ImageTragick - how to mitigate ImageMagick as a library?


Post by haluptzok » 2016-05-25T09:00:00-07:00

How can I get policy.xml to load when using ImageMagick directly as a library?

Is there a code sample of bulletproof usage of the ImageMagick library?

I'm doing this - is it safe? Can I do better? I want to handle all images that aren't RCE vulnerable? Like get policy.xml to load?


if ((imageData.size() < 8) || // enough characters to see signature?
  (strncmp(imageData.c_str(), "GIF87a", 6) && // GIF ?
   strncmp(imageData.c_str(), "GIF89a", 6) && // GIF ?
   strncmp(imageData.c_str(),
   "\x89\x50\x4E\x47\x0D\x0A\x1A\x0A", 8) && // PNG ?
   strncmp(imageData.c_str(), "\xFF\xD8", 2)))  // JPG ?
{
  LOG(INFO) << "imageMagickDecode failed - unsafe image type";
  return false;
}

int fileSize = imageData.size();
Blob blob((const char *)imageData.c_str(), fileSize);
Image image;
image.read(blob);
Pixels pixels(image);
// Do stuff.


Re: ImageTragick - how to mitigate ImageMagick as a library?

Post by snibgo » 2016-05-25T14:34:17-07:00

haluptzok wrote: How can I get policy.xml to load when using ImageMagick directly as a library?
It happens by magick. Well, I suppose it happens during MagickCoreGenesis() or similar.

You should try it for yourself. Edit policy.xml to prohibit some action, like reading *.tiff, then see if your programs can perform that action.
snibgo's IM pages: im.snibgo.com
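
The test snibgo describes, written out as an added example that is not part of the original thread: a policy.xml that carries the coder denials published as the ImageTragick mitigation plus one temporary TIFF denial for the experiment. The file's location depends on how ImageMagick was built and installed, so it is not given here; the TIFF line is the only part taken from the suggestion above.

```xml
<policymap>
  <!-- Coder denials published as the ImageTragick mitigation. -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />

  <!-- Temporary canary for the experiment: deny TIFF entirely.
       If a program linked against the library can still read a .tiff
       after this edit, the library is not loading this policy.xml.
       Remove this line once the test is done. -->
  <policy domain="coder" rights="none" pattern="TIFF" />
</policymap>
```

With this file in place, the `image.read(blob)` call in the question should throw for a TIFF input; a successful read means the library is picking up a different policy.xml or none at all.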
