Ian Turner on wrote...
| Hello list,
|
| Is there a safe way to execute a user-provided convert commandline without
| compromising system security? With the naive approach, a malicious user could
| submit a command that identifies the existence of a file (with e.g. -mask or
| image stacks) or overwrite a file (with e.g. -write).
|
You would control the request, and check all input from the user.
That is, numbers are numbers, and identifiers do not refer directly
to a file, but are identifiers into a database of images that the user
is dealing with.
There should be no need for a web user to specifically specify a
filename directly. That is asking for trouble.
Also do not allow special characters like / ; quotes etc etc etc.
Best to restrict them to an alphanumeric session identifier, rather than
actual filenames.
This is all standard Web Programming security practice, and nothing to
do with IM itself.
Anthony Thyssen ( System Programmer ) <[EMAIL PROTECTED]>
-----------------------------------------------------------------------------
Zatheris is, used to being beast of burden to other peoples needs.
Very sad life. Probably a very sad death. At least there is symmetry!
-- Zatheris, Babylon 5, ``War Without End''
-----------------------------------------------------------------------------
Anthony's Home is his Castle http://www.cit.gu.edu.au/~anthony/
_______________________________________________
Magick-users mailing list
[email protected]
http://studio.imagemagick.org/mailman/listinfo/magick-users
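
One way to apply the advice in the reply above, as an added example that is not part of the original message or of ImageMagick: the user supplies only alphanumeric identifiers and a list of allowlisted operations with checked values, and the server builds the convert argument list itself. The catalog contents, paths, limits and function names are assumptions made for illustration.

```python
import re

# Constructed stand-in for the per-user image database the reply describes:
# session id -> {image id -> server-side path}. All values are hypothetical.
CATALOG = {"sess9f3a": {"img001": "/srv/images/9f3a/0001.png"}}

ID_RE = re.compile(r"[A-Za-z0-9]{1,32}")   # alphanumeric identifiers only
INT_RE = re.compile(r"[0-9]{1,4}")         # "numbers are numbers"
ANGLE_RE = re.compile(r"-?[0-9]{1,3}")

def _resize(v):
    w, sep, h = v.partition("x")
    if sep and INT_RE.fullmatch(w) and INT_RE.fullmatch(h) \
            and 1 <= int(w) <= 4096 and 1 <= int(h) <= 4096:
        return ["-resize", f"{int(w)}x{int(h)}"]
    raise ValueError("bad resize value")

def _rotate(v):
    if ANGLE_RE.fullmatch(v) and -360 <= int(v) <= 360:
        return ["-rotate", str(int(v))]
    raise ValueError("bad rotate value")

def _quality(v):
    if INT_RE.fullmatch(v) and 1 <= int(v) <= 100:
        return ["-quality", str(int(v))]
    raise ValueError("bad quality value")

# Only these operations can ever reach the command line; options that take
# a filename (such as -write or -mask) are simply not in the table.
ALLOWED_OPS = {"resize": _resize, "rotate": _rotate, "quality": _quality}

def build_convert_argv(session_id, image_id, ops, out_dir="/srv/out"):
    """Return an argv list for subprocess.run(argv), never a shell string."""
    for ident in (session_id, image_id):
        if not isinstance(ident, str) or not ID_RE.fullmatch(ident):
            raise ValueError("identifier must be alphanumeric")
    try:
        src = CATALOG[session_id][image_id]   # path comes from the server
    except KeyError:
        raise ValueError("unknown image for this session") from None
    argv = ["convert", src]
    for name, value in ops:
        if name not in ALLOWED_OPS:
            raise ValueError(f"operation not allowed: {name!r}")
        argv += ALLOWED_OPS[name](str(value))
    # Output name is derived from validated identifiers, not user text.
    argv.append(f"{out_dir}/{session_id}-{image_id}.png")
    return argv
```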