packages/ImageMagick
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ImageMagick/CVE-2020-29599-5.patch
wangxiao65 519aa12fe2 fix CVE-2020-29599
2021-01-12 17:00:23 +08:00

61 lines
2.1 KiB
Diff
Raw Blame History

From 7b0cce080345e5b7ef26d122f18809c93a19a80e Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Mon, 16 Nov 2020 18:17:31 +0000
Subject: [PATCH] fix shell injection vulnerability via the -authenticate
option
---
coders/pdf.c | 15 ++++++---------
magick/string.c | 8 +++++++-
2 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/coders/pdf.c b/coders/pdf.c
index 63eda5d81..074ba3f64 100644
--- a/coders/pdf.c
+++ b/coders/pdf.c
@@ -585,17 +585,14 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
if (stop_on_error != MagickFalse)
(void) ConcatenateMagickString(options,"-dPDFSTOPONERROR ",MaxTextExtent);
option=GetImageOption(image_info,"authenticate");
- if (option != (char *) NULL)
+ if ((option != (char *) NULL) && (strpbrk(option,"&;<>|") == (char *) NULL))
{
char
- message[MagickPathExtent],
- *passphrase;
-
- passphrase=SanitizeString(option);
- (void) FormatLocaleString(message,MagickPathExtent,
- "\"-sPDFPassword=%s\" ",passphrase);
- passphrase=DestroyString(passphrase);
- (void) ConcatenateMagickString(options,message,MagickPathExtent);
+ passphrase[MagickPathExtent];
+
+ (void) FormatLocaleString(passphrase,MagickPathExtent,
+ "\"-sPDFPassword=%s\" ",option);
+ (void) ConcatenateMagickString(options,passphrase,MagickPathExtent);
}
read_info=CloneImageInfo(image_info);
*read_info->magick='\0';
diff --git a/magick/string.c b/magick/string.c
index c8ffa086f..7f6eebc3b 100644
--- a/magick/string.c
+++ b/magick/string.c
@@ -1604,9 +1604,15 @@ MagickExport char *SanitizeString(const char *source)
*p;
static char
+#if defined(MAGICKCORE_WINDOWS_SUPPORT)
whitelist[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
- "$-_.+!*'(),{}|\\^~[]`\"><#%;/?:@&=";
+ "$-_.+!;*(),{}|^~[]`\'><#%/?:@&=";
+#else
+ whitelist[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
+ "$-_.+!;*(),{}|\\^~[]`\"><#%/?:@&=";
+#endif
sanitize_source=AcquireString(source);
p=sanitize_source;
Reference in New Issue View Git Blame Copy Permalink