{{Header}}
{{title|title=
Thumbnails
}}
{{#seo:
|description=Thumbnails in {{project_name_short}}.
}}
{{intro|
Thumbnails are small preview images shown for files (for example, photos, PDFs, or videos) in the file manager. In {{project_name_short}}, thumbnails are disabled by default in its default [[Software#File_Manager|file manager]] to reduce the risk from malicious files.
}}
= Introduction =
A [https://en.wikipedia.org/wiki/Thumbnail thumbnail] is a small preview image of a file (such as a picture, video, or document). Thumbnails make it easier to recognize and organize the files in a folder.
= Security Implication =
To show thumbnails, the system must open and ''decode'' (parse) each file to create a preview. If a file is malicious or specially crafted, it can sometimes exploit bugs in the thumbnailing software or related libraries. In the worst case, this can lead to the attacker running code on your system (remote code execution), for example by chaining multiple steps such as: exploit decoder → gain user privileges → exploit local privilege escalation/sandbox escape.
Examples:
* [https://imagetragick.com/ ImageTragick]
* [https://talosintelligence.com/vulnerability_reports/TALOS-2017-0321 Poppler PDF library]
* [https://csorianognome.wordpress.com/2017/07/20/clarification-on-a-security-flaw-on-a-thumbnailer/ gnome-exe-thumbnailer/Bad Taste]
== Mitigation ==
To mitigate these types of attack, the thumbnail feature is disabled by default in {{project_name_short}} in its default [[Software#File_Manager|file manager]].
Thumbnails are not the only feature that processes files automatically. [[File_indexing|File indexing]] services (used for search), such as [https://tracker.gnome.org/overview/ Tracker-Miner], can also parse files in the background and may be vulnerable in similar ways. For reference, see [[Dev/GNOME#1-Click_RCE_on_GNOME_(CVE-2023-43641)_in_file_indexing_service|1-Click RCE on GNOME (CVE-2023-43641) in file indexing service]]. At the time of writing there is no file indexing service by default in {{project_name_short}}.
See also [[Computer_Security_Introduction#Untrusted_Input_and_Attack_Surface|Untrusted Input and Attack Surface]].
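The page's mitigation is to turn the feature off. As an added illustration of why a decoder is attack surface, and of the weaker defence-in-depth pattern that thumbnailers commonly rely on, the following example (not code from {{project_name_short}} or from any file manager) runs a "decoder" in a throwaway child process with CPU and memory limits and a wall-clock timeout. The decoder scripts and the 2×2 PPM input are constructed for the example; the hostile decoders stand in for a parser that hangs or allocates without bound on crafted input.

```python
import resource
import subprocess
import sys

# Limits for the child that parses the untrusted file (constructed values).
MAX_CPU_SECONDS = 2
MAX_ADDRESS_SPACE = 512 * 1024 * 1024   # bytes
MAX_THUMBNAIL_BYTES = 1024 * 1024       # reject absurdly large "thumbnails"
WALL_TIMEOUT = 5                        # seconds

# Constructed benign decoder: reads a binary PPM (P6) from stdin and
# writes a 1x1 PPM holding the average colour as the "thumbnail".
BENIGN_DECODER = r"""
import sys
data = sys.stdin.buffer.read()
header, _, body = data.partition(b"\n255\n")
magic, dims = header.split(b"\n")
w, h = (int(x) for x in dims.split())
n = w * h
px = body[: n * 3]
avg = bytes(sum(px[i::3]) // n for i in range(3))
sys.stdout.buffer.write(b"P6\n1 1\n255\n" + avg)
"""

# Constructed hostile decoders: one never terminates, one allocates 4 GiB.
HANGING_DECODER = "while True:\n    pass\n"
MEMORY_BOMB_DECODER = "b = bytearray(4 * 1024 ** 3)\n"


def _restrict_child():
    """Applied in the child before the decoder runs (resource exhaustion only)."""
    resource.setrlimit(resource.RLIMIT_CPU, (MAX_CPU_SECONDS, MAX_CPU_SECONDS))
    resource.setrlimit(resource.RLIMIT_AS, (MAX_ADDRESS_SPACE, MAX_ADDRESS_SPACE))
    resource.setrlimit(resource.RLIMIT_CORE, (0, 0))   # no core dumps of file contents


def thumbnail_isolated(decoder_script, file_bytes):
    """Run decoder_script on file_bytes in a limited child.

    Returns the thumbnail bytes, or None if the decoder crashed, hung,
    exceeded its limits, or produced an oversized result.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", decoder_script],
            input=file_bytes,
            capture_output=True,
            timeout=WALL_TIMEOUT,
            preexec_fn=_restrict_child,
        )
    except subprocess.TimeoutExpired:
        return None          # decoder hung; child has been killed
    if proc.returncode != 0:
        return None          # crashed, MemoryError, or killed by SIGXCPU
    if len(proc.stdout) > MAX_THUMBNAIL_BYTES:
        return None
    return proc.stdout


# Constructed 2x2 image: red, green, blue, white.
SAMPLE_PPM = b"P6\n2 2\n255\n" + bytes(
    [255, 0, 0, 0, 255, 0, 0, 0, 255, 255, 255, 255]
)

if __name__ == "__main__":
    print(thumbnail_isolated(BENIGN_DECODER, SAMPLE_PPM))
    print(thumbnail_isolated(HANGING_DECODER, SAMPLE_PPM))
    print(thumbnail_isolated(MEMORY_BOMB_DECODER, SAMPLE_PPM))
```

The limits bound only resource exhaustion (a hang or an allocation bomb); a decoder that is actually exploited still runs with the full privileges of the user, which is the point of the chain described above and the reason the feature is disabled rather than merely contained here.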
== Catfish ==
[https://packages.debian.org/{{Stable project version based on Debian codename}}/catfish catfish] (file searching tool) is installed by default in {{project_name_short}}.
Catfish does not appear to have a dedicated setting for disabling thumbnails; whether they are generated depends only on the view mode chosen in the hamburger menu. The "large" view is the thumbnail view, and according to the code, selecting the "large" view enables thumbnails immediately and keeps them enabled by default for subsequent starts of Catfish, until you set it back to "compact list" view.
"Compact list" view appears to be the default view, and thumbnail generation seems to be disabled in this view, so explicitly disabling thumbnails may not be necessary.
Forum discussion: [https://forums.whonix.org/t/install-catfish-file-searching-tool-xfce-de-by-default/19837 Install Catfish file searching tool (Xfce DE) by default]
= Enable Thumbnails Again =
If you want to enable thumbnails again, follow these steps:
* Click on File Manager → Edit → Preferences
[[File:Thumbnail1.png|500px]]
* Click on Thumbnail → Tick Show thumbnails of files
[[File:Thumbnail2.png|800px]]
Forum discussion: [https://forums.whonix.org/t/thumbnails-not-working-in-new-whonix-lxqt/22834 Thumbnails not working in new whonix lxqt]
= Footnotes =
[[Category:Documentation]]
{{Footer}}