
Exif metadata not consistently stripped

Hi

When uploading an image in the comment of an issue or MR, all Exif data seems to be nicely stripped to avoid any information about the author leaking.

But when I use macOS' clipboard function to copy my screen, and then paste it in a comment, this Exif data seems not to be removed, and it leaks that I am using an Apple device.

Not the biggest issue, but maybe something to consider to stay consistent in providing the best privacy possible for users of this Git instance - especially with people in mind who might be asking for support while being in a sensitive situation.

I have not tested this for Windows' snippet tool or Linux alternatives.

Worst case scenario: Person asks for support on how to use Tor to remain anonymous in this Git instance -> Uses clipboard tool to copy/paste picture of e.g. an error -> Adversary uses information leaking through Exif data to gain knowledge about what system that person is using -> Adversary uses that info to contact the user with an answer/support leading to a payload/exploit explicitly for that system.

Steps to reproduce:

  1. Use Apple's Screenshot Tool to capture an image and buffer it in the clipboard.
  2. Cmd + v it as a comment in this issue.
  3. Use exifmeta.com to view used device (or download it and use exiftool).

Example:

afbeelding.png

Exifmeta.com shows "Apple Computer Inc."

Edited by Niel Duysters
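
A server-side check for the inconsistency reported above, as an added example that is not part of the original issue or of the project's code: it walks a PNG's chunks, reports the ancillary chunks that can carry device or author details, and rewrites the file without them. The function names, the chunk denylist and the sample image are assumptions constructed for this example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Ancillary chunk types that can hold device/author details (denylist assumed for this example).
# Dropping iCCP also removes the colour profile, which can change how the image renders.
METADATA_CHUNKS = {b"eXIf", b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"tIME"}


def chunk(ctype, body):
    """Serialize one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def iter_chunks(png):
    """Yield (type, raw_chunk_bytes), validating signature, bounds and CRC."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos < len(png):
        if pos + 12 > len(png):
            raise ValueError("truncated chunk header")
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype, end = png[pos + 4:pos + 8], pos + 12 + length
        if end > len(png):
            raise ValueError("chunk length runs past end of file")
        (crc,) = struct.unpack(">I", png[end - 4:end])
        if crc != zlib.crc32(png[pos + 4:end - 4]) & 0xFFFFFFFF:
            raise ValueError("bad CRC in chunk %r" % ctype)
        yield ctype, png[pos:end]
        pos = end
        if ctype == b"IEND":  # ignore anything appended after the image
            break


def metadata_chunks(png):
    """Names of metadata-bearing chunks still present in the file."""
    return [t.decode("ascii") for t, _ in iter_chunks(png) if t in METADATA_CHUNKS]


def strip_metadata(png):
    """Return the PNG with denylisted chunks (and any trailing bytes) removed."""
    return PNG_SIG + b"".join(raw for t, raw in iter_chunks(png) if t not in METADATA_CHUNKS)


# Constructed 1x1 greyscale PNG with placeholder metadata (not a real screenshot).
SAMPLE = PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) \
    + chunk(b"eXIf", b"constructed-exif-placeholder") \
    + chunk(b"tEXt", b"Software\x00constructed-tool") \
    + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b"")
```

Running `metadata_chunks()` on every stored upload, whatever path it arrived by (file picker, drag and drop, clipboard paste), is a quick way to confirm that all paths go through the same stripping step.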