Ian Turner on wrote...
| Anthony,
|
| Thanks for your response. Maybe I wasn't entirely clear in my original e-mail.
|
| The script will provide the input and output filenames; those are not
| controlled by the user. What I am concerned about is the possibility that the
| user would maliciously use additional arguments (such as -write) in the
| command line.
|
| It's not possible to "check all input from the user", as you suggest, because
| the specific options supported by imagemagick, and their arguments, change
| over time. I can't control what version of imagemagick is running, thus the
| question: How to know what is a "safe" command line and what is not? Or
| alternatively, how to make command line safe?
|
| Shell characters are not an issue because no user input is ever passed to the
| shell, and imagemagick does not have the capacity to execute other programs.
|
If the IM is not passed to the shell you must be doing the split of the
command into separate arguments yourself.

For example, this is 'shell parsed'

    "convert input.jpg -rotate -90 output.jpg"

But this is probably a direct call by-passing the shell

    "convert", "input.jpg", "-rotate", "-90", "output.jpg"

Note the difference. Also often the "convert" is given a full path name
such as "/usr/bin/convert"

Now the only thing you need to worry about is getting it to read files.

Some arguments do read files, specifically -font, which could read
a fontname or a font file.

Similarly many 'string' arguments like -annotate can read a string
from a file, EG: "-annotate 0 '@filename'". The same goes for "-draw
'text...'", "label:", and "caption:". So watch out for '@'
characters.

Also if these @ strings read from a file (or stdin using "@-") the read
data WILL NOT BE PARSED. That is, nothing will be treated as 'special',
so that is a much safer way to pass user strings into a command.

Basically your user input may be used for some specific argument, so you
just need to watch for special characters in that argument.

Second, make doubly sure your command is NOT parsed by shell. Be
certain, don't assume. Without a shell, arguments will need to be split
up by your program. Also quotes are only then important for '-draw'.
If you need quotes you are being shell parsed.

Look for and read PHP security guides, especially anything on calling
external programs.

And finally parse ALL user input, and try to pass strings to IM in the
form of '@' files so that IM will not try to re-parse the input for
special escapes like '@' '%' etc.

Anthony Thyssen ( System Programmer ) <[EMAIL PROTECTED]>
-----------------------------------------------------------------------------
There can never be an `Absolute Chaos',
since any absolute must be lawful,
I.E. It is lawful in its chaos.
-----------------------------------------------------------------------------
Anthony's Home is his Castle http://www.cit.gu.edu.au/~anthony/
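
The advice in the reply above, as an added example that is not part of the original thread: the script builds the argument vector itself, accepts only allowlisted options with strictly shaped values, and hands user text to IM on stdin through "@-". The allowlist contents, the function names and the /usr/bin/convert location are assumptions made for illustration.

```python
import re
import subprocess

CONVERT = "/usr/bin/convert"  # full path, as the reply suggests (assumed location)

# Hypothetical allowlist: each permitted option and the exact shape of its value.
ALLOWED = {
    "-rotate": re.compile(r"-?\d{1,3}(\.\d+)?", re.ASCII),
    "-resize": re.compile(r"\d{1,4}x\d{1,4}", re.ASCII),
}


def build_argv(src, dst, operations, caption=None):
    """Build the argument vector; src and dst are chosen by the script, not the user."""
    argv = [CONVERT, src]
    for option, value in operations:
        pattern = ALLOWED.get(option)
        if pattern is None:  # rejects -write and any option a newer IM adds
            raise ValueError(f"option not allowed: {option!r}")
        if not pattern.fullmatch(value):  # rejects '@file', '%' escapes, extra text
            raise ValueError(f"bad value for {option}: {value!r}")
        argv += [option, value]
    if caption is not None:
        # The user's text never enters argv; IM reads it from stdin via "@-".
        argv += ["-annotate", "0", "@-"]
    argv.append(dst)
    return argv


def run_convert(src, dst, operations, caption=None):
    """Execute convert directly (no shell), feeding any caption on stdin."""
    argv = build_argv(src, dst, operations, caption)
    data = caption.encode("utf-8") if caption is not None else None
    return subprocess.run(argv, input=data, shell=False, check=True)


if __name__ == "__main__":
    # Constructed sample request: the caption looks like a file reference
    # but stays out of argv entirely.
    print(build_argv("input.jpg", "output.jpg", [("-rotate", "-90")],
                     caption="@/etc/passwd"))
```

Because unknown options are refused rather than known-bad ones blocked, the check does not depend on which ImageMagick version is installed.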