatk5pQXw0*~01OvxT{a{j(0*TyHQ8
zYGrtqeB{$A&6AJzbwA8tG0QUCng2q2QSFiv{}V^`f->Iy*(tbmT5#*R2YhBrmK~B<
zqW603=hNZ#TI%X<OFx)Bezb>O*>d4c<AXcxMT7hb%+HGSxE1~i-+5W=&a7fdYk{t<
zYPAOz2&+%$4QgO{%kkoG*(XUxZRQEhcZ%$@sxQ}s+6a2AnfNl|+#H@vwe@yy_RKvI
zoLTW<=Pq{ku>1FRWu~^hW1YvukvPe=*IA`(#`+^16K`Cd-uqg}B=piu+t<py)pDAX
z47(>c&#(ICX2G<v%le;!sHe)AsWW?KJni*jWB*urK7NP#B)7W5^0ylL|84)pwfUvU
zzuslHBo5rj_xWS;ChRHamsWOpQ_YHvHzJ>H=`YYKR1k81(8bdq9qN<vpJDpzkfPEq
Vo}-R`q88qLEwSQ#P-Fl9n*gbW*X{rS

literal 0
HcmV?d00001

diff --git a/api/tests/common/test_serializers.py b/api/tests/common/test_serializers.py
index bf04e8d2a..6d20443af 100644
--- a/api/tests/common/test_serializers.py
+++ b/api/tests/common/test_serializers.py
@@ -1,3 +1,8 @@
+import os
+import PIL
+
+from django.core.files.uploadedfile import SimpleUploadedFile
+
 import django_filters
 
 from funkwhale_api.common import serializers
@@ -163,3 +168,17 @@ def test_track_fields_for_update(mocker):
         {"field1": "value1", "field2": "value2"},
         {"field1": "newvalue1", "field2": "newvalue2"},
     )
+
+
+def test_strip_exif_field():
+    source_path = os.path.join(os.path.dirname(__file__), "exif.jpg")
+    source = PIL.Image.open(source_path)
+
+    assert bool(source._getexif())
+
+    with open(source_path, "rb") as f:
+        uploaded = SimpleUploadedFile("source.jpg", f.read(), content_type="image/jpeg")
+    field = serializers.StripExifImageField()
+
+    cleaned = PIL.Image.open(field.to_internal_value(uploaded))
+    assert cleaned._getexif() is None
diff --git a/changes/changelog.d/374.enhancement b/changes/changelog.d/374.enhancement
new file mode 100644
index 000000000..71d3e911f
--- /dev/null
+++ b/changes/changelog.d/374.enhancement
@@ -0,0 +1 @@
+Strip EXIF metadata from uploaded avatars to avoid leaking private data (#374)