[packages/GraphicsMagick.git] / image-sanity-check.patch

diff -r 33200fc645f6 magick/render.c\r
--- a/magick/render.c	Sat Nov 07 14:49:16 2015 -0600\r
+++ b/magick/render.c	Sun May 08 18:21:47 2016 -0500\r
@@ -4096,6 +4096,24 @@\r
           &image->exception);\r
       else\r
         {\r
+          /*\r
+            Sanity check URL/path before passing it to ReadImage()\r
+\r
+            This is a temporary fix until suitable flags can be passed\r
+            to keep SetImageInfo() from doing potentially dangerous\r
+            magick things.\r
+          */\r
+#define VALID_PREFIX(str,url) (LocaleNCompare(str,url,sizeof(str)-1) == 0)\r
+          if (!VALID_PREFIX("http://", primitive_info->text) &&\r
+              !VALID_PREFIX("https://", primitive_info->text) &&\r
+              !VALID_PREFIX("ftp://", primitive_info->text)  &&\r
+              !(IsAccessibleNoLogging(primitive_info->text))\r
+              )\r
+            {\r
+              ThrowException(&image->exception,FileOpenError,UnableToOpenFile,primitive_info->text);\r
+              status=MagickFail;\r
+              break;\r
+            }\r
           (void) strlcpy(clone_info->filename,primitive_info->text,\r
             MaxTextExtent);\r
           composite_image=ReadImage(clone_info,&image->exception);\r
Commit	Line	Data
366755ee ER	1	diff -r 33200fc645f6 magick/render.c\r
	2	--- a/magick/render.c Sat Nov 07 14:49:16 2015 -0600\r
	3	+++ b/magick/render.c Sun May 08 18:21:47 2016 -0500\r
	4	@@ -4096,6 +4096,24 @@\r
	5	&image->exception);\r
	6	else\r
	7	{\r
	8	+ /*\r
	9	+ Sanity check URL/path before passing it to ReadImage()\r
	10	+\r
	11	+ This is a temporary fix until suitable flags can be passed\r
	12	+ to keep SetImageInfo() from doing potentially dangerous\r
	13	+ magick things.\r
	14	+ */\r
	15	+#define VALID_PREFIX(str,url) (LocaleNCompare(str,url,sizeof(str)-1) == 0)\r
	16	+ if (!VALID_PREFIX("http://", primitive_info->text) &&\r
	17	+ !VALID_PREFIX("https://", primitive_info->text) &&\r
	18	+ !VALID_PREFIX("ftp://", primitive_info->text) &&\r
	19	+ !(IsAccessibleNoLogging(primitive_info->text))\r
	20	+ )\r
	21	+ {\r
	22	+ ThrowException(&image->exception,FileOpenError,UnableToOpenFile,primitive_info->text);\r
	23	+ status=MagickFail;\r
	24	+ break;\r
	25	+ }\r
	26	(void) strlcpy(clone_info->filename,primitive_info->text,\r
	27	MaxTextExtent);\r
	28	composite_image=ReadImage(clone_info,&image->exception);\r