[stable22] Disable HEIC image preview provider for performance concerns #28079

Merged
merged 1 commit into from
Jul 21, 2021

backportbot-nextcloud[bot]

backport of #28077

Signed-off-by: tobiasKaminsky <tobias@kaminsky.me>
@LukasReschke LukasReschke merged commit 81e9495 into stable22 Jul 21, 2021
@LukasReschke LukasReschke deleted the backport/28077/stable22 branch July 21, 2021 10:30
@skjnldsv skjnldsv mentioned this pull request Jul 26, 2021
@skjnldsv skjnldsv mentioned this pull request Aug 3, 2021
beardhatcode referenced this pull request in nextcloud/viewer Nov 17, 2021
Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
beardhatcode pushed a commit to nextcloud/viewer that referenced this pull request Nov 19, 2021
Because it was disabled by default in the server
nextcloud/server#28079

Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
@utack

utack commented Jan 5, 2022

What kind of problems was it causing?
Did some core functionality suffer from it, and is there a plan to re-enable it with lower priority?
Can it be enabled via some config tweaks?
Thank you

@hbalagtas

I'm also interested in whether this can be enabled in the config; my installation is for our local household only and not available through the internet. So, security aside, I'd like for us to have this functionality.

@novami

novami commented Nov 29, 2022

Enable it again, please!

@kesselb
Contributor

kesselb commented Nov 29, 2022

Hi, please refer to our documentation on how to enable a preview provider. The HEIC provider is still there but disabled by default for privacy reasons: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#previews

@novami

novami commented Nov 29, 2022

Thanks for the reply!

I'm interested now: what does it mean specifically? Something regarding GDPR? So not only a performance issue?

@whitephoenix117

I would also like to know what the specific performance/privacy concerns are, and if they apply to my use case.

@novami

novami commented Dec 8, 2022

I've installed the plugin https://apps.nextcloud.com/apps/camerarawpreviews and I'm happy now.

@kesselb
Contributor

kesselb commented Jan 10, 2023

@bcutter

bcutter commented Mar 13, 2024

https://hackerone.com/reports/1261413

Interesting. While the technical information would still need to be translated to "normal" users/admins. So what is the worst that could happen and how likely is that? Does an attacker need access or is it "only" an issue for users able to upload content?

If I got this right the decision was to just disable HEIC image preview generation by default, which is a rather quick workaround. But what next to that?

@fancywriter

Hello! I would also like to see HEIC preview work. Could it be possible to fix the vulnerability instead of just disabling it?
