From cddf3589f76f02f0d502b7bf9a9277bb83546d01 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Wed, 7 Mar 2018 23:50:03 +0100
Subject: [PATCH] gitlab-ci: make sure EXIF is stripped from all included images

EXIF state can be used as an exploit vector and for malicioius code delivery. Neither fdroidclient nor fdroid-website use the EXIF data, so just strip it entirely. 'exiftool' is available in most distros.
---
 .gitlab-ci.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index d29c59d41c..0f53fc1889 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -31,4 +31,10 @@ lint:
 fdroid rewritemeta $CHANGED;
 git --no-pager diff --color=always;
 }
+ - apt-get -qy update
+ - apt-get -qy install --no-install-recommends exiftool
+ - exiftool -all= `find metadata/ -name '*.jp*g' -o -name '*.png'`
+ - echo "these images have EXIF that must be stripped:"
+ - git --no-pager diff --stat
+ - git --no-pager diff --name-only --exit-code || export EXITVALUE=1
 - exit $EXITVALUE
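Review bot: The backtick-substituted `find` output on the new `exiftool -all=` line is unquoted, so any image path containing whitespace is split into bogus arguments, and the `-name … -o -name …` expression cannot take an `-exec` without grouping because `-o` binds looser than the implied `-a`; run exiftool from find instead, `- find metadata/ \( -iname '*.jp*g' -o -iname '*.png' \) -exec exiftool -all= -overwrite_original {} +`, which also behaves sanely when nothing matches and catches the upper-case `.JPG`/`.PNG` extensions the current `-name` globs skip. Without `-overwrite_original` exiftool leaves a `<file>_original` copy beside each rewritten image; `git diff` ignores these untracked copies so the `--exit-code` check still fires, but they clutter the job workspace and would be swept into any later artifact step. The commit message frames EXIF as an exploit vector, yet `-all=` removes only metadata and does nothing about malformed pixel data or chunk/segment structure aimed at image decoders, so a comment above the new steps such as `# lint only: strips image metadata, does not validate image structure` would keep the next maintainer from over-trusting this gate; `-all=` also drops ICC/XMP colour profiles, which, if any bundled image relies on one, can presumably be kept with `--icc_profile:all` (confirm against the exiftool version the CI image installs). The enclosing `lint:` job's script starts before this hunk.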