X-Git-Url: https://git.pld-linux.org/gitweb.cgi?a=blobdiff_plain;f=image-sanity-check.patch;fp=image-sanity-check.patch;h=6b99c25ce04f802e933a3cd67ce668a84f5d8d25;hb=366755ee745e7503a023d4c37a916c6058d70be4;hp=0000000000000000000000000000000000000000;hpb=9d4bd31733adb97d843c097756fb079014646f8f;p=packages%2FGraphicsMagick.git
diff --git a/image-sanity-check.patch b/image-sanity-check.patch
new file mode 100644
index 0000000..6b99c25
--- /dev/null
+++ b/image-sanity-check.patch
@@ -0,0 +1,28 @@
+diff -r 33200fc645f6 magick/render.c
+--- a/magick/render.c Sat Nov 07 14:49:16 2015 -0600
++++ b/magick/render.c Sun May 08 18:21:47 2016 -0500
+@@ -4096,6 +4096,24 @@
+ &image->exception);
+ else
+ {
++ /*
++ Sanity check URL/path before passing it to ReadImage()
++
++ This is a temporary fix until suitable flags can be passed
++ to keep SetImageInfo() from doing potentially dangerous
++ magick things.
++ */
++#define VALID_PREFIX(str,url) (LocaleNCompare(str,url,sizeof(str)-1) == 0)
++ if (!VALID_PREFIX("http://", primitive_info->text) &&
++ !VALID_PREFIX("https://", primitive_info->text) &&
++ !VALID_PREFIX("ftp://", primitive_info->text) &&
++ !(IsAccessibleNoLogging(primitive_info->text))
++ )
++ {
++ ThrowException(&image->exception,FileOpenError,UnableToOpenFile,primitive_info->text);
++ status=MagickFail;
++ break;
++ }
+ (void) strlcpy(clone_info->filename,primitive_info->text,
+ MaxTextExtent);
+ composite_image=ReadImage(clone_info,&image->exception);
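Review bot: The `VALID_PREFIX` macro introduced in the nested render.c hunk is defined inside the function body and never undefined, so it leaks to the rest of the translation unit, and its `sizeof(str)-1` length only works when the first argument is a string literal (a `const char *` would yield pointer size minus one). I would add `#undef VALID_PREFIX` right after the closing `}` of the new `if` block, and note the literal requirement in the macro's comment: `/* str must be a string literal: the length comes from sizeof */`. Since `LocaleNCompare` is case-insensitive, the allow-list also accepts `HTTP://`-style prefixes; if that is intended, the comment should say so, since the list is the whole defence until the SetImageInfo() flags mentioned in the comment exist. The enclosing function, and the switch that the `break` exits, both start and end outside the hunk, so whether an accessible local path can still select a coder by its extension is not visible here.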