Policy file updates and broken scripts..

Posted: 2016-05-19T09:45:17-07:00
by dognose
Hi,
I'm trying to come to terms with the new policy file updates,
and how to fix my scripts that have been broken by it.
Specifically <policy domain="path" rights="none" pattern="@*" />
I'm thinking the LABEL and TEXT are also a concern.

An example of how I use it would be -annotate @text.txt

So, yes, I'm using IM on a server with user inputs, and security is important for me.
However, instead of a blanket ban on these features, I'd like to properly sanitize the
inputs that would cause security problems. Is this possible?

Or, come up with alternative functions that could replace what is broken.

Can anyone point me to the troubles

Re: Policy file updates and broken scripts..

Posted: 2016-05-19T11:32:09-07:00
by fmw42
One possible way:

Instead of:

convert -size 200x200 xc:white -font arial -pointsize 18 -gravity center -annotate +0+0 '@test.txt' tmp1.png
do:

str=$(cat test.txt)
# Then parse the str variable for things like magick describes below, if you want to sanitize it
convert -size 200x200 xc:white -font arial -pointsize 18 -gravity center -annotate +0+0 "$str" tmp2.png

Re: Policy file updates and broken scripts..

Posted: 2016-05-19T11:52:30-07:00
by dognose
I was having trouble with special characters in the command line.
My bigger question is how is including a text file for annotation a security problem?
Can commands be embedded in that?

Re: Policy file updates and broken scripts..

Posted: 2016-05-19T17:21:08-07:00
by magick
Think label:@/etc/passwd. Eliminate the indirect read and it helps avoid this vulnerability.
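A defender-side version of the workaround fmw42 describes, covering the indirect read magick points at, as an added example that is not from any post in this thread: the script reads the text file itself, strips control characters, doubles every '%' so ImageMagick does not expand it as an image-property escape, and guards a leading '@' so the text is never treated as a filename. Assumes a POSIX shell with tr and sed; the file name, demo input and convert options are illustrative.

```shell
#!/bin/sh
# Prepare user-supplied annotation text for -annotate without letting
# ImageMagick read the file via "@file" (the path the policy now denies).

safe_annotation_text() {
    # $1: text file whose contents become the annotation.
    # 1. drop control characters except tab and newline
    # 2. double '%' so ImageMagick prints it literally instead of
    #    expanding escapes such as %[fx:...] or %[filename:...]
    # 3. a leading '@' would mark the string as a file to read;
    #    prefix a space so the text is used verbatim
    tr -d '\001-\010\013-\037\177' < "$1" \
      | sed -e 's/%/%%/g' -e '1s/^@/ @/'
}

render_annotation() {
    # $1: text file, $2: output image (convert options as in the thread)
    text=$(safe_annotation_text "$1")
    convert -size 200x200 xc:white -pointsize 18 -gravity center \
        -annotate +0+0 "$text" "$2"
}

# Constructed demo input (not from the thread): a first line that would
# otherwise be read as a file, an escape sequence, and a property escape.
demo=$(mktemp)
printf '@/etc/passwd\nhi\033[0m 100%% done\n' > "$demo"
safe_annotation_text "$demo"
rm -f "$demo"
```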