mat2 issues
https://0xacab.org/jvoisin/mat2/-/issues
2018-11-10T12:54:09Z

Potential harmful printing of binary Exif metadata in terminal
https://0xacab.org/jvoisin/mat2/-/issues/86
2018-11-10T12:54:09Z
Sherry Taylor

## Description
Mat2 prints binary values of Exif metadata fields on the terminal (`mat2 --show`).
Depending on the used terminal emulator, this can mess up the terminal settings or execute code. (Reference: https://security.stackexchange.com/questions/56307/can-cat-ing-a-file-be-a-potential-security-risk).
### Exploit (Code Execution):
Here is an example JPG file with binary data in the comment field:
![Binary_data_in_Exif_Comment](/uploads/2fa4fe3b3e0d1af115856c29ee0141dc/Binary_data_in_Exif_Comment.jpg)
In rxvt-unicode (urxvt) v9.22 showing the metadata of that file with `mat2 --show` results in the following:
```bash
[user:/tmp] % mat2 --show Binary_data_in_Exif_Comment.jpg
[+] Metadata for Binary_data_in_Exif_Comment.jpg:
Comment:
^[G0
[user:/tmp] % 0
bash: command not found: 0
```
In this case, the binary `0` does not exist in the system; however, it would have been executed without any user interaction if it had existed.
## Suggested Fix
Filter or replace all non-printable characters of metadata before printing.
## System information
- MAT2 0.4.0
- perl-image-exiftool 11.11

0.6.0 - Sloth
jvoisin

Implement lightweight cleaning for images
https://0xacab.org/jvoisin/mat2/-/issues/84
2018-11-10T12:38:25Z
jvoisin

Currently, images are re-rendered; it would be nice to implement a lightweight cleaning mode that doesn't alter their quality.

0.6.0 - Sloth

Display metadata from files embedded in office documents
https://0xacab.org/jvoisin/mat2/-/issues/73
2018-11-10T12:38:25Z
jvoisin

Currently, mat2 isn't displaying the metadata from embedded files in office documents. Currently, it's only showing the metadata of the archive, handled in a flat dict.
I think that we might use a nested dict structure to handle this:
```json
{
    "my_file.docx": {
        "author": "jvoisin",
        "my_picture.png": {
            "producer": "the GIMP"
        },
        "creation_date": "yesterday"
    }
}
```
Or a flat dict, with prefixes:
```json
{
    "author": "jvoisin",
    "(my_picture) producer": "the GIMP",
    "creation_date": "yesterday"
}
```
But I'm open to other suggestions :)

0.6.0 - Sloth
jvoisin
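
The fix suggested in issue #86 above (filter or replace all non-printable characters of metadata before printing), as an added Python example that is not mat2's own code. `sanitize_value` and `format_metadata` are hypothetical names, the sample values are constructed, and the nested-dict handling assumes the structure proposed in issue #73.

```python
import unicodedata


def sanitize_value(value) -> str:
    """Return a terminal-safe, single-line rendering of one metadata value."""
    if isinstance(value, bytes):
        # Undecodable bytes become literal \xNN text instead of raw output.
        value = value.decode("utf-8", errors="backslashreplace")
    out = []
    for ch in str(value):
        # Categories starting with "C": controls (ESC, BEL, CR, LF, C1 such as
        # CSI 0x9b), format characters (bidi overrides), surrogates, private
        # use and unassigned code points. None should reach the terminal raw.
        if unicodedata.category(ch).startswith("C"):
            cp = ord(ch)
            if cp <= 0xFF:
                out.append(f"\\x{cp:02x}")
            elif cp <= 0xFFFF:
                out.append(f"\\u{cp:04x}")
            else:
                out.append(f"\\U{cp:08x}")
        else:
            out.append(ch)
    return "".join(out)


def format_metadata(meta: dict, indent: int = 0) -> list:
    """Render a (possibly nested) metadata dict as sanitized output lines."""
    pad = " " * indent
    lines = []
    for key, value in meta.items():
        if isinstance(value, dict):  # metadata of an embedded file
            lines.append(f"{pad}{sanitize_value(key)}:")
            lines.extend(format_metadata(value, indent + 4))
        else:
            lines.append(f"{pad}{sanitize_value(key)}: {sanitize_value(value)}")
    return lines


if __name__ == "__main__":
    # Constructed sample: ESC-prefixed bytes as in the transcript above, plus a BEL.
    sample = {
        "Comment": b"\x1bG0\xff",
        "my_picture.png": {"producer": "the GIMP\x07"},
    }
    print("\n".join(format_metadata(sample)))
```

Keys are sanitized as well as values, since embedded file names and tag names are equally attacker-controlled. Newlines and tabs are escaped too, so one field cannot forge additional output lines.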