ImageTragick - how to mitigate ImageMagick as a library?

Posted: 2016-05-25T09:00:00-07:00
by haluptzok
How can I get policy.xml to load when using ImageMagick directly as a library?

Is there a code sample of bulletproof usage of the ImageMagick library?

I'm doing this - is it safe? Can I do better? I want to handle all images that aren't RCE vulnerable? Like get policy.xml to load?

Code:

if ((imageData.size() < 8) || // enough characters to see signature?
  (strncmp(imageData.c_str(), "GIF87a", 6) && // GIF ?
   strncmp(imageData.c_str(), "GIF89a", 6) && // GIF ?
   strncmp(imageData.c_str(),
   "\x89\x50\x4E\x47\x0D\x0A\x1A\x0A", 8) && // PNG ?
   strncmp(imageData.c_str(), "\xFF\xD8", 2)))  // JPG ?
{
  LOG(INFO) << "imageMagickDecode failed - unsafe image type";
  return false;
}

// Wrap the checked bytes in a Blob and let ImageMagick decode them.
size_t fileSize = imageData.size();
Blob blob((const char *)imageData.c_str(), fileSize);
Image image;
image.read(blob);
Pixels pixels(image);
// Do stuff.
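
A binary-safe, table-driven form of the signature allowlist in the post above, as an added example that is not part of the original post. `Allowed`, `kAllowed` and `sniffAllowedFormat` are hypothetical names, the three-byte JPEG signature is a stricter choice than the post's two-byte check, and the sample inputs in `main` are constructed.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// One allowlisted file signature and the decoder (coder) name it maps to.
struct Allowed {
    const char *sig;
    size_t len;
    const char *coder;
};

// Same formats as the post: GIF, PNG, JPEG. Anything else is rejected.
static const Allowed kAllowed[] = {
    {"GIF87a", 6, "GIF"},
    {"GIF89a", 6, "GIF"},
    {"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A", 8, "PNG"},
    {"\xFF\xD8\xFF", 3, "JPEG"},  // SOI marker plus the first byte of the next marker
};

// Returns the coder name for an allowlisted signature, or "" to reject.
// memcmp over data()/size() compares raw bytes and never reads past the
// buffer, so short or NUL-containing input is handled explicitly.
std::string sniffAllowedFormat(const std::string &imageData) {
    for (const Allowed &a : kAllowed) {
        if (imageData.size() >= a.len &&
            std::memcmp(imageData.data(), a.sig, a.len) == 0) {
            return a.coder;
        }
    }
    return "";
}

int main() {
    // Constructed inputs: a GIF header, a truncated JPEG, and XML text.
    const std::string samples[] = {
        std::string("GIF89a\x01\x00", 8),
        std::string("\xFF\xD8", 2),
        std::string("<?xml version=\"1.0\"?><svg>"),
    };
    for (const std::string &s : samples) {
        const std::string coder = sniffAllowedFormat(s);
        std::printf("%zu bytes -> %s\n", s.size(),
                    coder.empty() ? "rejected" : coder.c_str());
    }
    return 0;
}
```

Returning the coder name, rather than a bool, lets the caller log or act on the one format that was actually checked.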

Re: ImageTragick - how to mitigate ImageMagick as a library?

Posted: 2016-05-25T14:34:17-07:00
by snibgo
haluptzok wrote: How can I get policy.xml to load when using ImageMagick directly as a library?
It happens by magick. Well, I suppose it happens during MagickCoreGenesis() or similar.

You should try it for yourself. Edit policy.xml to prohibit some action, like reading *.tiff, then see if your programs can perform that action.