From d524138546e2c894f2afb90994e456ac9e4d4d85 Mon Sep 17 00:00:00 2001 From: t3tra-dev Date: Sat, 16 Aug 2025 16:36:56 +0900 Subject: [PATCH 1/2] feat: add version verification for ExifTool to ensure security compliance --- .../src/markitdown/converters/_exiftool.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/packages/markitdown/src/markitdown/converters/_exiftool.py b/packages/markitdown/src/markitdown/converters/_exiftool.py index 1af155f28..6b3c1a8d2 100644 --- a/packages/markitdown/src/markitdown/converters/_exiftool.py +++ b/packages/markitdown/src/markitdown/converters/_exiftool.py @@ -13,6 +13,23 @@ def exiftool_metadata( if not exiftool_path: return {} + # Verify exiftool version + try: + version_output = subprocess.run( + [exiftool_path, "-ver"], + capture_output=True, + text=True, + check=True, + ).stdout.strip() + version = float(version_output) + if version < 12.24: + raise RuntimeError( + f"ExifTool version {version} is vulnerable to CVE-2021-22204. " + "Please upgrade to version 12.24 or later." + ) + except (subprocess.CalledProcessError, ValueError) as e: + raise RuntimeError("Failed to verify ExifTool version.") from e + # Run exiftool cur_pos = file_stream.tell() try: From 8ed3c34745c5bcca0ccde69471e8b10b7d2f1fcd Mon Sep 17 00:00:00 2001 From: t3tra-dev Date: Sat, 16 Aug 2025 17:01:44 +0900 Subject: [PATCH 2/2] fix: improve ExifTool version verification --- .../src/markitdown/converters/_exiftool.py | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/packages/markitdown/src/markitdown/converters/_exiftool.py b/packages/markitdown/src/markitdown/converters/_exiftool.py index 6b3c1a8d2..f605024fd 100644 --- a/packages/markitdown/src/markitdown/converters/_exiftool.py +++ b/packages/markitdown/src/markitdown/converters/_exiftool.py @@ -1,7 +1,11 @@ import json -import subprocess import locale -from typing import BinaryIO, Any, Union +import subprocess +from typing import Any, BinaryIO, Union + + +def _parse_version(version: str) -> tuple: + return tuple(map(int, (version.split(".")))) def exiftool_metadata( @@ -21,10 +25,11 @@ def exiftool_metadata( text=True, check=True, ).stdout.strip() - version = float(version_output) - if version < 12.24: + version = _parse_version(version_output) + min_version = (12, 24) + if version < min_version: raise RuntimeError( - f"ExifTool version {version} is vulnerable to CVE-2021-22204. " + f"ExifTool version {version_output} is vulnerable to CVE-2021-22204. " "Please upgrade to version 12.24 or later." ) except (subprocess.CalledProcessError, ValueError) as e: