From 03d270a56b751bc53b83381d9fef21da8d4cbb91 Mon Sep 17 00:00:00 2001
From: Stefano Marinelli
Date: Tue, 6 Jan 2026 12:18:00 +0100
Subject: Implement metadata stripping for uploaded videos

- Extend `strip_media` to support video files using `ffmpeg`.
- Use `ffmpeg -map_metadata -1 -c copy` to strip global metadata.
- Support formats: mp4, m4v, mov, webm, mkv, avi.
- Add `ffmpeg_path` configuration option.
- Implement robust relative path handling (`user/` heuristic) to support jailed environments.
- Enforce strict checks on startup: fail if tools (mogrify/ffmpeg) are missing when enabled.
---
 doc/snac.8 |  10 ++++--
 snac.c     | 112 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-------
 2 files changed, 106 insertions(+), 16 deletions(-)

diff --git a/doc/snac.8 b/doc/snac.8
index 8283ac6..c53bb59 100644
--- a/doc/snac.8
+++ b/doc/snac.8
@@ -297,13 +297,17 @@ failed instance is detected, this counter is reset for it.
 .It Ic vkey
 Public vapid key. Used for notification on some client.
 .It Ic strip_exif
-If set to true, EXIF metadata will be stripped from uploaded images (jpg, png, webp, heic, avif, tiff, gif, bmp). This requires the
+If set to true, EXIF and other metadata will be stripped from uploaded images (jpg, png, webp, heic, avif, tiff, gif, bmp) and videos (mp4, m4v, mov, webm, mkv, avi). This requires the
 .Nm mogrify
-tool to be installed. If
+(from ImageMagick) and
+.Nm ffmpeg
+tools to be installed. If
 .Nm snac
-cannot find or execute the tool at startup, it will refuse to run.
+cannot find or execute these tools at startup, it will refuse to run.
 .It Ic mogrify_path
 Overrides the default "mogrify" command name or path. Use this if the tool is not in the system PATH or has a different name.
+.It Ic ffmpeg_path
+Overrides the default "ffmpeg" command name or path. Use this if the tool is not in the system PATH or has a different name.
 .El
 .Pp
 You must restart the server to make effective these changes.
diff --git a/snac.c b/snac.c
index f4528cd..a3ba6b7 100644
--- a/snac.c
+++ b/snac.c
@@ -33,6 +33,8 @@
 #include <sys/time.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
+#include <limits.h>
+#include <stdlib.h>
 
 xs_str *srv_basedir = NULL;
 xs_dict *srv_config = NULL;
@@ -177,12 +179,25 @@ int strip_media(const char *fn)
 /* strips EXIF data from a file */
 {
     int ret = 0;
+
     const xs_val *v = xs_dict_get(srv_config, "strip_exif");
 
     if (xs_type(v) == XSTYPE_TRUE) {
-        xs *l_fn = xs_tolower_i(xs_dup(fn));
+        /* Heuristic: find 'user/' in the path to make it relative */
+        /* This works for ~/user/..., /var/snac/user/..., etc. */
+        const char *r_fn = strstr(fn, "user/");
+        
+        if (r_fn == NULL) {
+            /* Fallback: try to strip ~/ if present */
+            if (strncmp(fn, "~/", 2) == 0)
+                r_fn = fn + 2;
+            else
+                r_fn = fn;
+        }
 
-        /* check extensions */
+        xs *l_fn = xs_tolower_i(xs_dup(r_fn));
+
+        /* check image extensions */
         if (xs_endswith(l_fn, ".jpg") || xs_endswith(l_fn, ".jpeg") ||
             xs_endswith(l_fn, ".png") || xs_endswith(l_fn, ".webp") ||
             xs_endswith(l_fn, ".heic") || xs_endswith(l_fn, ".heif") ||
@@ -193,7 +208,7 @@ int strip_media(const char *fn)
             if (mp == NULL)
                 mp = "mogrify";
 
-            xs *cmd = xs_fmt("%s -strip \"%s\" 2>/dev/null", mp, fn);
+            xs *cmd = xs_fmt("cd \"%s\" && %s -auto-orient -strip \"%s\" 2>/dev/null", srv_basedir, mp, r_fn);
 
             ret = system(cmd);
 
