[Bug]: Some SVG files uploaded as logo make the server so slow it's unusable. #41380
Description
⚠️ This issue respects the following points: ⚠️
- This is a bug, not a question or a configuration/webserver/proxy issue.
- This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
- Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
- I agree to follow Nextcloud's Code of Conduct.
Bug description
TLDR : Some svg files uploaded in theme page make nextcloud spawn deadloop threads. There must be a check on image file upload confirming that it could be processed properly.
Symptoms : many php8.1-fpm thread that runs 100% cpu for very long time. All the server become sluggish for while, users complain.
After many hours of investigation, different tries over many days. Install of different PHP version, settings, file by file comparaison of two servers (one with the bug, the other is ok), activating apps one by one, and many other things. I found the error.
Each page load in admin console spawns a new buggy thread.
The thread top one core at 100% until php fpm max execution time.
This was the url that spawns the buggy thread : index.php/apps/theming/icon/settings?v=34
The thread has a handle on a tmp file :
#lsof -p #PID# | grep tmp
/tmp/magick-15561EyX140DZCYQ2
There were zilion of those files, all the same content. It's an svg file.
It was the logo in theming page.
The file is 
Also, this error was preventing the test mail from being sent...
It appears on PHP8.1 PHP8.2, debian, apache...
Steps to reproduce
- upload the file as a theme logo
- refresh admin console
- watch the php-fpm thread go to 100% CPU for one hour :)
- refresh again to spawn other buggy threads and watch your server crawl
Expected behavior
Rejecting files that could not be properly processed.
Even if this bug is in imagemagick nextcloud must be sure to work fine anyways.
Installation method
Community Web installer on a VPS or web space
Nextcloud Server version
26
Operating system
Debian/Ubuntu
PHP engine version
PHP 8.2
Web server
Apache (supported)
Database engine version
MariaDB
Is this bug present after an update or on a fresh install?
Fresh Nextcloud Server install
Are you using the Nextcloud Server Encryption module?
None
What user-backends are you using?
- Default user-backend (database)
- LDAP/ Active Directory
- SSO - SAML
- Other
Configuration report
not relevantList of activated Apps
not relevantNextcloud Signing status
not relevantNextcloud Logs
not relevantAdditional info
I love you all :)