--- /dev/null
+diff -r 33200fc645f6 magick/render.c\r
+--- a/magick/render.c Sat Nov 07 14:49:16 2015 -0600\r
++++ b/magick/render.c Sun May 08 18:21:47 2016 -0500\r
+@@ -4096,6 +4096,24 @@\r
+ &image->exception);\r
+ else\r
+ {\r
++ /*\r
++ Sanity check URL/path before passing it to ReadImage()\r
++\r
++ This is a temporary fix until suitable flags can be passed\r
++ to keep SetImageInfo() from doing potentially dangerous\r
++ magick things.\r
++ */\r
++#define VALID_PREFIX(str,url) (LocaleNCompare(str,url,sizeof(str)-1) == 0)\r
++ if (!VALID_PREFIX("http://", primitive_info->text) &&\r
++ !VALID_PREFIX("https://", primitive_info->text) &&\r
++ !VALID_PREFIX("ftp://", primitive_info->text) &&\r
++ !(IsAccessibleNoLogging(primitive_info->text))\r
++ )\r
++ {\r
++ ThrowException(&image->exception,FileOpenError,UnableToOpenFile,primitive_info->text);\r
++ status=MagickFail;\r
++ break;\r
++ }\r
+ (void) strlcpy(clone_info->filename,primitive_info->text,\r
+ MaxTextExtent);\r
+ composite_image=ReadImage(clone_info,&image->exception);\r