bad error trapping could cause unexpected shell commands

[imaggie]

Hi,

through struggling with IM syntax I make frequent errors. Several of these has pointed out what looks like it could be an exploit.

Code: Select all

convert -size $((5*$wid))x$((5*$ht)) xc: -tile (-extract  50%x25%+25%+5% tile.png)\
 -draw "rectangle 0,0 $((5*$wid)),$((5*$ht))" \
 output-tile.png

It seems the parser is giving up and exiting before having even finished reading the input.

The net result is that the rest of the command line , that was intended for IM get read AND EXECUTED by the shell.

Code: Select all

 $  -draw "rectangle 0,0 $((5*$wid)),$((5*$ht))" \
>  output-tile.png
bash: -draw: command not found

Thus an incorrectly formatted IM command could cause the execution of arbitrary (of malicious) shell commands.

I would suggest the correct behaviour would be to read to the end of input before attempting to parse the command.

regards.

[fmw42]

I don't know if this is related to your problem, but geometry offsets (in your -extract) will not be interpreted as %, but as raw coordinates even if you specify the percent sign. This is not the case for width or height, only +X+Y. See http://www.imagemagick.org/script/comma ... p#geometry

Also you must have spaces between parens and your commands

(-extract 50%x25%+25%+5% tile.png)

should be

( -extract 50%x25%+25%+5% tile.png )

and if on unix, the parens need escapes as

\( -extract 50%x25%+25%+5% tile.png \)

[imaggie]

thanks very much for you help. The biggest problem I find with IM is that just about every command is an exception

The amount of possibilities of what one can do with IM is amazing, but so it the amount of work and reading required to get there.

I'm sure this is the result of years of bolt-on modifications. Evolution by change without any overall structure or design.

At some stage I think it will be necessary either redesign the command structure or add some translation layer with a properly structured and consistent syntax. I digress.

The point of this post was not my clumsy errors but the fact that any such error can produce the execution of basically arbitrary shell commands. At some point the bit that IM does not parse is going to be a valid shall command and something unexpected is going to happen...

[fmw42]

Anthony is redeveloping the command line now for IM 7. He can tell you more about what he is doing.

[imaggie]

that's great news.

IM is really powerful but it's usefulness is severely reduced by the arcane commands. I'm sure a thorough restructuring of the CLI would make it much more accessible.

Looks like , by the time I master the current command set , it'll be out of date. LOL.

[anthony]

The iMv7 change is more allowing 'options' to be passed as a file 'stream' of commands to a 'convert' like command.

This allows you to run the IM command as a background 'co-process' which holds and processes images according to the commands by the shell or PHP wrapper script.

I am not trying to re-design the interface from the ground up. That was attempted by a 'MSL' language, as well as various other API interfaces, such as PerlMagick, PHP imagick, and Magick Wand for C and PHP.

[imaggie]

thanks for the clarification.

Do you have any comment on the subject of this thread, that premature abortion of command line parsing can cause basically arbitrary residual text to be executed by the shell?

[anthony]

The problem "command line parsing can cause basically arbitrary residual text" is actually noting to do with Imagemagick at all. It is the shell, PHP, perl, ruby, etc etc etc, that is doing this, can can do it for ANY command.

In your example it is more commonly causes by a invisible space after the end-of-line '\'
for example

Code: Select all

   echo hello cruel \ 
           world
   -bash: world: command not found

Where without the extra space it works just fine.

Code: Select all

   echo hello cruel \
           world
hello cruel world

nothing to do with the command itself, just shell syntax.

Whatever your wrapping language, you need to obey its syntax.

For example...

Code: Select all

    convert  rose: -virtual-pixel background -background Green \
           -distort Perspective '  0,0   20,5
                                           0,46   5,30
                                           70,0   65,10
                                           70,46   55,44'  show:

Which looks strange without the end-of-line '\' but is perfectly valid shell...The trick is to use quoting to prevent the shell seeing the newline, which IM in many cases will ignore as 'whitespace' in its arguments.

For variations is line-by-line syntax handling in PHP see...
http://www.rubblewebs.co.uk/imagemagick ... xplain.php

This is even worse than just plain shell as the line is interpreted by PHP, then shell, and finally individual arguments by ImageMagick! At least in Perl you can launch commands with you doing the 'argument sub-division' yourself, and avoiding the shell all together, PHP does not provide that facility!

To allow IMv7 to do stream handling I also have to build some argument sub-division handling in IM...

[imaggie]

Code: Select all

$ convert -size $((5*$wid))x$((5*$ht)) xc: -tile (-extract  50%x25%+25%+5% tile.png)\
bash: syntax error near unexpected token `('
$ /tmpd/img $ -draw "rectangle 0,0 $((5*$wid)),$((5*$ht))" \
> output-tile.png

There was no spaces on what I posted but you are in essence correct . The shell barfed because I forgot to escape the brackets , it never even called convert.

My bad.

Thanks for all the detail.