fix(security): Force Imagick to only accept HEIC/HEIF images

Signed-off-by: Fabian Zwemke <[email protected]>

Author: fabianzw

lib/private/Preview/HEIC.php

@@ -65,6 +65,9 @@ public function getThumbnail(File $file, int $maxX, int $maxY): ?IImage {
 					'app' => 'core',
 				]
 			);
+			if (defined('PHPUNIT_COMPOSER_INSTALL') || defined('__PHPUNIT_PHAR__')) {
+				throw $e;
+			}
 			return null;
 		}
 
@@ -96,16 +99,15 @@ public function getThumbnail(File $file, int $maxX, int $maxY): ?IImage {
 	private function getResizedPreview($tmpPath, $maxX, $maxY) {
 		$bp = new \Imagick();
 
-		// Some HEIC files just contain (or at least are identified as) other formats
-		// like JPEG. We just need to check if the image is safe to process.
-		$bp->pingImage($tmpPath . '[0]');
+		// Force Imagick to only accept HEIC or HEIF images
+		$bp->pingImage('heic:' . $tmpPath . '[0]');
 		$mimeType = $bp->getImageMimeType();
-		if (!preg_match('/^image\/(x-)?(png|jpeg|gif|bmp|tiff|webp|hei(f|c)|avif)$/', $mimeType)) {
+		if (!preg_match('/^image\/(x-)?hei(f|c)$/', $mimeType)) {
 			throw new \Exception('File mime type does not match the preview provider: ' . $mimeType);
 		}
 
 		// Layer 0 contains either the bitmap or a flat representation of all vector layers
-		$bp->readImage($tmpPath . '[0]');
+		$bp->readImage('heic:' . $tmpPath . '[0]');
 
 		// Fix orientation from EXIF
 		$bp->autoOrient();

tests/data/testimage-disguised-svg.heic

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   style="overflow: hidden; position: relative;"
+   width="500"
+   height="500">
+    <image x="0" y="0" width="500" height="500" xlink:href="/var/www/html/secret.png" stroke-width="1" id="image3204" />
+</svg>

tests/lib/Preview/HEICDisguisedSVGTest.php

@@ -0,0 +1,51 @@
+<?php
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace Test\Preview;
+
+use OC\Preview\HEIC;
+
+/**
+ * Class HEICDisguisedSVGTest
+ *
+ *
+ * @package Test\Preview
+ */
+#[\PHPUnit\Framework\Attributes\Group('DB')]
+class HEICDisguisedSVGTest extends Provider {
+	protected function setUp(): void {
+		if (!in_array('HEIC', \Imagick::queryFormats('HEI*'))) {
+			$this->markTestSkipped('ImageMagick is not HEIC aware. Skipping tests');
+		} else {
+			parent::setUp();
+
+			$fileName = 'testimage-disguised-svg.heic';
+			$this->imgPath = $this->prepareTestFile($fileName, \OC::$SERVERROOT . '/tests/data/' . $fileName);
+			$this->width = 1680;
+			$this->height = 1050;
+			$this->provider = new HEIC;
+		}
+	}
+
+	/**
+	 * Launches all the tests we have
+	 *
+	 *
+	 * @param int $widthAdjustment
+	 * @param int $heightAdjustment
+	 */
+	#[\PHPUnit\Framework\Attributes\DataProvider('dimensionsDataProvider')]
+	#[\PHPUnit\Framework\Attributes\RequiresPhpExtension('imagick')]
+	public function testGetThumbnail($widthAdjustment, $heightAdjustment): void {
+		try {
+			parent::testGetThumbnail($widthAdjustment, $heightAdjustment);
+			$this->fail('Expected ImagickException was not thrown.');
+		} catch (\ImagickException $e) {
+			$this->assertStringStartsWith('ImageTypeNotSupported', $e->getMessage());
+		}
+	}
+}