Opened 11 days ago

#5748 new defect

Convert uses declared insecure operations that cause builds to fail

Reported by: latot Owned by: pramsey
Priority: medium Milestone: PostGIS 3.4.3
Component: postgis Version: 3.4.x
Keywords: Cc:

Description

Hi!

Currently, and for some time (maybe some years), the convert utility has implemented security restrictions on a lot of things. They have their reasons to block some specific operations (for example, some of them for PDFs). While as users we can modify the security policy to run the commands, something that I think may not be right is doing something insecure in a build/installation, which could compromise a system.

"But we are just drawing": OK, that is true, but not all people will just draw things; there will be people who will take advantage of that. Because of that, the rule must work in all contexts; it is hard to filter app by app, code by code, to know what they are doing and how, to know it is safe.

Maybe an option would be to check what the security policy is and replace it with a safe option, or use another tool.

```
convert: attempt to perform an operation not allowed by the security policy `@generator-YyC9Zu/draw0' @ error/string.c/FileToString/989.
Failure return code (1) from command: convert -size 200x200 xc:none -fill none -stroke "#6495ED" -strokewidth 4 -draw '@generator-YyC9Zu/draw0' -flip generator-YyC9Zu/tmp0.png
reading styles from wkt/styles.conf
generating de9im01.png
```

Thx!
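Added example, not part of the ticket or of PostGIS code: a build-time preflight that reads an ImageMagick `policy.xml` and reports which `-draw` arguments a `path` rule would reject. It assumes the failure comes from a rule such as `<policy domain="path" rights="none" pattern="@*"/>` (the ticket does not show the policy in use); the sample policy and the function names are constructed for illustration.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample in the policy.xml format; not taken from the ticket.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
  <policy domain="path" rights="none" pattern="@*"/>
</policymap>"""


def read_allowed(rights):
    """True if a rights string such as 'none' or 'read|write' grants read."""
    granted = {r.strip().lower() for r in rights.replace(",", "|").split("|")}
    return bool(granted & {"read", "all"})


def blocking_path_rules(policy_xml, argument):
    """Return patterns of path rules that match `argument` and deny read.

    Simplification: fnmatch stands in for ImageMagick's own glob matcher,
    and rule ordering/overrides across several policy files are ignored.
    """
    blocked = []
    for rule in ET.fromstring(policy_xml).iter("policy"):
        rights = rule.get("rights")
        if rule.get("domain", "").lower() != "path" or rights is None:
            continue
        pattern = rule.get("pattern", "")
        if fnmatch.fnmatchcase(argument, pattern) and not read_allowed(rights):
            blocked.append(pattern)
    return blocked


def preflight(policy_xml, draw_args):
    """Map each rejected -draw argument to the rules that would reject it."""
    report = {arg: blocking_path_rules(policy_xml, arg) for arg in draw_args}
    return {arg: rules for arg, rules in report.items() if rules}


if __name__ == "__main__":
    # '@generator-YyC9Zu/draw0' is the argument from the ticket's failing command.
    args = ["@generator-YyC9Zu/draw0", "line 0,0 10,10"]
    for arg, rules in preflight(SAMPLE_POLICY, args).items():
        print(f"blocked by path rule(s) {rules}: {arg}")
```

Under such a policy only the `@file` indirection is flagged; draw primitives passed inline on the command line do not match the `@*` pattern.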

Change History (0)
