Commit 3eb11260c for imagemagick.org
commit 3eb11260cfe84fddbdcb8d2ed47f92703d1b2987
Author: Cristy <urban-warrior@imagemagick.org>
Date: Fri Feb 20 19:54:17 2026 -0500
partial TOCTOU patch: https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-493f-jh8w-qhx3
diff --git a/MagickCore/blob.c b/MagickCore/blob.c
index 48fd4e66f..d617aa439 100644
--- a/MagickCore/blob.c
+++ b/MagickCore/blob.c
@@ -1464,19 +1464,36 @@ MagickExport void *FileToBlob(const char *filename,const size_t extent,
file=fileno(stdin);
if (LocaleCompare(filename,"-") != 0)
{
+ int
+ flags = O_RDONLY | O_BINARY;
+
status=GetPathAttributes(filename,&attributes);
if ((status == MagickFalse) || (S_ISDIR(attributes.st_mode) != 0))
{
ThrowFileException(exception,BlobError,"UnableToReadBlob",filename);
return(NULL);
}
- file=open_utf8(filename,O_RDONLY | O_BINARY,0);
+#if defined(O_NOFOLLOW)
+ status=IsRightsAuthorized(SystemPolicyDomain,ReadPolicyRights,"follow");
+ if (status == MagickFalse)
+ flags|=O_NOFOLLOW;
+#endif
+ file=open_utf8(filename,flags,0);
}
if (file == -1)
{
ThrowFileException(exception,BlobError,"UnableToOpenFile",filename);
return(NULL);
}
+ status=IsRightsAuthorized(PathPolicyDomain,ReadPolicyRights,filename);
+ if (status == MagickFalse)
+ {
+ file=close_utf8(file)-1;
+ errno=EPERM;
+ (void) ThrowMagickException(exception,GetMagickModule(),PolicyError,
+ "NotAuthorized","`%s'",filename);
+ return(NULL);
+ }
offset=(MagickOffsetType) lseek(file,0,SEEK_END);
count=0;
if ((file == fileno(stdin)) || (offset < 0) ||
@@ -1670,7 +1687,7 @@ MagickExport MagickBooleanType FileToImage(Image *image,const char *filename,
assert(filename != (const char *) NULL);
if (IsEventLogging() != MagickFalse)
(void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s",filename);
- status=IsRightsAuthorized(PathPolicyDomain,WritePolicyRights,filename);
+ status=IsRightsAuthorized(PathPolicyDomain,ReadPolicyRights,filename);
if (status == MagickFalse)
{
errno=EPERM;
@@ -1680,12 +1697,31 @@ MagickExport MagickBooleanType FileToImage(Image *image,const char *filename,
}
file=fileno(stdin);
if (LocaleCompare(filename,"-") != 0)
- file=open_utf8(filename,O_RDONLY | O_BINARY,0);
+ {
+ int
+ flags = O_RDONLY | O_BINARY;
+
+#if defined(O_NOFOLLOW)
+ status=IsRightsAuthorized(SystemPolicyDomain,ReadPolicyRights,"follow");
+ if (status == MagickFalse)
+ flags|=O_NOFOLLOW;
+#endif
+ file=open_utf8(filename,flags,0);
+ }
if (file == -1)
{
ThrowFileException(exception,BlobError,"UnableToOpenBlob",filename);
return(MagickFalse);
}
+ status=IsRightsAuthorized(PathPolicyDomain,ReadPolicyRights,filename);
+ if (status == MagickFalse)
+ {
+ file=close_utf8(file);
+ errno=EPERM;
+ (void) ThrowMagickException(exception,GetMagickModule(),PolicyError,
+ "NotAuthorized","`%s'",filename);
+ return(MagickFalse);
+ }
quantum=(size_t) MagickMaxBufferExtent;
if ((fstat(file,&file_stats) == 0) && (file_stats.st_size > 0))
quantum=(size_t) MagickMin(file_stats.st_size,MagickMaxBufferExtent);
@@ -3587,6 +3623,13 @@ MagickExport MagickBooleanType OpenBlob(const ImageInfo *image_info,
(void) SetStreamBuffering(image_info,blob_info);
}
}
+ if (IsRightsAuthorized(PathPolicyDomain,rights,filename) == MagickFalse)
+ {
+ errno=EPERM;
+ (void) ThrowMagickException(exception,GetMagickModule(),PolicyError,
+ "NotAuthorized","`%s'",filename);
+ return(MagickFalse);
+ }
blob_info->status=0;
blob_info->error_number=0;
if (blob_info->type != UndefinedStream)
diff --git a/config/policy-secure.xml b/config/policy-secure.xml
index 768487c58..15fb85b3f 100644
--- a/config/policy-secure.xml
+++ b/config/policy-secure.xml
@@ -108,4 +108,6 @@
<!-- Set the maximum amount of memory in bytes that are permitted for
allocation requests. -->
<policy domain="system" name="max-memory-request" value="256MiB"/>
+ <!-- If the basename of path is a symbolic link, the open fails -->
+ <policy domain="system" name="symlink" rights="none" pattern="follow"/>
</policymap>