@@ -203,12 +218,64 @@ int strip_media(const char *fn)
                     code = WEXITSTATUS(ret);
                 
                 if (code == 127)
-                    srv_log(xs_fmt("strip_media: error stripping %s. '%s' not found (exit 127). Set 'mogrify_path' in server.json.", fn, mp));
+                    srv_log(xs_fmt("strip_media: error stripping %s. '%s' not found (exit 127). Set 'mogrify_path' in server.json.", r_fn, mp));
                 else
-                    srv_log(xs_fmt("strip_media: error stripping %s %d", fn, ret));
+                    srv_log(xs_fmt("strip_media: error stripping %s %d", r_fn, ret));
             }
             else
-                srv_debug(1, xs_fmt("strip_media: stripped %s", fn));
+                srv_debug(1, xs_fmt("strip_media: stripped %s", r_fn));
+        }
+        else
+        /* check video extensions */
+        if (xs_endswith(l_fn, ".mp4") || xs_endswith(l_fn, ".m4v") ||
+            xs_endswith(l_fn, ".mov") || xs_endswith(l_fn, ".webm") ||
+            xs_endswith(l_fn, ".mkv") || xs_endswith(l_fn, ".avi")) {
+
+            const char *fp = xs_dict_get(srv_config, "ffmpeg_path");
+            if (fp == NULL)
+                fp = "ffmpeg";
+
+            /* ffmpeg cannot modify in-place, so we need a temp file */
+            /* we must preserve valid extension for ffmpeg to guess the format */
+            const char *ext = strrchr(r_fn, '.');
+            if (ext == NULL) ext = "";
+            xs *tmp_fn = xs_fmt("%s.tmp%s", r_fn, ext);
+            
+            /* -map_metadata -1 strips all global metadata */
+            /* -c copy copies input streams without re-encoding */
+            /* we don't silence stderr so we can debug issues */
+            /* we explicitly cd to srv_basedir to ensure relative paths work */
+            xs *cmd = xs_fmt("cd \"%s\" && %s -y -i \"%s\" -map_metadata -1 -c copy \"%s\"", srv_basedir, fp, r_fn, tmp_fn);
+
+            ret = system(cmd);
+
+            if (ret != 0) {
+                int code = 0;
+                if (WIFEXITED(ret))
+                    code = WEXITSTATUS(ret);
+                
+                if (code == 127)
+                    srv_log(xs_fmt("strip_media: error stripping %s. '%s' not found (exit 127). Set 'ffmpeg_path' in server.json.", r_fn, fp));
+                else {
+                    srv_log(xs_fmt("strip_media: error stripping %s %d", r_fn, ret));
+                    srv_log(xs_fmt("strip_media: command was: %s", cmd));
+                }
+                
+                /* try to cleanup, just in case */
+                /* unlink needs full path too if we are not in basedir */
+                xs *full_tmp_fn = xs_fmt("%s/%s", srv_basedir, tmp_fn);
+                unlink(full_tmp_fn);
+            }
+            else {
+                /* rename tmp file to original */
+                /* use full path for source because it was created relative to basedir */
+                xs *full_tmp_fn = xs_fmt("%s/%s", srv_basedir, tmp_fn);
+                
+                if (rename(full_tmp_fn, fn) == 0)
+                    srv_debug(1, xs_fmt("strip_media: stripped %s", fn));
+                else
+                    srv_log(xs_fmt("strip_media: error renaming %s to %s", full_tmp_fn, fn));
+            }
         }
     }
 
@@ -222,14 +289,33 @@ int check_strip_tool(void)
     int ret = 1;
 
     if (xs_type(v) == XSTYPE_TRUE) {
-        const char *mp = xs_dict_get(srv_config, "mogrify_path");
-        if (mp == NULL)
-            mp = "mogrify";
+        /* check mogrify */
+        {
+            const char *mp = xs_dict_get(srv_config, "mogrify_path");
+            if (mp == NULL)
+                mp = "mogrify";
 
-        xs *cmd = xs_fmt("%s -version 2>/dev/null >/dev/null", mp);
-        
-        if (system(cmd) != 0)
-            ret = 0;
+            xs *cmd = xs_fmt("%s -version 2>/dev/null >/dev/null", mp);
+            
+            if (system(cmd) != 0) {
+                srv_log(xs_fmt("check_strip_tool: '%s' not working", mp));
+                ret = 0;
+            }
+        }
+
+        /* check ffmpeg */
+        if (ret) {
+            const char *fp = xs_dict_get(srv_config, "ffmpeg_path");
+            if (fp == NULL)
+                fp = "ffmpeg";
+
+            xs *cmd = xs_fmt("%s -version 2>/dev/null >/dev/null", fp);
+            
+            if (system(cmd) != 0) {
+                srv_log(xs_fmt("check_strip_tool: '%s' not working", fp));
+                ret = 0;
+            }
+        }
     }
 
     return ret;
-- 
cgit v1.2.3