Forcing input format for security? #485

Open
mcary opened this issue Aug 23, 2019 · 1 comment
mcary commented Aug 23, 2019

I'd like to ensure that an attacker cannot execute arbitrary code on my server by (for example) uploading a carefully crafted PostScript with a JPEG file extension. Is there a way to take advantage of the ImageMagick feature that forces an input file format by specifying a module prefix on the filename, such as "jpg:some-file.jpg"? This is suggested as a security precaution for both ImageMagick (see "Other Security Considerations") and GraphicsMagick (see "Safe Use Of The Software", item 6).

janko (Member) commented Sep 9, 2019

With MiniMagick::Image not at the moment, only if you directly use MiniMagick::Tool::Convert and friends. It looks like a useful feature to add.
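
An added example, not part of the thread and not MiniMagick's own code: one way to apply the forced-format prefix through `MiniMagick::Tool::Convert`, as the reply suggests. `ALLOWED_INPUTS`, `UnsafeInputError`, `forced_input`, `safe_thumbnail` and `demo` are hypothetical names, the sample files are constructed, and the leading-bytes check goes beyond what the thread asks for.

```ruby
require "tmpdir"

# Allowlist: accepted extension => ImageMagick coder prefix and the bytes
# a genuine file of that type starts with.
ALLOWED_INPUTS = {
  ".jpg"  => { coder: "jpeg", magic: "\xFF\xD8\xFF".b },
  ".jpeg" => { coder: "jpeg", magic: "\xFF\xD8\xFF".b },
  ".png"  => { coder: "png",  magic: "\x89PNG\r\n\x1A\n".b },
}.freeze

class UnsafeInputError < StandardError; end

# Returns "coder:/absolute/path" so ImageMagick uses the named coder
# instead of choosing one from the file's content.
def forced_input(path)
  spec = ALLOWED_INPUTS[File.extname(path).downcase]
  raise UnsafeInputError, "extension not allowed: #{path}" unless spec
  head = File.binread(path, spec[:magic].bytesize).to_s
  raise UnsafeInputError, "content is not #{spec[:coder]}: #{path}" unless head == spec[:magic]
  "#{spec[:coder]}:#{File.expand_path(path)}"
end

# Hypothetical helper: needs the mini_magick gem and ImageMagick installed.
def safe_thumbnail(src, dst, geometry = "200x200")
  require "mini_magick" # loaded lazily so the checks above run without it
  MiniMagick::Tool::Convert.new do |convert|
    convert << forced_input(src)                  # e.g. "jpeg:/uploads/a.jpg"
    convert.resize(geometry)
    convert << "jpeg:#{File.expand_path(dst)}"    # force the output coder too
  end
end

# Constructed sample uploads: a JPEG header, PostScript renamed to .jpg,
# and a file with an extension outside the allowlist.
def demo
  samples = { "photo.jpg"   => "\xFF\xD8\xFF\xE0".b + "constructed",
              "renamed.jpg" => "%!PS-Adobe-3.0\n",
              "doc.ps"      => "%!PS-Adobe-3.0\n" }
  Dir.mktmpdir do |dir|
    samples.map do |name, bytes|
      path = File.join(dir, name)
      File.binwrite(path, bytes)
      verdict = begin
        forced_input(path)
      rescue UnsafeInputError => e
        "rejected: #{e.message}"
      end
      [name, verdict]
    end.to_h
  end
end

puts demo if $PROGRAM_NAME == __FILE__
```
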
