stdin for label: and caption: is not recognized
Posted: 2015-10-14T07:20:27-07:00
by jens.a.e
hi,
i am using a convert pipe to render text into a png. we have been using successfully up to version 6.9.1-10. after upgrading to 6.9.2-4 the image suddenly only had '@-' rendered to it - the same goes for just 'label:-' resulting in a '-' rendered.
it does not happen when using the -text option. but the latter is not an option for us, sadly.
unfortunately i could not find any related post on the forum. i regard this a bug as it breaks with the same code from one version to another.
i tested this on OS X (homebrew install with 6.9.2-4 as well as --HEAD) as well as on windows (from the binary distributions); same effect. even with the nextgen version 7.0.0.
am i missing something? has the syntax changed to read from standard input? any pointer welcome.
thx in advance!
Re: stdin for label: and caption: is not recognized
Posted: 2015-10-14T09:31:57-07:00
by fmw42
I can confirm this on IM 6.9.2.4 Q16 Mac OSX with the following command:
Code:
echo "This is a Test" | convert -size 100x100 label:"@-" show:
Re: stdin for label: and caption: is not recognized
Posted: 2015-10-14T15:18:01-07:00
by magick
We can reproduce the problem you posted and have a patch in ImageMagick 6.9.2-5 Beta, available by sometime tomorrow. Thanks.
Re: stdin for label: and caption: is not recognized
Posted: 2015-10-16T02:19:18-07:00
by jens.a.e
Saw the commit. Brilliant. Thx!
Re: stdin for label: and caption: is not recognized
Posted: 2016-07-05T20:08:23-07:00
by androclus
just FYI, for those arriving here via Google or the local search:
as of today (2016-07-05), I am still getting this errant behavior (title image only looks like "@-") on the latest imagemagick package update available from standard repositories with Ubuntu 16.04 (which is "8:6.8.9.9-7ubuntu5.1").
to get the error out, and after struggling for hours with incorrect docs online, and dependency / delegate issues for PNG, I finally was able to re-compile my own .deb file of ImageMagick-7.0.2-2, using "andrew.46"s answer at
http://askubuntu.com/questions/745660/i ... l-problems
but even that was not quite right:
- i still had to run "./configure" before "make"
- i had to run "sudo ldconfig -v" afterwards to get newly-installed libraries recognized
once my 7.0.2-2 version of ImageMagick was installed, the label:@- works perfectly again.
also, i noticed today that a new imagemagick package came down from Canonical, which replaced my 7.0-based imagemagick .deb with an older buggy version (the one listed above) again. grrrr... so apt will not let me simply reinstall the .deb i built, replying with, "A later version is already installed", even though that "later" version is based on 6.8.9.9-7, and i am trying to install a .deb i made based on 7.0.2-2. *Sigh*. so -- being a neophyte regarding apt -- i was able to get things back to 7.* by re-running checkinstall (as per the help page above) and to rebuild and re-install my custom .deb package. i guess i'll have to do this whenever a new .deb comes down from Canonical -- until this bugfix propagates through to the repos.
Re: stdin for label: and caption: is not recognized
Posted: 2016-07-05T20:55:49-07:00
by fmw42
Re: stdin for label: and caption: is not recognized
Posted: 2016-07-06T05:45:00-07:00
by jens.a.e
So, in short, this means, that it is not possible anymore to run a command like
without a policy.xml?
Re: stdin for label: and caption: is not recognized
Posted: 2016-07-06T06:27:09-07:00
by magick
Security is a compromise between being secure and usability. If you are not concerned about indirect reads (e.g. convert label:@/etc/passwd ...), remove this policy from your policy.xml configuration file:
- <policy domain="path" rights="none" pattern="@*" />
Your command should work as expected now.
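A defender-side check for the policy line quoted above, as an added example that is not part of the original thread or of ImageMagick itself: it parses a policy.xml and reports whether '@' arguments, including '@-', would be denied. The sample files, the function names and the simplified glob matching are assumptions.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample policy.xml contents (not taken from any real host).
RESTRICTED = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="path" rights="none" pattern="@*" />
</policymap>"""

# Same file with the path policy commented out, i.e. effectively removed.
PERMISSIVE = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <!-- <policy domain="path" rights="none" pattern="@*" /> -->
</policymap>"""


def blocking_path_policies(policy_xml, argument):
    """Return patterns of path policies with rights="none" that match argument.

    Assumption: patterns are treated as shell-style globs and every entry is
    judged on its own; ImageMagick's real evaluation order is not modelled.
    """
    root = ET.fromstring(policy_xml)  # XML comments are dropped by the parser
    hits = []
    for policy in root.iter("policy"):
        if policy.get("domain", "").lower() != "path":
            continue
        if policy.get("rights", "").lower() != "none":
            continue
        pattern = policy.get("pattern", "")
        if fnmatch.fnmatchcase(argument, pattern):
            hits.append(pattern)
    return hits


def audit(policy_xml, arguments=("@/etc/passwd", "@-", "plain text")):
    """Map each sample label: argument to 'blocked' or 'allowed'."""
    return {
        arg: "blocked" if blocking_path_policies(policy_xml, arg) else "allowed"
        for arg in arguments
    }


if __name__ == "__main__":
    for name, xml_text in (("restricted", RESTRICTED), ("permissive", PERMISSIVE)):
        print(name, audit(xml_text))
```

With the restricted sample, '@-' is reported as blocked alongside '@/etc/passwd', because the '@*' pattern does not distinguish stdin from a file path.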
Re: stdin for label: and caption: is not recognized
Posted: 2016-07-06T07:29:26-07:00
by jens.a.e
Thanks. I totally welcome the security improvement!
Re: stdin for label: and caption: is not recognized
Posted: 2016-10-21T10:44:45-07:00
by heyimalex
The reason I was using '@-' was to avoid needing to escape the strings I want displayed. For example, I want '%b' to literally display '%b' instead of the filesize. I understand that allowing any file is a security issue, but does reading from stdin pose the same risk?
Anyways, like posters above I haven't been able to get '@-' to work even after updating policy.xml. Manually escaping strings turned out to not be too difficult: replacing '%' with '%%' does the trick, and since '@' doesn't work it doesn't need escaping, though it's kind of scary that if there's ever a change and '@' starts working again I'm vulnerable to the same issue that started all of this! Let me know if anyone finds a more bulletproof way to do things.
EDIT: Actually, I just tried running it and the command straight up hangs if you pass an '@' with the restricted policy.xml... Ugh. It looks like the release in ubuntu 16.04 is compiled without '--enable-pipes' so there's no way to get around this without recompiling. Looks like I'm gonna have to write some c today...
EDIT2: Ok, getting caption to work with magickwand looked hard so I took a second shot at escaping. Apparently backslashes work to escape, so this pseudocode should do the trick
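Code:
# Python; backslashes are doubled inside the string literals.
unescaped = '@ %b \\%%b '
# Escape backslashes first, then percent signs.
escaped = unescaped.replace('\\', '\\\\').replace('%', '\\%')
# Escape a leading '@' so the text is not taken as an indirect read.
if escaped.startswith('@'):
    escaped = '\\' + escaped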