问题描述

我目前在PHP上使用Imagick库，并使用Image Magick的调整大小功能.我刚刚了解了减压炸弹以及ImageMagick如何容易受到这种攻击.

I currently use Imagick library on PHP and use the resizing functionality of Image Magick. I've just learned about decompression bombs and how ImageMagick is vulnerable to it.

我已经检查了如何在不实际将其加载到内存/磁盘中的情况下对图像执行ping操作并验证图像的尺寸.限制ImageMagick的内存和磁盘限制也比较安全，这样就不会只是在磁盘上写一个大文件.

I have checked how we can ping the image and verify the dimensions of the image without actually loading it into memory/disk. It's also safer to limit the memory and disk limits of ImageMagick so it wouldn't just write a huge file on disk.

我已阅读并且可以使用setResourceLimit()做到这一点. http://php.net/manual/en/imagick.setresourcelimit.php

I've read and I can do that with setResourceLimit().http://php.net/manual/en/imagick.setresourcelimit.php

IMagick::setResourceLimit(IMagick::RESOURCETYPE_MEMORY , 100);
IMagick::setResourceLimit(IMagick::RESOURCETYPE_DISK , 100);

$thumb = new Imagick('image.png');
$thumb->resizeImage(320,240,Imagick::FILTER_LANCZOS,1);

但是，发生的事情是在设置磁盘和内存的限制之后，如果映像确实达到了此限制，我得到的只是一个分割错误错误，不会引发任何异常.这使我无法正确处理它.

However, what happens is that after setting the limit of disk and memory, if an image does hit this limit, all I get is a segmentation fault error, no exceptions are thrown. This makes it impossible for me to handle it properly.

更新:

以下是我正在使用的软件包版本:

Here are the package versions I'm using:

dpkg -l | grep magick
ii  imagemagick-common                    8:6.6.9.7-5ubuntu3.3              image manipulation programs -- infrastructure
ii  libmagickcore4                        8:6.6.9.7-5ubuntu3.3              low-level image manipulation library
ii  libmagickwand4                        8:6.6.9.7-5ubuntu3.3              image manipulation library
ii  php5-imagick                          3.1.0~rc1-1                       ImageMagick module for php5

推荐答案

设置资源区域"限制仅设置不保存在内存中的图像的大小，而是将其分页到磁盘.如果要使用该设置来实际限制可以打开的最大大小的映像，则还需要设置资源磁盘"限制.

Setting the 'Resource Area' limit only sets the size at which images are not held in memory, and instead are paged to disk. If you want to use that setting to actually restrict the maximum size image that can be openend, you also need to set the 'Resource Disk' limit.

下面的代码正确地给出了所拍摄图像炸弹的内存分配错误从这里.

The code below correctly gives a memory allocation error for the image bombs taken from here.

try {
    Imagick::setResourceLimit(Imagick::RESOURCETYPE_AREA, 2000 * 2000);
    Imagick::setResourceLimit(Imagick::RESOURCETYPE_DISK, 2000 * 2000);

    $imagick = new Imagick("./picture-100M-6000x6000.png");
    $imagick->modulateImage(100, 50, 120);
    $imagick->writeImage("./output.png");

    echo "Complete";
}
catch(\Exception $e) {
    echo "Exception: ".$e->getMessage()."\n";
}

输出为:

如果要设置宽度和高度资源，并使用ImageMagick> = 6.9.0-1版本，则应该可以直接使用WidthResource = 9的值，HeightResource = 10

If you want to set the width and height resource, and have a version of ImageMagick >= 6.9.0-1 you should be able to using the values directly of WidthResource = 9, HeightResource = 10

//Set max image width of 2000
Imagick::setResourceLimit(9, 2000);
//Set max image height of 1000
Imagick::setResourceLimit(10, 1000);

这些不必通过编程方式进行设置，您可以通过 policy.xml 与ImageMagick一起安装的文件.如果程序中未设置任何文件，ImageMagick会读取该文件并使用这些设置-这可能是一种更方便的设置方法，因为您可以在每台计算机上进行更改.

