Hi,
I'm trying to come to terms with the new policy file updates,
and how to fix my scripts that have been broken by it.
Specifically: <policy domain="path" rights="none" pattern="@*" />
I'm thinking the LABEL and TEXT are also a concern.
An example of how I use it would be -annotate @text.txt
So, yes, I'm using IM on a server with user inputs, and security is important for me.
However, instead of a blanket ban on these features, I'd like to properly sanitize the
inputs that would cause security problems. Is this possible?
Or, come up with alternative functions that could replace what is broken.
Can anyone point me to the troubles
Policy file updates and broken scripts..
- fmw42
Re: Policy file updates and broken scripts..
One possible way:

Instead of:

convert -size 200x200 xc:white -font arial -pointsize 18 -gravity center -annotate +0+0 '@test.txt' tmp1.png

do:

str=$(cat test.txt)
# Then parse the str variable for things like magick describes below, if you want to sanitize it
convert -size 200x200 xc:white -font arial -pointsize 18 -gravity center -annotate +0+0 "$str" tmp2.png
Re: Policy file updates and broken scripts..
I was having trouble with special characters in the command line.
My bigger question is how is including a text file for annotation a security problem?
Can commands be embedded in that?
Re: Policy file updates and broken scripts..
Think label:@/etc/passwd. Eliminate the indirect read and it helps avoid this vulnerability.
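The two replies above (fmw42's "read the file in the shell and pass the string" workaround, and magick's explanation that the "@file" indirection is what lets label:@/etc/passwd read arbitrary files) can be combined into a small script. The following is an added example, not code from the thread or from ImageMagick: it reads the annotation text in the shell, refuses text that still begins with "@" (ImageMagick would otherwise treat it as "read this file"), strips control characters, doubles "%" so that ImageMagick's percent escapes (%f, %[fx:...]) are not expanded, and applies a length cap. The function names, the MAX_LEN limit and the sample files are my own constructions.

```shell
#!/bin/sh
# Added example (not from the forum thread or from ImageMagick): sanitize
# annotation text in the shell so that the policy-blocked "@file" indirect
# read is never needed, then pass the result to -annotate as a plain string.

# Constructed limit on annotation length; adjust to taste.
MAX_LEN=${MAX_LEN:-512}

# sanitize_annotation_text FILE
#   Prints the sanitized contents of FILE on stdout.  Returns 1 (prints
#   nothing) if the text must be rejected.  POSIX sh: no 'local', so the
#   variables are plain globals.
sanitize_annotation_text() {
    file=$1
    [ -f "$file" ] || return 1

    # $(...) drops trailing newlines, as the backtick form in the thread does.
    text=$(cat "$file")

    # Strip control characters except tab (011) and newline (012).
    text=$(printf '%s' "$text" | tr -d '\001-\010\013-\037\177')

    # A leading '@' would make -annotate / label: / caption: read the named
    # file instead of drawing the text.  Refuse rather than silently rewrite.
    case $text in
        @*) return 1 ;;
    esac

    # '%' introduces ImageMagick property escapes; "%%" is a literal percent.
    text=$(printf '%s' "$text" | sed 's/%/%%/g')

    # Bound the size of what a user can make us render.
    [ "${#text}" -le "$MAX_LEN" ] || return 1

    printf '%s\n' "$text"
}

# annotate_from_file TEXTFILE OUTPUT.png
#   The thread's convert command, with the sanitized string in place of
#   '@test.txt'.  Only runs if ImageMagick's convert is installed.
annotate_from_file() {
    src=$1
    out=$2
    text=$(sanitize_annotation_text "$src") || {
        echo "refusing annotation text from $src" >&2
        return 1
    }
    command -v convert >/dev/null 2>&1 || {
        echo "convert not installed; sanitized text was: $text" >&2
        return 1
    }
    convert -size 200x200 xc:white -pointsize 18 -gravity center \
        -annotate +0+0 "$text" "$out"
}
```

Usage: `annotate_from_file user_text.txt out.png`. A file whose first character is "@" is rejected outright, so the script never relies on the policy file to stop an indirect read; the policy entry from the first post stays in place as the second line of defence.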