Anthony, Even after addressing all the considerations you have pointed out, one could still pass the commandline "-write /var/lib/gallery2/g2data/.htaccess", which would jack up the system pretty good. I'm sure a more creative person could figure out some even more nasty things, even running as Apache.
It would be easy to just ban -write. But there are other attack vectors. On my system (ImageMagick 6.3.7 02/19/08), the following options are all potentially dangerous: -display, -define, -font, -format, -mask, -clip-mask, -evaluate, -profile, -tile, -map, and -write. Even banning these might not be enough, though, because new dangerous options might be introduced in a new version of ImageMagick, and I can't control which version is installed. ImageMagick version 10.2.4 (04/01/15) might contain a new option -frobnicate-the-whole-system --- who knows?

From other responses on this thread, it sounds like the sane answer to this issue is to make a list of useful and non-dangerous options, and then only allow those. This is somewhat the approach taken by MagickStudio, which doesn't let you specify a command line but rather translates pointy-clicky into one.

Cheers,

--Ian

On Monday 23 June 2008 19:59:42 Anthony Thyssen wrote:
> Ian Turner on wrote...
> | Anthony,
> |
> | Thanks for your response. Maybe I wasn't entirely clear in my original
> | e-mail.
> |
> | The script will provide the input and output filenames; those are not
> | controlled by the user. What I am concerned about is the possibility that
> | the user would maliciously use additional arguments (such as -write) in
> | the command line.
> |
> | It's not possible to "check all input from the user", as you suggest,
> | because the specific options supported by imagemagick, and their
> | arguments, changes over time. I can't control what version of imagemagick
> | is running, thus the question: How to know what is a "safe" command line
> | and what is not? Or alternatively, how to make command line safe?
> |
> | Shell characters are not an issue because no user input is ever passed to
> | the shell, and imagemagick does not have the capacity to execute other
> | programs.
>
> If the IM is not passed to the shell you must be doing the split of the
> command into separate arguments yourself.
>
> For example, this is 'shell parsed'
>    "convert input.jpg -rotate -90 output.jpg"
>
> But this is probably a direct call by-passing the shell
>    "convert", "input.jpg", "-rotate", "-90", "output.jpg"
>
> Note the difference. Also often the "convert" is given a full path name
> such as "/usr/bin/convert"
>
> Now the only things you need to worry about is getting it to read files.
> Some arguments do read files. specifically -font which could read
> a fontname or a font file
>
> Similarly many 'string' arguments like -annotate can read a string
> from a file EG: "-annotate 0 '@filename'" the same goes for "-draw
> 'text...'", "label:", and "caption:" So watch out for '@'
> characters.
>
> Also if these @ strings read from a file (or stdin using "@-") the read
> data WILL NOT BE PARSED. that is nothing will be treated as 'special'
> so that is a much safer way to pass user strings into a command.
>
> Basically your user input may be used for some specific argument, so you
> just need to watch for special characters in that argument.
>
> Second make doubly sure your command is NOT parsed by shell. Be
> certain, don't assume. Without a shell, arguments will need to be split
> up by your program. Also quotes are only then important for '-draw'.
> If you need quotes you are being shell parsed.
>
> Look for and read PHP security guides, especially anything on calling
> external programs.
>
> And finally parse ALL user input, and try to pass strings to IM in the
> form of '@' files so that IM will not try to re-parse the input for
> special escapes like '@' '%' etc.
>
>
> Anthony Thyssen ( System Programmer ) <[EMAIL PROTECTED]>
> -----------------------------------------------------------------------------
>   There can never be an `Absolute Chaos',
>       since any absolute must be lawful,
>       I.E. It is lawful in its chaos.
> -----------------------------------------------------------------------------
>   Anthony's Home is his Castle http://www.cit.gu.edu.au/~anthony/

_______________________________________________
Magick-users mailing list
[email protected]
http://studio.imagemagick.org/mailman/listinfo/magick-users
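One way to implement the allow-list approach Ian describes (script-controlled filenames, a fixed set of permitted options with vetted values, no shell, '@' and '%' rejected in values), as an added example and not code from this thread; the option set, the value patterns and the /usr/bin/convert path are constructed for illustration:

```python
import re
import subprocess

# Constructed allow list: the only options a web form may add, each with a
# strict pattern for its single value (None = the option takes no value).
ALLOWED_OPTIONS = {
    "-rotate": re.compile(r"-?\d{1,3}(\.\d+)?"),
    "-resize": re.compile(r"\d{1,5}x\d{1,5}"),
    "-quality": re.compile(r"\d{1,3}"),
    "-flip": None,
    "-flop": None,
    "-negate": None,
}
# Characters ImageMagick expands itself (@file reads, % escapes). The
# patterns above already exclude them; this check is belt-and-braces.
SPECIAL_CHARS = "@%"
CONVERT = "/usr/bin/convert"  # assumed full path, as suggested in the thread

def check_args(user_args):
    """Return None if user_args is acceptable, else a rejection reason."""
    i = 0
    while i < len(user_args):
        opt = user_args[i]
        if opt not in ALLOWED_OPTIONS:
            return "option not permitted: %s" % opt  # -write, -font, ... land here
        pattern = ALLOWED_OPTIONS[opt]
        if pattern is None:
            i += 1
            continue
        if i + 1 >= len(user_args):
            return "missing value for %s" % opt
        value = user_args[i + 1]
        if any(c in value for c in SPECIAL_CHARS) or not pattern.fullmatch(value):
            return "bad value for %s: %r" % (opt, value)
        i += 2
    return None

def build_argv(user_args, input_path, output_path):
    """Build the argv list: script-chosen paths around vetted user options."""
    reason = check_args(user_args)
    if reason:
        raise ValueError(reason)
    return [CONVERT, input_path, *user_args, output_path]

def run_convert(user_args, input_path, output_path):
    # argv list with shell=False: nothing is ever re-parsed by /bin/sh.
    return subprocess.run(build_argv(user_args, input_path, output_path),
                          shell=False, check=True)
```

Any option not in ALLOWED_OPTIONS, including every one on Ian's list, is rejected before convert is ever started; a new option in a future ImageMagick release is rejected the same way without any change to the script.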
