366755ee ER |
1 | diff -r 33200fc645f6 magick/render.c\r |
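--- a/magick/render.c Sat Nov 07 14:49:16 2015 -0600
+++ b/magick/render.c Sun May 08 18:21:47 2016 -0500
@@ -4096,6 +4096,24 @@
 &image->exception);
 else
 {
+ /*
+ Sanity check URL/path before passing it to ReadImage()
+
+ This is a temporary fix until suitable flags can be passed
+ to keep SetImageInfo() from doing potentially dangerous
+ magick things.
+ */
+#define VALID_PREFIX(str,url) (LocaleNCompare(str,url,sizeof(str)-1) == 0)
+ if (!VALID_PREFIX("http://", primitive_info->text) &&
+ !VALID_PREFIX("https://", primitive_info->text) &&
+ !VALID_PREFIX("ftp://", primitive_info->text) &&
+ !(IsAccessibleNoLogging(primitive_info->text))
+ )
+ {
+ ThrowException(&image->exception,FileOpenError,UnableToOpenFile,primitive_info->text);
+ status=MagickFail;
+ break;
+ }
 (void) strlcpy(clone_info->filename,primitive_info->text,
 MaxTextExtent);
 composite_image=ReadImage(clone_info,&image->exception);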
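Review bot: The guard added before `ReadImage()` only requires `primitive_info->text` to be an http/https/ftp URL or an accessible path, so a drawing from an untrusted source can still make the renderer fetch a remote URL or read any local file the process can open. The comment should state that limit, e.g. `/* NOTE: does not restrict which hosts or local files may be read; untrusted drawings still need sandboxing or a policy that disables this primitive. */`. A name that passes `IsAccessibleNoLogging()` is handed to `ReadImage()` unchanged, so whatever prefix or subimage parsing `SetImageInfo()` applies to the filename presumably still runs, and the check-then-open sequence is not atomic. `VALID_PREFIX` is defined mid-function and never undefined; add `#undef VALID_PREFIX` after the closing brace of the check so it does not leak into the rest of the file. The early `break` skips whatever cleanup follows `ReadImage()`; the enclosing function starts and ends outside this hunk, so confirm that `clone_info`, if allocated before this branch, is released on that path.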