I could use some extra eyes on some Masto code that is striking me as a security concern.
Look at https://www.dropbox.com/s/i0h8yg4z2oril0u/wtf.txt?dl=0, which is a log snippet.
From what I can see, every time masto gets a file, including profile images and headers from federated instances, it shells out to imagemagick to resize and convert it.
Part of that is here https://github.com/tootsuite/mastodon/blob/master/lib/paperclip/gif_transcoder.rb
Given https://imagetragick.com this seems ... bad
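The two mitigations the ImageTragick advisory page recommends are a policy.xml that disables the coders the bugs go through, and checking the file's magic bytes before ImageMagick is allowed to guess the format itself. The Ruby below is an added example written for this thread, not Mastodon's code and not part of the original post: it content-sniffs the bytes against a short allowlist, refuses anything else (an MVG or MSL script renamed to .png never reaches a coder), and builds the `convert` argv with an explicit coder prefix and no shell. The sample inputs, the `/tmp` paths and the `400x400>` geometry are constructed assumptions.

```ruby
# Added example, not Mastodon's own code. Content-sniff an incoming file and
# pin the ImageMagick coder before resizing, as a defence against ImageTragick.

# Leading bytes of the only formats we are willing to hand to ImageMagick.
# A text-based format such as MVG, MSL or SVG never matches and is rejected.
MAGIC = {
  'png'  => ["\x89PNG\r\n\x1a\n".b],
  'jpeg' => ["\xFF\xD8\xFF".b],
  'gif'  => ['GIF87a'.b, 'GIF89a'.b],
}.freeze

# Assumed resize geometry; Mastodon's real limits live in its Paperclip config.
RESIZE = '400x400>'.freeze

# Returns the ImageMagick coder name ('png', 'jpeg', 'gif') whose signature the
# data starts with, or nil when the bytes are not one of the allowed formats.
def sniff_image(bytes)
  head = bytes.b[0, 8]
  MAGIC.each do |coder, sigs|
    return coder if sigs.any? { |sig| head.start_with?(sig) }
  end
  nil
end

# Builds the argv for `convert` as an array (never a shell string), with the
# sniffed coder forced on both input and output so ImageMagick does not pick a
# coder from the contents or from the filename. Raises on disallowed content.
def convert_argv(in_path, bytes, out_path)
  coder = sniff_image(bytes)
  raise ArgumentError, 'not an allowed image format' if coder.nil?
  ['convert', "#{coder}:#{in_path}", '-resize', RESIZE, "#{coder}:#{out_path}"]
end

# The policy.xml published at https://imagetragick.com. Its location varies by
# distribution (for example /etc/ImageMagick-6/policy.xml); install it on every
# host that runs convert on federated media.
IMAGETRAGICK_POLICY = <<~XML.freeze
  <policymap>
    <policy domain="coder" rights="none" pattern="EPHEMERAL" />
    <policy domain="coder" rights="none" pattern="URL" />
    <policy domain="coder" rights="none" pattern="HTTPS" />
    <policy domain="coder" rights="none" pattern="MVG" />
    <policy domain="coder" rights="none" pattern="MSL" />
    <policy domain="coder" rights="none" pattern="TEXT" />
    <policy domain="coder" rights="none" pattern="SHOW" />
    <policy domain="coder" rights="none" pattern="WIN" />
    <policy domain="coder" rights="none" pattern="PLT" />
  </policymap>
XML

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a PNG signature with padding, and an MVG script that a
  # remote instance could serve under any file name it likes.
  png = "\x89PNG\r\n\x1a\n".b + ("\x00" * 16)
  mvg = "push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"
  p convert_argv('/tmp/in.png', png, '/tmp/out.png')
  begin
    convert_argv('/tmp/in.png', mvg, '/tmp/out.png')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The argv would be passed to `Process.spawn`/`IO.popen` as an array so nothing in a remote-supplied path is ever interpreted by a shell, and the coder prefix also stops ImageMagick from honouring tricks embedded in the file name. Neither check replaces the policy.xml; they limit what reaches the coders, and the policy limits what the coders may do.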