EXIF Geolocation Data Not Stripped From Uploaded Images

[Ram-shu]

Bug Description?

When a user uploads an Logo in "https://demo.opensourcepos.org/", the uploaded image’s EXIF Geolocation Data does not gets stripped. As a result, anyone can get sensitive information of "OSPOS" users like their Geolocation, their Device information like Device Name, Version, Software & Software version used etc.

Steps to Reproduce?

1. Go to [GitHub](https://github.com/ianare/exif-samples/tree/master/jpg).
   

2. There are a lot of images with various resolutions (e.g., 1280 x 720) and different file sizes.
   

3. Log in to the application and upload a photo as the Company Logo.
   

4. Find the path of the uploaded image (either by right-clicking on the image and selecting "Copy image address" or by right-clicking, inspecting the image, and finding the URL in the inspect element tool).
   

5. Open [Jimpl](https://jimpl.com/).
   

6.  Check if the EXIF data is still displayed.
   

Expected Behavior?

All the Exif Metadata should be stripped while uploading image into the server

OpensourcePOS Version

opensourcepos 3.3.9

Php version

Php 7.2

What browsers are you seeing the problem on?

Firefox, Chrome, Safari, Microsoft Edge, Other

Server Operating System and version

OS: Windows 10

Database Management System and version

Tested on the demo Website

Web Server and version

Tested on the demo Website

System Information Report (optional)

System Information Report

Unmodified copy of OpensourcePOS

• I agree this copy has not been modified

[Ram-shu]

[SteveIreland]

I'm betting that image manipulation is outside of the scope of OSPOS. Is there a reason that you wouldn't want this to be accomplished using more effective tools that are designed explicitly for this purpose?