Gorf
October 14, 2022, 7:46am
1
I do get the following warning:
Das PHP-Modul „imagick“ ist nicht aktiviert, die Theming-App hingegen schon. Damit die Favicon-Generierung korrekt funktioniert, müssen Sie dieses Modul installieren und aktivieren.
Now I did find this here:
Disabling theming did the trick.
Thank you.
which I read as recommending fixing it by running
sudo apt-get install imagemagick php-imagick
As a beginner I am somewhat scared to do this, for fear it might damage something in my installation.
Do you think it is safe to install imagick the way described above?
You can install it if you really want to, however, the reason it isn't included by default is due to security concerns
opened 08:09PM - 16 Dec 18 UTC
closed 05:27PM - 19 Mar 22 UTC
enhancement
2. developing
security
technical debt
A few days ago it was [brought to my attention](https://github.com/nextcloud/… vm/issues/743) that using Imagick could have very negative effects on security. The Nextcloud snap decided not to use it due to that fact, and I've now mitigated the same threat(s) as well by not using it in the Nextcloud VM.
[Here](https://github.com/nextcloud/nextcloud-snap/pull/629) is the discussion regarding the decision in the Nextcloud snap, and I think it totally makes sense not to use it in the Nextcloud Server as well.
The situation now though is that it's recommended and the setup checks will inform the user that the package is missing. As Nextcloud is advertising it's secure, then why use a package that is prone to a lot of CVEs in the past?
**Regarding alternatives** I think [this post](https://github.com/nextcloud/nextcloud-snap/pull/629#issuecomment-419894034) sums it up quite well.
Please consider removing the recommendation in future versions, and please also consider replacing the use of Imagick with something better and more secure.
It has a vulnerability that allows for remote code execution if you process user submitted images
Gorf
October 23, 2022, 8:10am
3
Thanks for the info. Then for now I will not install it even though my user group is so small and reliable that this will not be an issue.