From 630cb567239b90b48ec194215997969313988887 Mon Sep 17 00:00:00 2001
From: Cristy
Date: Fri, 27 Jan 2017 18:52:14 -0500
Subject: [PATCH] Support policy rights of "All"
---
 MagickCore/constitute.c | 61 ++++++++++++++++++++---------------------
 MagickCore/option.c | 3 +-
 MagickCore/policy.c | 17 +++++-------
 MagickCore/policy.h | 3 +-
 4 files changed, 41 insertions(+), 43 deletions(-)
diff --git a/MagickCore/constitute.c b/MagickCore/constitute.c
index 7c943d28e..7c193b6b5 100644
--- a/MagickCore/constitute.c
+++ b/MagickCore/constitute.c
@@ -388,12 +388,6 @@ MagickExport Image *ReadImage(const ImageInfo *image_info,
 MagickStatusType
 flags;
- PolicyDomain
- domain;
-
- PolicyRights
- rights;
-
 /*
 Determine image type from filename prefix or suffix (e.g. image.jpg).
 */
@@ -409,16 +403,6 @@ MagickExport Image *ReadImage(const ImageInfo *image_info,
 (void) SetImageInfo(read_info,0,exception);
 (void) CopyMagickString(filename,read_info->filename,MagickPathExtent);
 (void) CopyMagickString(magick,read_info->magick,MagickPathExtent);
- domain=CoderPolicyDomain;
- rights=ReadPolicyRights;
- if (IsRightsAuthorized(domain,rights,read_info->magick) == MagickFalse)
- {
- errno=EPERM;
- (void) ThrowMagickException(exception,GetMagickModule(),PolicyError,
- "NotAuthorized","`%s'",read_info->filename);
- read_info=DestroyImageInfo(read_info);
- return((Image *) NULL);
- }
 /*
 Call appropriate image reader based on image type.
 */
@@ -427,6 +411,22 @@ MagickExport Image *ReadImage(const ImageInfo *image_info,
 sans_exception=DestroyExceptionInfo(sans_exception);
 if (magick_info != (const MagickInfo *) NULL)
 {
+ PolicyDomain
+ domain;
+
+ PolicyRights
+ rights;
+
+ domain=CoderPolicyDomain;
+ rights=ReadPolicyRights;
+ if (IsRightsAuthorized(domain,rights,magick_info->module) == MagickFalse)
+ {
+ errno=EPERM;
+ (void) ThrowMagickException(exception,GetMagickModule(),PolicyError,
+ "NotAuthorized","`%s'",read_info->filename);
+ read_info=DestroyImageInfo(read_info);
+ return((Image *) NULL);
+ }
 if (GetMagickEndianSupport(magick_info) == MagickFalse)
 read_info->endian=UndefinedEndian;
 else
@@ -986,12 +986,6 @@ MagickExport MagickBooleanType WriteImage(const ImageInfo *image_info,
 status,
 temporary;
- PolicyDomain
- domain;
-
- PolicyRights
- rights;
-
 /*
 Determine image type from filename prefix or suffix (e.g. image.jpg).
 */
@@ -1013,15 +1007,6 @@ MagickExport MagickBooleanType WriteImage(const ImageInfo *image_info,
 (void) CopyMagickString(filename,image->filename,MagickPathExtent);
 (void) CopyMagickString(image->filename,write_info->filename,
 MagickPathExtent);
- domain=CoderPolicyDomain;
- rights=WritePolicyRights;
- if (IsRightsAuthorized(domain,rights,write_info->magick) == MagickFalse)
- {
- sans_exception=DestroyExceptionInfo(sans_exception);
- write_info=DestroyImageInfo(write_info);
- errno=EPERM;
- ThrowBinaryException(PolicyError,"NotAuthorized",filename);
- }
 /*
 Call appropriate image writer based on image type.
 */
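Review bot: A format for which `magick_info` is NULL now skips the coder policy check in ReadImage (the `@@ -427` hunk), because `IsRightsAuthorized` is only called inside `if (magick_info != (const MagickInfo *) NULL)`; the `WritePolicyRights` check in the `@@ -1029` hunk of WriteImage has the same shape. The pattern also changes from `read_info->magick` to `magick_info->module`, so a policy entry written against a format name keeps matching only if the module carries the same name, which these lines do not show. If both are intended, say so above the check, e.g. `/* coder policy is matched on the module name; no MagickInfo entry means no check here */`, and flag the change for administrators maintaining existing policy files. The path taken when `magick_info` is NULL lies outside the hunk, so whether another check covers it cannot be confirmed from here.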
@@ -1029,6 +1014,20 @@ MagickExport MagickBooleanType WriteImage(const ImageInfo *image_info,
 sans_exception=DestroyExceptionInfo(sans_exception);
 if (magick_info != (const MagickInfo *) NULL)
 {
+ PolicyDomain
+ domain;
+
+ PolicyRights
+ rights;
+
+ domain=CoderPolicyDomain;
+ rights=WritePolicyRights;
+ if (IsRightsAuthorized(domain,rights,magick_info->module) == MagickFalse)
+ {
+ write_info=DestroyImageInfo(write_info);
+ errno=EPERM;
+ ThrowBinaryException(PolicyError,"NotAuthorized",filename);
+ }
 if (GetMagickEndianSupport(magick_info) == MagickFalse)
 image->endian=UndefinedEndian;
 else
diff --git a/MagickCore/option.c b/MagickCore/option.c
index eb7d4f169..276b88261 100644
--- a/MagickCore/option.c
+++ b/MagickCore/option.c
@@ -1559,10 +1559,11 @@ static const OptionInfo
 PolicyRightsOptions[] =
 {
 { "Undefined", UndefinedPolicyRights, UndefinedOptionFlag, MagickTrue },
+ { "All", AllPolicyRights, UndefinedOptionFlag, MagickFalse },
+ { "Execute", ExecutePolicyRights, UndefinedOptionFlag, MagickFalse },
 { "None", NoPolicyRights, UndefinedOptionFlag, MagickFalse },
 { "Read", ReadPolicyRights, UndefinedOptionFlag, MagickFalse },
 { "Write", WritePolicyRights, UndefinedOptionFlag, MagickFalse },
- { "Execute", ExecutePolicyRights, UndefinedOptionFlag, MagickFalse },
 { (char *) NULL, UndefinedPolicyRights, UndefinedOptionFlag, MagickFalse }
 },
 PreviewOptions[] =
diff --git a/MagickCore/policy.c b/MagickCore/policy.c
index 433cf85ec..ee81b3208 100644
--- a/MagickCore/policy.c
+++ b/MagickCore/policy.c
@@ -593,20 +593,17 @@ MagickExport MagickBooleanType IsRightsAuthorized(const PolicyDomain domain,
 LockSemaphoreInfo(policy_semaphore);
 ResetLinkedListIterator(policy_cache);
 p=(PolicyInfo *) GetNextValueInLinkedList(policy_cache);
- while ((p != (PolicyInfo *) NULL) && (authorized != MagickFalse))
+ while (p != (PolicyInfo *) NULL)
 {
 if ((p->domain == domain) &&
 (GlobExpression(pattern,p->pattern,MagickFalse) != MagickFalse))
 {
- if (((rights & ReadPolicyRights) != 0) &&
- ((p->rights & ReadPolicyRights) == 0))
- authorized=MagickFalse;
- if (((rights & WritePolicyRights) != 0) &&
- ((p->rights & WritePolicyRights) == 0))
- authorized=MagickFalse;
- if (((rights & ExecutePolicyRights) != 0) &&
- ((p->rights & ExecutePolicyRights) == 0))
- authorized=MagickFalse;
+ if ((rights & ReadPolicyRights) != 0)
+ authorized=(p->rights & ReadPolicyRights) != 0;
+ if ((rights & WritePolicyRights) != 0)
+ authorized=(p->rights & WritePolicyRights) != 0;
+ if ((rights & ExecutePolicyRights) != 0)
+ authorized=(p->rights & ExecutePolicyRights) != 0;
 }
 p=(PolicyInfo *) GetNextValueInLinkedList(policy_cache);
 }
diff --git a/MagickCore/policy.h b/MagickCore/policy.h
index d6e6bfce5..d4657f55d 100644
--- a/MagickCore/policy.h
+++ b/MagickCore/policy.h
@@ -43,7 +43,8 @@ typedef enum
 NoPolicyRights = 0x00,
 ReadPolicyRights = 0x01,
 WritePolicyRights = 0x02,
- ExecutePolicyRights = 0x04
+ ExecutePolicyRights = 0x04,
+ AllPolicyRights = 0xff
 } PolicyRights;
 typedef struct _PolicyInfo
--
2.40.0
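Review bot: A request mask with more than one bit set is decided by the last bit tested in the `@@ -593` hunk of IsRightsAuthorized, because each of the three `if` statements overwrites `authorized`; a policy granting only Execute would authorize a Read|Execute request. Testing the mask as a whole avoids this: `authorized=((p->rights & rights) == rights) ? MagickTrue : MagickFalse;`. Dropping `authorized != MagickFalse` from the loop condition also means the last matching entry in `policy_cache` decides, so a broad allow listed after a specific deny re-enables what the deny blocked; that ordering rule deserves a comment above the loop such as `/* the last matching policy decides */`. Whether any caller passes a combined mask, and the initial value of `authorized`, are outside the hunk.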