[magick-users] ImageMagick Security / Open resulting image in browser
Stephan Wehner
stephanwehner at gmail.com
Fri Feb 2 13:31:19 CST 2007
On 2/2/07, omicronpersei8 at imagemagick.org <omicronpersei8 at imagemagick.org> wrote:
> > through ImageMagick (actually for resizing) will malicious code be
> > eliminated?
>
> Most likely, if you have a recent version of ImageMagick and set limits to
> prevent denial of service attacks. Recent versions of ImageMagick have
> a number of possible exploits patched. These are all possible buffer
> overruns that were identified. However, there are no known exploits
> of ImageMagick due to a buffer overrun. In addition we eliminated the
> possibility of shell injection with the delegate subsystem by creating
> a symbolic link to any user specified filename where the symbolic link is
> a well-formed filename without any potentially dangerous shell meta-characters.
Thanks, that sounds good! Actually I'm using Rimagemagick, so maybe
there are extra configurations for that. I'd have to look.
How about the resulting images - will they be safe for whoever comes
along and visits a page that contains an image produced by
ImageMagick? Meaning could an image be crafted so that ImageMagick
doesn't crash, but the image it produces is malicious? I am guessing
no, but I thought I'd ask.
Stephan
>
> To prevent denial of service set your limits. We use a 64MB limit for
> memory, 128MB for map, and 1GB for disk. This prevents any one user
> from consuming all available memory and prevents any image from consuming
> more than 1GB of disk (if it does the program exits).
>
--
Stephan Wehner
http://stephan.sugarmotor.org
http://stephansmap.org
http://www.trafficlife.com
http://www.buckmaster.ca
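The resource limits quoted above (64MB memory, 128MB map, 1GB disk), expressed as an ImageMagick `policy.xml` fragment. This is an added example, not a file from the thread or from the ImageMagick project; it assumes a build that reads `policy.xml` from its configuration directory, so the limits apply to every process, including one driven from RMagick, rather than only to a single `convert -limit ...` invocation.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
  <!ELEMENT policymap (policy)*>
  <!ELEMENT policy EMPTY>
  <!ATTLIST policy domain CDATA #REQUIRED>
  <!ATTLIST policy name CDATA #IMPLIED>
  <!ATTLIST policy value CDATA #IMPLIED>
]>
<policymap>
  <!-- Hard cap on heap memory a single image operation may use.
       Above this, pixel data spills to the memory-mapped cache. -->
  <policy domain="resource" name="memory" value="64MiB"/>

  <!-- Cap on the memory-mapped pixel cache. Above this, pixels
       spill to the on-disk cache. -->
  <policy domain="resource" name="map" value="128MiB"/>

  <!-- Cap on on-disk pixel cache. If an image needs more than this,
       the operation fails instead of filling the filesystem. -->
  <policy domain="resource" name="disk" value="1GiB"/>
</policymap>
```

After installing the file, `identify -list resource` prints the limits the running build actually enforces, which is the check to run before trusting that the policy was picked up.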