On 2/2/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> through ImageMagick (actually for resizing) will malicious code be
> eliminated?

Most likely, if you have a recent version of ImageMagick and set limits to
prevent denial of service attacks.  Recent versions of ImageMagick have
a number of possible exploits patched.  These are all possible buffer
overruns that were identified.  However, there are no known exploits
of ImageMagick due to a buffer overrun.  In addition we eliminated the
possibility of shell injection with the delegate subsystem by creating
a symbolic link to any user specified filename where the symbolic link is
a well-formed filename without any potentially dangerous shell meta-characters.

Thanks, that sounds good! Actually I'm using Rimagemagick, so maybe
there are extra configurations for that. I'd have to look.

How about the resulting images - will they be safe for whoever comes
along and visits a page that contains an image produced by
ImageMagick? Meaning could an image be crafted so that ImageMagick
doesn't crash, but the image it produces is malicious? I am guessing
no, but I thought I'd ask.

Stephan


To prevent denial of service set your limits.  We use a 64MB limit for
memory, 128MB for map, and 1GB for disk.  This prevents any one user
from consuming all available memory and prevents any image from consuming
more than 1GB of disk (if it does the program exits).



--
Stephan Wehner
http://stephan.sugarmotor.org
http://stephansmap.org
http://www.trafficlife.com
http://www.buckmaster.ca
_______________________________________________
Magick-users mailing list
[email protected]
http://studio.imagemagick.org/mailman/listinfo/magick-users
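
The two measures described in the thread (a symbolic link with a well-formed name standing in for the user-specified filename, and the 64MB/128MB/1GB resource limits) can be combined in a wrapper like the one below. This is an added example, not part of the original messages and not ImageMagick's own code; `safe_link`, `limited_resize`, `IM_BIN` and `IM_LIMITS` are hypothetical names, and the `convert` binary name is an assumption.

```shell
#!/bin/sh
# Added example: function and variable names are assumptions for illustration.

# Limits quoted in the thread: 64MB memory, 128MB map, 1GB disk.
IM_LIMITS="-limit memory 64MB -limit map 128MB -limit disk 1GB"
IM_BIN="${IM_BIN:-convert}"   # assumed binary name; override if yours differs

# Create a symlink with a fixed, metacharacter-free name that points at the
# user-supplied file, and print the link path. Only the link name is ever
# placed on the ImageMagick command line.
safe_link() {
    src=$1
    [ -f "$src" ] || { echo "not a regular file: $src" >&2; return 1; }
    case $src in
        /*) abs=$src ;;
        *)  abs=$PWD/$src ;;
    esac
    dir=$(mktemp -d "${TMPDIR:-/tmp}/imsafe.XXXXXX") || return 1
    ln -s "$abs" "$dir/input" || return 1
    printf '%s\n' "$dir/input"
}

# Resize through the safe link with the resource limits applied.
# $1 = uploaded file, $2 = geometry, $3 = output path chosen by the server.
limited_resize() {
    link=$(safe_link "$1") || return 1
    # $IM_LIMITS is intentionally unquoted so it splits into arguments.
    "$IM_BIN" $IM_LIMITS "$link" -resize "$2" "$3"
    status=$?
    rm -f "$link"
    rmdir "${link%/*}"
    return $status
}
```

A non-zero return from `limited_resize` covers the case mentioned above where the program exits because an image exceeded the disk limit.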
