[magick-users] Best way to safely execute convert?
Ian Turner
vectro at vectro.org
Mon Jun 23 08:15:20 PDT 2008
Anthony,
Thanks for your response. Maybe I wasn't entirely clear in my original e-mail.
The script will provide the input and output filenames; those are not
controlled by the user. What I am concerned about is the possibility that the
user would maliciously use additional arguments (such as -write) in the
command line.
It's not possible to "check all input from the user", as you suggest, because
the specific options supported by imagemagick, and their arguments, change
over time. I can't control what version of imagemagick is running, thus the
question: How to know what is a "safe" command line and what is not? Or
alternatively, how to make command line safe?
Shell characters are not an issue because no user input is ever passed to the
shell, and imagemagick does not have the capacity to execute other programs.
Cheers,
--Ian
On Sunday 22 June 2008 23:27:58 Anthony Thyssen wrote:
> Ian Turner on wrote...
>
> | Hello list,
> |
> | Is there a safe way to execute a user-provided convert commandline
> | without compromising system security? With the naive approach, a
> | malicious user could submit a command that identifies the existence of a
> | file (with e.g. -mask or image stacks) or overwrite a file (with e.g.
> | -write).
>
> You would control the request, and check all input from the user.
>
> That is, numbers are numbers, and identifiers do not refer directly
> to a file, but are an identifier into a database of images that the user is
> dealing with.
>
> There should be no need for a web user to specifically specify a
> filename directly. That is asking for trouble.
>
> Also do not allow special characters like / ; quotes etc etc etc.
> Best to restrict them to an alphanumeric session identifier, rather than
> actual filenames.
>
> This is all standard Web Programming security practices, and nothing to
> do with IM itself.
>
> Anthony Thyssen ( System Programmer ) <A.Thyssen at griffith.edu.au>
>
> ---------------------------------------------------------------------------
> -- Zatheris is used to being beast of burden to other peoples needs. Very
> sad life. Probably a very sad death. At least there is symmetry! --
> Zatheris, Babylon 5, ``War Without End''
> ---------------------------------------------------------------------------
> -- Anthony's Home is his Castle http://www.cit.gu.edu.au/~anthony/
> _______________________________________________
> Magick-users mailing list
> Magick-users at imagemagick.org
> http://studio.imagemagick.org/mailman/listinfo/magick-users
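The approach Anthony describes (validate the request rather than the command line, and keep filenames out of the user's hands) can be combined with Ian's requirement that the user still supplies convert options: accept only an allowlist of options, each with a strict pattern for its argument, and reject everything else. An unknown option from a newer ImageMagick is then rejected by default rather than slipping through, which is what makes this robust to the version drift Ian worries about. The following is an added illustration written for this thread, not code from either poster or from ImageMagick; the particular options in the allowlist, the argument patterns, the sample inputs and the function names are all my own choices, and the script-chosen input/output paths are placeholders.

```python
import re
import subprocess
from typing import Dict, List, Optional, Pattern

# Allowlist of convert options a web user may supply.  Each maps to a regex
# that the option's single argument must match in full, or to None for an
# option that takes no argument.  Anything not listed (-write, -mask, -draw,
# -fx, image-stack parentheses, @file reads, fd:/pipe: pseudo-files, ...) is
# rejected, so the checker never has to know the full option set of the
# installed ImageMagick version.  (Allowlist contents are an assumption for
# this example; trim or extend it to what your application actually needs.)
ALLOWED: Dict[str, Optional[Pattern[str]]] = {
    "-resize":     re.compile(r"(\d{1,5}x\d{1,5}[!<>^]?|\d{1,3}%)"),
    "-rotate":     re.compile(r"-?\d{1,3}(\.\d+)?"),
    "-quality":    re.compile(r"(100|[1-9]?\d)"),
    "-colorspace": re.compile(r"(sRGB|RGB|Gray|CMYK)"),
    "-flip":       None,
    "-flop":       None,
    "-strip":      None,
}


class UnsafeArgument(ValueError):
    """Raised for any token that is not an allowlisted option or a
    well-formed argument to one."""


def validate_ops(tokens: List[str]) -> List[str]:
    """Return the validated operation tokens, or raise UnsafeArgument.

    Every token must be either an allowlisted option or the argument that
    such an option requires; there is no position at which a bare filename,
    an @file, or a parenthesis could be accepted.
    """
    out: List[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok not in ALLOWED:
            raise UnsafeArgument(f"option not permitted: {tok!r}")
        out.append(tok)
        i += 1
        pattern = ALLOWED[tok]
        if pattern is not None:
            if i >= len(tokens):
                raise UnsafeArgument(f"{tok} requires an argument")
            arg = tokens[i]
            if pattern.fullmatch(arg) is None:
                raise UnsafeArgument(f"bad argument for {tok}: {arg!r}")
            out.append(arg)
            i += 1
    return out


def is_safe(tokens: List[str]) -> bool:
    """Convenience wrapper: True if validate_ops accepts the tokens."""
    try:
        validate_ops(tokens)
        return True
    except UnsafeArgument:
        return False


def build_convert_argv(user_tokens: List[str], input_path: str,
                       output_path: str, convert: str = "convert") -> List[str]:
    """Assemble the argv list: script-chosen input, validated user options,
    script-chosen output.  Built as a list so it can be passed to subprocess
    without a shell; the user never influences either filename."""
    ops = validate_ops(user_tokens)
    return [convert, input_path] + ops + [output_path]


def run_convert(user_tokens: List[str], input_path: str,
                output_path: str) -> subprocess.CompletedProcess:
    """Run convert with no shell, no inherited stdin, and a time limit."""
    argv = build_convert_argv(user_tokens, input_path, output_path)
    return subprocess.run(argv, check=True, stdin=subprocess.DEVNULL,
                          timeout=30)


# Constructed sample requests, as a web form might submit them (token lists,
# never a single string that has to be split).
SAMPLE_OK = ["-resize", "50%", "-quality", "85", "-strip"]
SAMPLE_WRITE = ["-resize", "50%", "-write", "/tmp/leak.png"]
SAMPLE_PROBE = ["-resize", "50%", "-mask", "/etc/passwd"]
SAMPLE_BAD_ARG = ["-resize", "50%;rm", "-strip"]

if __name__ == "__main__":
    print(build_convert_argv(SAMPLE_OK, "/srv/in/abc123.jpg", "/srv/out/abc123.png"))
    for sample in (SAMPLE_WRITE, SAMPLE_PROBE, SAMPLE_BAD_ARG):
        print(sample, "->", "accepted" if is_safe(sample) else "rejected")
```

Two things are worth keeping in mind when adapting this. Because the user can only ever supply an option name followed by that option's argument, there is no slot in which a filename, an `@file` read, a `(`/`)` image stack or a coder-prefixed pseudo-file could be accepted, which closes the `-write` and `-mask` probes from Ian's first mail without enumerating them. And since the check is a strict allowlist, upgrading ImageMagick can only make the script refuse new options, never silently permit them.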