[PostGIS] #5748: Convert uses declared insecure operations that cause builds to fail

PostGIS trac at osgeo.org
Wed Jun 19 08:28:05 PDT 2024


#5748: Convert uses declared insecure operations that cause builds to fail
---------------------+---------------------------
 Reporter:  latot    |      Owner:  pramsey
     Type:  defect   |     Status:  new
 Priority:  medium   |  Milestone:  PostGIS 3.4.3
Component:  postgis  |    Version:  3.4.x
 Keywords:           |
---------------------+---------------------------
 Hi!

 Actually, and for some time now (maybe some years), the convert utility has
 implemented security restrictions on a lot of things; they have their
 reasons to block some specific operations (PDFs, for example). While as
 users we can modify the security policy to run the commands, something
 that I think could not be right is doing something insecure on a
 build/installation which could compromise a system.

 "But we are just drawing": OK, that is true, but think that not all people
 will just draw things; there will be people who will take advantage of
 that, so the rule must work in all contexts. It is hard to filter app by
 app, per app code, to know what and how they are doing it, to know it is safe.

 Maybe an option would be to check what the security policy is and replace
 it with a safe option, or use another tool.

 ```
 convert: attempt to perform an operation not allowed by the security
 policy `@generator-YyC9Zu/draw0' @ error/string.c/FileToString/989.
 Failure return code (1) from command: convert -size 200x200 xc:none -fill
 none -stroke "#6495ED" -strokewidth 4 -draw '@generator-YyC9Zu/draw0'
 -flip generator-YyC9Zu/tmp0.pngreading styles from wkt/styles.conf
 generating de9im01.png
 ```

 Thx!
-- 
Ticket URL: <https://trac.osgeo.org/postgis/ticket/5748>
PostGIS <http://trac.osgeo.org/postgis/>
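As an added example, not code from the ticket or from PostGIS: a small POSIX shell check for the ImageMagick policy rule behind the error above (a `path` policy with rights `none` matching `@*`), together with a way to pass the draw primitives inline so the build does not need a loosened policy. The policy text, the draw file and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the ticket or from PostGIS: detect the
# ImageMagick policy rule that refuses "@file" indirect reads, and build the
# -draw argument inline instead of relying on a weakened policy.

# Constructed sample policy.xml text, modelled on the stock restrictive rule
# ImageMagick ships (domain "path", rights "none", pattern "@*").
RESTRICTIVE_POLICY='<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>'

# Constructed policy with the @* rule removed (a loosened system policy).
PERMISSIVE_POLICY='<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
</policymap>'

# policy_blocks_indirect_reads TEXT
# Returns 0 when TEXT contains a <policy> element whose domain is "path",
# rights is "none" and pattern is "@*"; attribute order does not matter.
policy_blocks_indirect_reads() {
  printf '%s\n' "$1" | grep '<policy' | grep 'domain="path"' \
    | grep 'rights="none"' | grep -q 'pattern="@\*"'
}

# inline_draw_arg FILE
# Prints the drawing primitives stored in FILE as one argument, so a build can
# run: convert ... -draw "$(inline_draw_arg draw0)" instead of -draw '@draw0'.
# The shell reads the file, not convert, so the path policy never applies.
inline_draw_arg() {
  tr '\n' ' ' < "$1" | sed 's/ *$//'
}

# Self-check on the constructed data: write a draw file, inline it, and report
# whether the restrictive policy would have blocked the @file form.
demo() {
  tmp=$(mktemp) || return 1
  printf 'circle 100,100 100,150\nline 10,10 190,190\n' > "$tmp"
  arg=$(inline_draw_arg "$tmp")
  rm -f "$tmp"
  if policy_blocks_indirect_reads "$RESTRICTIVE_POLICY"; then
    echo "policy blocks @file reads; use: -draw \"$arg\""
  fi
  # On a real host the effective policy can be listed with: convert -list policy
}
```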