Reply to post: Re: That's the unix way of doing things..

Server-jacking exploits for ImageMagick are so trivial, you'll scream

h4rm0ny

Re: That's the unix way of doing things..

>>"The moral of the story is not that there's anything wrong with interpreters (like your diatribe against shells) but the context that they're allowed to be used from. ImageMagick evolved from being a command-line tool and now it's being used in an unsafe context. That is all"

I disagree. Your argument is to the effect of "it doesn't matter if there are sufficient protections in place", but that's a statement that's always true and always misses the point. The point the OP made was that command-line text to join up different programs is inherently more vulnerable as an approach than calling the APIs of other objects because it is inherently more open to malicious input. If in this case, ImageMagick was written to call the "imageconvert()" method of an object, even if you could provide a variety of such objects that implemented it in different ways, that would be inherently safer than having it exec to the command line "jpegtool --convert myImage.jpg" where the command line is, by necessity, assembled from different parts and thus needs the kind of "jail" that you talk about in your anecdote.

OP is correct.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER

Biting the hand that feeds IT © 1998–2021