ExifTool Forum

ExifTool => Developers => Topic started by: tim-kos on May 04, 2016, 05:19:49 AM

Title: Are images identified based on magic bytes? (wrt the new ImageMagick exploit)
Post by: tim-kos on May 04, 2016, 05:19:49 AM
Hey Phil, hey gents,

You have probably heard of the new ImageMagick exploit: https://imagetragick.com/

In our app we run all file paths through exiftool to have their mime type identified. If the mime type is a valid image mime type, only then do we pass it to ImageMagick.

My question is: How does exiftool identify the mime type for an image file? Does it use the magic bytes test (one of the two advertised workarounds to the exploit)? If so, then we would have implemented one of the two workarounds already simply by using exiftool. Or does exiftool look primarily at the file extension to derive the mime type from it?

If the magic bytes test is used, would exiftool return application/octetstream for images that contain malicious code and/or that do not pass the magic bytes test?

Thank you in advance!
Title: Re: Are images identified based on magic bytes? (wrt the new ImageMagick exploit)
Post by: Phil Harvey on May 04, 2016, 07:23:10 AM
ExifTool parses the start of the file to determine the file type. For most types this is just a magic number test as you mentioned, but for some types without a magic number some processing is required. ExifTool uses the extension only as a clue to the particular variety of file when there are multiple file types with the same format (e.g. ASF/WMV/WMA/DIVX or DOC/PPT/XLA).

If the file is not recognized, then no MIMEType is returned and ExifTool gives an "Unknown file type" error.

- Phil
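
The gate discussed in this thread (type decided from the start of the file, nothing returned for unrecognised content, only allowlisted image types handed on to the converter), sketched as an added example that is not part of the thread and is not ExifTool's code. The signature table, the allowlist, the function names and the sample files are assumptions of this example; ExifTool's own detection covers far more formats.

```python
import tempfile
from pathlib import Path

# Well-known leading signatures; the allowlist is this example's assumption.
SIGNATURES = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
]
ALLOWED = {"image/jpeg", "image/png", "image/gif"}


def sniff_mime(path):
    """MIME type from the file's first bytes, or None; the name is never used."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, mime in SIGNATURES:
        if head.startswith(magic):
            return mime
    if head[:4] == b"RIFF" and head[8:12] == b"WEBP":  # recognised, not allowlisted
        return "image/webp"
    return None


def safe_to_convert(path):
    """Fail closed: only content-detected, allowlisted types reach the converter."""
    return sniff_mime(path) in ALLOWED


def demo():
    """Run the gate over constructed sample files: {name: (mime, allowed)}."""
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
        "renamed.jpg": b"this is text, not JPEG data\n",
        "noext": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
        "empty.gif": b"",
        "anim.webp": b"RIFF\x00\x00\x00\x00WEBPVP8 ",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            path = Path(tmp, name)
            path.write_bytes(data)
            results[name] = (sniff_mime(path), safe_to_convert(path))
    return results


if __name__ == "__main__":
    print(demo())
```

The `anim.webp` case shows why detection and the allowlist are separate checks: a file can be a correctly identified type and still not be one the application intends to convert.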
Title: Re: Are images identified based on magic bytes? (wrt the new ImageMagick exploit)
Post by: tim-kos on May 04, 2016, 07:55:58 AM
Thank you for the speedy reply. Mucho appreciated. :)