New in Postmill: image metadata stripping

Postmill can now rewrite JPEG and PNG images to remove potentially sensitive metadata embedded within, such as GPS coordinates.

Photos you take and images you edit may contain metadata that reveals more about you than you’d like. For instance, image editing software could add the entire path to the image to its metadata, e.g. C:\Users\Linda\Pictures\image.png, revealing your name when you go to upload the image. Cameras may add country codes or even GPS coordinates without your knowledge. Images can even contain miniature versions of themselves that reveal information you thought you had redacted.

To protect against accidentally sharing this kind of information, Postmill now parses uploaded images and strips chunks of data likely to contain it. JPEG images are supported since 97cadbcee7, and PNG images since 5239f5cfea. The exact details of how metadata stripping works, as well as an example of the kinds of metadata that may be removed, can be found on the Postmill wiki at Codeberg.

Because image files are parsed when rewritten to exclude the metadata, this also protects against aCropalypse-esque situations, where a cropped image contains remnants of the original image thought to be removed.

Attributes deemed important for rendering an image properly are not removed. This means that ICC profiles and Exif orientation tags are kept.

Metadata stripping is enabled by default, and does not require any additional programs or PHP extensions to be installed. Operators can disable metadata stripping entirely by setting ENABLE_IMAGE_METADATA_STRIPPING=0.