Reply to post: Re: Developer forum is murdering ImageMagick

Server-jacking exploits for ImageMagick are so trivial, you'll scream


Some people DID migrate!

In any case, at heart IM is mostly just a pile of script tools for image manipulation. I don't think it was ever meant to be terribly secure, it's supposed to be on the "quick'n dirty" side of the spectrum. GraphicsMagick is not _terrifically_ better either. In fact, batch image manipulation tools and libraries are notoriously hard to make both useful and secure because of the tendency (by all "image format vendors") to include more and more "bells and whistles", notably in the meta-information. I tend to trust PIL somewhat, mostly because I know how to prevent Python from doing stupid things, but even then I always keep a close eye on what can happen with it.

In my IM days I used to have a few sanitization scripts which I think kept my systems relatively safe, mostly by pre-emptively removing all but pixel information, but not all image formats work well with that approach, obviously.
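The "keep only the pixel information" approach the comment describes, as an added example that is not the poster's scripts or any ImageMagick code: a standard-library Python rewriter for PNG that checks every chunk's framing and CRC, keeps only the chunks a decoder needs to reconstruct pixels, and drops all other chunks and anything trailing after IEND. The sample image is constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunks needed to decode pixels; everything else (tEXt, iTXt, zTXt, eXIf,
# iCCP, pHYs, ...) is metadata and is dropped by the rewriter.
PIXEL_CHUNKS = {b"IHDR", b"PLTE", b"tRNS", b"IDAT", b"IEND"}


def make_chunk(ctype, body):
    # One PNG chunk: big-endian length, 4-byte type, body, CRC-32 of type+body.
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def iter_chunks(data):
    """Yield (type, body) for each chunk, refusing truncated or corrupt ones."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError(f"truncated {ctype!r} chunk")
        if struct.unpack(">I", crc_bytes)[0] != zlib.crc32(ctype + body) & 0xFFFFFFFF:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            return  # bytes after IEND are trailing junk and are never copied
    raise ValueError("no IEND chunk")


def strip_png(data):
    """Return (clean_png, kept_chunk_types, dropped_chunk_types)."""
    out, kept, dropped = [PNG_SIG], [], []
    for ctype, body in iter_chunks(data):
        if ctype in PIXEL_CHUNKS:
            out.append(make_chunk(ctype, body))
            kept.append(ctype.decode("ascii"))
        else:
            dropped.append(ctype.decode("ascii"))
    return b"".join(out), kept, dropped


def sample_png():
    """Constructed 1x1 RGB PNG carrying a tEXt comment and trailing junk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, depth, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return (PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"tEXt", b"Comment\x00hi")
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"") + b"JUNK")
```

PNG keeps metadata in separately named chunks, which is why this works cleanly; for formats that do not separate metadata from pixel data this way, the post's caveat applies.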


Biting the hand that feeds IT © 1998–2021