CVE-2016-3718 SSRF

Post by eriksson » 2016-05-09T07:51:15-07:00

Are there any workarounds available for preventing ImageMagick from fetching http/https resources embedded into svg images?

Code:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="640px" height="480px" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink= "http://www.w3.org/1999/xlink">
<image xlink:href="https://example.com/image.jpg" x="0" y="0" height="640px" width="480px"/>
</svg>

Changing the policy.xml does not seem to prevent this behaviour.

magick
Site Admin

Post by magick » 2016-05-09T11:35:33-07:00

ImageMagick has an internal SVG renderer which is blocked per https://www.imagemagick.org/discourse-s ... =4&t=29588. Specifically the MVG coder. It also has other renderers depending on your environment. It might utilize RSVG or Inkscape. These delegate libraries or programs likely are fetching your https URIs. You may need to contact the developers for these projects for additional help. You can of course configure policy.xml to deny the right to use SVG.
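
A pre-render check for the case discussed in this thread, as an added example that is not part of the original posts and is not ImageMagick code: it lists the references in an SVG that point outside the document, so the file can be rejected before ImageMagick or a delegate such as RSVG processes it. The names `external_refs` and `is_local` and the `LOCAL_SVG` sample are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# SVG from the post above, then a constructed SVG with only local references.
POSTED_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="640px" height="480px" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink= "http://www.w3.org/1999/xlink">
<image xlink:href="https://example.com/image.jpg" x="0" y="0" height="640px" width="480px"/>
</svg>"""
LOCAL_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<defs><linearGradient id="g"/></defs>
<rect width="10" height="10" fill="url(#g)"/>
<use xlink:href="#g"/>
</svg>"""

# CSS url(...) and @import "..." references in attribute values or <style> text.
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.IGNORECASE)
CSS_IMPORT = re.compile(r"@import\s+['\"]([^'\"]+)", re.IGNORECASE)


def is_local(ref):
    """True for same-document fragments (#id) and inline data: URIs."""
    ref = ref.strip()
    return ref.startswith("#") or ref.lower().startswith("data:")


def external_refs(svg_bytes):
    """Return href/src/CSS references that point outside the document.

    The DOCTYPE system identifier is not inspected.
    """
    # Entity declarations can hide references from the checks below, so
    # report them as a finding instead of trying to expand them.
    if b"<!ENTITY" in svg_bytes:
        return ["<!ENTITY declaration>"]
    found = []
    root = ET.fromstring(svg_bytes)  # raises ParseError on malformed XML
    for elem in root.iter():
        for name, value in elem.attrib.items():
            local = name.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix
            refs = [value] if local in ("href", "src") else CSS_URL.findall(value)
            found += [r for r in refs if not is_local(r)]
        if elem.tag.rsplit("}", 1)[-1] == "style" and elem.text:
            refs = CSS_URL.findall(elem.text) + CSS_IMPORT.findall(elem.text)
            found += [r for r in refs if not is_local(r)]
    return found
```

A non-empty result is a reason to reject the file before conversion; this check works alongside denying SVG in policy.xml and does not replace it.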

Post by eriksson » 2016-05-09T11:54:40-07:00

Thanks, I am running ImageMagick in a Windows environment so I guess it is using rsvg by default.

I'll investigate this further.
