[magick-users] Best way to safely execute convert?
Ian Turner
vectro at vectro.org
Sun Jun 22 16:25:52 PDT 2008
Hello list,

Is there a safe way to execute a user-provided convert command line without compromising system security? With the naive approach, a malicious user could submit a command that identifies the existence of a file (with e.g. -mask or image stacks) or overwrites a file (with e.g. -write).

One option that comes to me is to ban the use of parentheses and of all the options that take a filename. This is problematic, because new options are introduced to the convert command all the time. There is no guarantee that a future command won't run with today's code, so upgrading ImageMagick could introduce a risk.

One safer approach is to make a list of all the valid commands, and to only allow those. This has a corresponding disadvantage, that any new features added to ImageMagick would be inaccessible.

Is there a happy middle ground? Is there a way to execute convert without creating a whitelist or blacklist of commands? Any feedback on this would be much appreciated.

For background, I'm making a module for Gallery <http://gallery.menalto.com/> to allow modifying an image by an arbitrary convert command. This is powerful; one could sepia-tone an image, fix camera shake (-rotate), and lots more. I'd like to take advantage of the power of ImageMagick without sacrificing security.

Thanks in advance for your thoughts,
--Ian
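The allowlist approach the post describes, as an added example in Python; this is not code from Gallery, ImageMagick or the poster. Each permitted option is paired with a regex its argument must match in full, the server chooses the input and output paths so user text never lands in a filename position, and the command is run as an argv list with no shell. The option table, the regexes and the paths are assumptions for illustration; a real deployment would extend the table per ImageMagick version.

```python
import re
import shlex
import subprocess

# Hypothetical allowlist: option -> regex its one argument must match in full
# (None means the option takes no argument). Everything not listed is rejected,
# which covers -write, -mask, parentheses and any option added in a future
# ImageMagick release.
ALLOWED_OPTIONS = {
    "-rotate": r"-?\d{1,3}(\.\d+)?",       # degrees, e.g. 90 or -2.5
    "-sepia-tone": r"\d{1,3}%",            # threshold percentage, e.g. 80%
    "-resize": r"\d{1,5}x\d{1,5}[>!<]?",   # WxH geometry, e.g. 800x600>
    "-quality": r"\d{1,3}",
    "-negate": None,
    "-flip": None,
    "-flop": None,
    "-auto-orient": None,
}


class UnsafeArgument(ValueError):
    """Raised for any token that is not an allowlisted option or a well-formed value."""


def validate_convert_args(user_string):
    """Split a user-supplied option string and return its tokens if every one
    is an allowlisted option followed by an argument matching that option's
    pattern. Bare words (potential filenames), "(" and ")", unknown options
    and malformed values all raise UnsafeArgument."""
    try:
        tokens = shlex.split(user_string)
    except ValueError as exc:
        raise UnsafeArgument(f"unbalanced quoting: {exc}")
    if not tokens:
        raise UnsafeArgument("no operations given")
    validated = []
    i = 0
    while i < len(tokens):
        option = tokens[i]
        if option not in ALLOWED_OPTIONS:
            raise UnsafeArgument(f"option not permitted: {option!r}")
        validated.append(option)
        i += 1
        pattern = ALLOWED_OPTIONS[option]
        if pattern is None:
            continue  # flag-style option, no argument to check
        if i >= len(tokens):
            raise UnsafeArgument(f"{option} requires an argument")
        value = tokens[i]
        if not re.fullmatch(pattern, value):
            raise UnsafeArgument(f"bad value for {option}: {value!r}")
        validated.append(value)
        i += 1
    return validated


def is_safe_convert_args(user_string):
    """Boolean form of validate_convert_args, handy for form validation."""
    try:
        validate_convert_args(user_string)
        return True
    except UnsafeArgument:
        return False


def build_convert_command(user_string, input_path, output_path):
    """Assemble argv with the server-chosen input and output files in fixed
    positions: the user's tokens can only ever be options and their values."""
    ops = validate_convert_args(user_string)
    return ["convert", input_path, *ops, output_path]


def run_convert(user_string, input_path, output_path, timeout=30):
    """Run convert as an argv list (no shell, so nothing is re-parsed by /bin/sh)."""
    argv = build_convert_command(user_string, input_path, output_path)
    return subprocess.run(argv, check=True, timeout=timeout, capture_output=True)


if __name__ == "__main__":
    # Constructed sample inputs: the first two are the sepia-tone and
    # rotate cases from the post, the rest are the kinds of input the
    # allowlist exists to refuse.
    samples = [
        "-sepia-tone 80%",
        "-rotate -2.5 -auto-orient",
        "-write /tmp/out.png",         # filename-taking option: rejected
        "( -clone 0 ) -mask x.png",     # image stack / -mask: rejected
        "photo.jpg -negate",            # bare word that could be a file: rejected
        "-rotate abc",                  # malformed value: rejected
    ]
    for s in samples:
        print(f"{s!r:32} -> {'accepted' if is_safe_convert_args(s) else 'rejected'}")
    print(build_convert_command("-resize 800x600>", "/srv/in.jpg", "/srv/out.jpg"))
```

The table is deliberately a default-deny list, so the disadvantage the post mentions (new features are unavailable until someone adds them) is the price of not having to predict what future options do; each addition is a one-line entry with a pattern for its argument, which is cheap to review.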