Just wanted to give everyone a heads up. As you may have heard there is a nasty CVE related to the ImageMagick library that allows for remote code execution. Moved. CLICK HERE - Ryan Huber - Medium
Discourse uses this library, protecting yourself is pretty simple. We are using v1.5.1 stable (so the file locations may be different depending on your version).
SSH into your discourse server and go to where your discourse installation is
./launcher enter app
Edit the policy.xml file vim /usr/local/etc/ImageMagick-6/policy.xml
You should now be protected. It usually takes a bit of time to get patches done upstream so this is the best thing that you can do to protected your self hosted discourse site.
AFAIK this container is blown away and recreated each time you upgrade, so be sure to do this each time you upgrade until there is an upstream patch.
Yes, thanks! I saw this a bit earlier and already brought it to the attention of @zogstrip
The more useful check is to verify that images are images by checking initial bytes, and I believe we already do this?
Verify that all image files begin with the expected “magic bytes” corresponding to the image file types you support before sending them to ImageMagick for processing. (see FAQ for more info)