Hello list,

Is there a safe way to execute a user-provided convert command line without compromising system security? With the naive approach, a malicious user could submit a command that identifies the existence of a file (with e.g. -mask or image stacks) or overwrite a file (with e.g. -write).

One option that comes to me is to ban the use of parentheses and of all the options that take a filename. This is problematic, because new options are introduced to the convert command all the time. There is no guarantee that a future command won't run with today's code, so upgrading ImageMagick could introduce a risk.

One safer approach is to make a list of all the valid commands, and to only allow those. This has a corresponding disadvantage, that any new features added to ImageMagick would be inaccessible.

Is there a happy middle ground? Is there a way to execute convert without creating a whitelist or blacklist of commands? Any feedback on this would be much appreciated.

For background, I'm making a module for Gallery <http://gallery.menalto.com/> to allow modifying an image by an arbitrary convert command. This is powerful; one could sepia-tone an image, fix camera shake (-rotate), and lots more. I'd like to take advantage of the power of ImageMagick without sacrificing security.

Thanks in advance for your thoughts,

--Ian

_______________________________________________
Magick-users mailing list
http://studio.imagemagick.org/mailman/listinfo/magick-users
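One way to implement the whitelist approach the post describes, as an added example that is not code from the original post, from Gallery, or from ImageMagick. It is written in Python (Gallery itself is PHP; the structure carries over unchanged). The option table, the argument patterns, and the function names are assumptions chosen for illustration: each allowed convert option maps to a pattern its single argument must match, every pattern is restricted to characters that cannot name a file, the input and output filenames are supplied by the server rather than the user, and the result is executed as an argv list with no shell. Anything not in the table, including -write, -mask, '(' / ')' image stacks, '@file' argument files and bare filenames, is refused.

```python
"""Whitelist validation of a user-supplied ImageMagick `convert` command.

Added example, not Gallery or ImageMagick code.  OPTIONS and the
function names below are assumptions chosen for illustration.
"""
import re
import shlex
import subprocess


class UnsafeCommand(ValueError):
    """Raised when the user command contains anything outside the whitelist."""


# Numeric value: optional sign, digits, optional decimal part.
_NUM = r"-?\d+(\.\d+)?"

# Allowed option -> compiled pattern its one argument must fully match,
# or None for options that take no argument.  Patterns allow only digits,
# '.', ',', '%', 'x', '<', '>', '!' and '^', so a value can never name a
# file: no '/', '@', spaces or quotes get through.  (Assumed table.)
OPTIONS = {
    "-sepia-tone": re.compile(rf"^{_NUM}%?$"),              # e.g. 80%
    "-rotate":     re.compile(rf"^{_NUM}[<>]?$"),           # e.g. 90, -2.5
    "-resize":     re.compile(r"^\d+(x\d+)?[%<>!^]*$"),      # e.g. 50%, 800x600>
    "-blur":       re.compile(rf"^{_NUM}(x{_NUM})?$"),      # radius[xsigma]
    "-modulate":   re.compile(rf"^{_NUM}(,{_NUM}){{0,2}}$"),  # bright[,sat[,hue]]
    "-quality":    re.compile(r"^\d{1,3}$"),
    "-negate":     None,
    "-flip":       None,
    "-flop":       None,
    "-normalize":  None,
    "+repage":     None,
}


def build_argv(user_cmdline, input_path, output_path, convert="convert"):
    """Turn the user's option string into an argv list, or raise UnsafeCommand.

    Filenames are never taken from the user: the caller supplies them and
    this function places them where convert expects them.
    """
    tokens = shlex.split(user_cmdline, posix=True)   # tokenize; no shell is run
    if tokens and tokens[0] == "convert":
        tokens = tokens[1:]                          # tolerate a leading "convert"
    argv = [convert, input_path]
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok not in OPTIONS:
            # Unknown option, '(' / ')', '@file', or a bare filename: refuse.
            raise UnsafeCommand(f"option not allowed: {tok!r}")
        pattern = OPTIONS[tok]
        argv.append(tok)
        i += 1
        if pattern is not None:
            if i >= len(tokens) or not pattern.fullmatch(tokens[i]):
                raise UnsafeCommand(f"bad or missing argument for {tok}")
            argv.append(tokens[i])
            i += 1
    argv.append(output_path)
    return argv


def is_allowed(user_cmdline):
    """True if build_argv would accept the command (for a UI pre-check)."""
    try:
        build_argv(user_cmdline, "in", "out")
        return True
    except ValueError:          # UnsafeCommand, or shlex unbalanced quotes
        return False


def run_convert(user_cmdline, input_path, output_path, timeout=30):
    """Validate, then run convert with an argv list (shell=False) and a timeout."""
    argv = build_argv(user_cmdline, input_path, output_path)
    return subprocess.run(argv, check=True, timeout=timeout,
                          stdin=subprocess.DEVNULL, capture_output=True)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real Gallery request.
    for cmd in ["-sepia-tone 80% -rotate 90",
                "-write /tmp/x.png",
                "-mask /etc/passwd",
                "( -clone 0 ) -rotate 90",
                "-label @/etc/passwd"]:
        try:
            print("accept:", build_argv(cmd, "/srv/gallery/in.jpg", "/srv/gallery/out.jpg"))
        except UnsafeCommand as exc:
            print("reject:", cmd, "->", exc)
```

The trade-off is the one the post names: a convert option added in a future ImageMagick release is unusable until someone adds it to the table, but an ImageMagick upgrade can never widen what users are able to do. Keep the argument patterns tight when extending the table; an option whose value can legitimately contain '@', '/' or quotes needs its own careful validator rather than a permissive pattern.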
