From 58a2ce1638c7cca4db9c9a70ea841b34c8932490 Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Sat, 30 Apr 2016 14:54:43 -0400
Subject: [PATCH] Indirect filename must be authorized by policy

---
 MagickCore/property.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/MagickCore/property.c b/MagickCore/property.c
index 586359594..cddd2dc22 100644
--- a/MagickCore/property.c
+++ b/MagickCore/property.c
@@ -68,6 +68,7 @@
 #include "MagickCore/monitor.h"
 #include "MagickCore/montage.h"
 #include "MagickCore/option.h"
+#include "MagickCore/policy.h"
 #include "MagickCore/profile.h"
 #include "MagickCore/property.h"
 #include "MagickCore/quantum.h"
@@ -3286,13 +3287,21 @@ MagickExport char *InterpretImageProperties(ImageInfo *image_info,
   if (embed_text == (const char *) NULL)
     return(ConstantString(""));
   p=embed_text;
-
+  while ((isspace((int) ((unsigned char) *p)) != 0) && (*p != '\0'))
+    p++;
   if (*p == '\0')
     return(ConstantString(""));
 
   if ((*p == '@') && (IsPathAccessible(p+1) != MagickFalse))
     {
       /* handle a '@' replace string from file */
+      if (IsRightsAuthorized(PathPolicyDomain,ReadPolicyRights,p) == MagickFalse)
+        {
+          errno=EPERM;
+          (void) ThrowMagickException(exception,GetMagickModule(),PolicyError,
+            "NotAuthorized","`%s'",p);
+          return(ConstantString(""));
+        }
       interpret_text=FileToString(p+1,~0UL,exception);
       if (interpret_text != (char *) NULL)
         return(interpret_text);
-- 
2.40.0