These don't have to be set programmatically, you can set them through the policy.xml file installed with ImageMagick. ImageMagick reads that file and uses those settings if none are set in a program - which may be a more convenient way of setting them, as you can change them per machine.

这使您无法在同一过程中处理 .您可以通过在后台任务中运行图像处理来很好地处理它.

It makes it impossible for you to handle it in the same process. You can handle it just fine by running the image processing in a background task.

我个人认为，无论如何，在由Web浏览器直接访问的服务器中使用Imagick都是很疯狂的.将它作为后台任务运行(由类似 http://supervisord.org/进行管理)要安全得多.并通过需要处理的作业队列与该后台任务进行通信.

Personally I think anyway that uses Imagick in a server that is accessed directly by web-browsers is nuts. It is far safer to run it in as a background task (managed by something like http://supervisord.org/) and communicating with that background task via a queue of jobs that need to be processed.

不仅解决了不良图像可能导致我的网站瘫痪"的问题，而且还使监视资源使用情况或将图像处理转移到CPU速度比Web前端服务器更快的计算机上变得更加容易.需求.

Not only does that solve the 'bad images can bring down my website' problem, it also makes it far easier to monitor resource usage, or shift the image processing to a machine with a faster CPU than a web-front end server needs.

来源-我是Imagick扩展程序的维护者，我最近将其添加到了Imagick自述文件中:

Source - I'm the maintainer of the Imagick extension and I recently added this to the Imagick readme:

PHP扩展Imagick通过调用ImageMagick库来工作.尽管ImageMagick开发人员在避免bug时还是非常小心，在代码中不可避免地会出现一些错误.图像魔术还使用了很多第三方库来打开，阅读和操作文件.这些库的作者在编写时也要小心他们的代码.但是每个人都会犯错误，并且不可避免地会有错误出现一些错误.

The PHP extension Imagick works by calling the ImageMagick library. Although the ImageMagick developers take good care in avoiding bugs it is inevitable that some bugs will be present in the code. ImageMagick also uses a lot of third party libraries to open, read and manipulate files. The writers of these libraries also take care when writing their code. However everyone makes mistakes and there will inevitably be some bugs present.

因为使用ImageMagick来处理图像，这是可行的供黑客创建包含无效数据的映像，以尝试利用这些错误.因此，我们建议以下内容:

Because ImageMagick is used to process images it is feasibly possible for hackers to create images that contain invalid data to attempt to exploit these bugs. Because of this we recommend the following:

1)不要在可直接从中访问的服务器中运行Imagick在您的网络之外.最好将其用作背景使用SupervisorD之类的任务或单独运行不能直接在Internet上访问的服务器.

1) Do not run Imagick in a server that is directly accessible from outside your network. It is better to either use it as a background task using something like SupervisorD or to run it in a separate server that is not directly access on the internet.

这样做将使黑客难以利用漏洞，甚至如果ImageMagick使用的库中应该存在一个.

Doing this will make it difficult for hackers to exploit a bug, even if one should exist in the libraries that ImageMagick is using.

2)将其作为特权级别非常低的进程运行.尽可能的Imagick的PHP脚本可访问的文件和系统资源正在被调用，应该被锁定.

2) Run it as a very low privileged process. As much as possible the files and system resources accessible to the PHP script that Imagick is being called from should be locked down.

3)检查图像处理结果是否为有效的图像文件在向用户显示之前.在极不可能的情况下黑客能够通过管道将任意文件传输到Imagick的输出中，检查它是一个图像文件，而不是您的源代码发送的应用程序是明智的预防措施.

3) Check the result of the image processing is a valid image file before displaying it to the user. In the extremely unlikely event that a hacker is able to pipe arbitrary files to the output of Imagick, checking that it is an image file, and not the source code of your application that is being sent, is a sensible precaution.

这篇关于如何使用ImageMagick防止图像炸弹?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！