The Perl Toolchain Summit needs more sponsors. If your company depends on Perl, please support this very important event.
 / 
Image-Magick-Safer-0.07
River stage zero No dependents
++
/ Image::Magick::Safer

NAME

Image::Magick::Safer - Wrap Image::Magick Read method to check magic bytes

Build Status Coverage Status

VERSION

0.07

SYNOPSIS

        use Image::Magick::Safer;

        # functions just like Image::Magick but wraps the Read method
        # to check the magic bytes of any images using File::LibMagic
        my $magick = Image::Magick::Safer->new;

        # if any @files have a MIME type that looks questionable then
        # $e will be populated
        if ( my $e = $magick->Read( @files ) ) {
                # bail out, unsafe to continue
                ....
        }

DESCRIPTION

Image::Magick::Safer is a drop in wrapper around Image::Magick, it adds a magic byte check to the Read method to check the file MIME type using File::LibMagic. If a file looks questionable then it will prevent the file being passed to the real Image::Magick::Read method and return an error. If a file cannot be opened, because it does not exist or it is prefixed with a pipe, an error will also be returned.

You can replace any calls to Image::Magick with Image::Magick::Safer and the functionality will be retained with the added Read protection. The aliases for Read will also be made safe.

If you need to override the default MIME types then you can set the modules $Image::Magick::Safer::Unsafe hash to something else or add extra types:

        # add SVG check to the defaults
        $Image::Magick::Safer::Unsafe->{'image/svg+xml'} = 1;

The default MIME types considered unsafe are as follows:

        text/plain
        application/x-compress
        application/x-compressed
        application/gzip
        application/bzip2
        application/x-bzip2
        application/x-gzip
        application/x-rar
        application/x-z
        application/z

Leading pipes are also considered unsafe, as well as any reference to files that cannot be found.

Note that i make NO GUARANTEE that this will fix and/or protect you from exploits, it's just another safety check. You should update to the latest version of ImageMagick to protect yourself against potential exploits.

Also note that to install the File::LibMagic module you will need to have both the library (libmagic.so) and the header file (magic.h). See the perldoc for File::LibMagic for more information.

WHY ISN'T THIS A PATCH IN Image::Magick?

Image::Magick moves at a glacial pace, and involves a 14,000 line XS file. No thanks. This will probably get patched in the next version, so for the time being this module exists.

KNOWN BUGS

DOES NOT WORK with BSD 10.1 and 7.0.1 and i can't figure out why. If you can figure out why then please submit a pull request. This is possibly some libmagic weirdness going on.

SEE ALSO

Image::Magick - the library this module wraps

https://www.imagemagick.org - ImageMagick

https://imagetragick.com/ - ImageMagick exploits

http://permalink.gmane.org/gmane.comp.security.oss.general/19669 - GraphicsMagick and ImageMagick popen() shell vulnerability via filename

AUTHOR

Lee Johnson - leejo@cpan.org

LICENSE

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself. If you would like to contribute documentation, features, bug fixes, or anything else then please raise an issue / pull request:

    https://github.com/Humanstate/image-magick-safer