Security
========

The authors & contributors of the :mod:`Wand` module, ImageMagick library, and
all the third party image delegates make a genuine effort to release stable
code. However, there is a trade-off between convenience and a secure
environment, and everyone makes honest mistakes. Ensure you're using the latest
library versions, and that the system is up to date with security patches. If
you are using :mod:`Wand` to process images from the public, then you **must**
be more vigilant.

- Never use :mod:`Wand` directly within an HTTP service, or on any server with
  public access. A simple queue-based background worker can be used.
  For example: `Celery`_, `Redis`_, or Amazon's `SQS`_, but there are many
  others.
- Update the ``policy.xml`` on the system, and reduce the resource limits to
  something reasonable for your system.

  .. code:: xml

- Update the ``policy.xml`` on the system to restrict any formats that are
  unused, or have a history of abuse.

  .. code:: xml

- Check the "`magick bytes`_" of all untrusted files before processing. Never
  assume that the file extension suffix, or MIME type, is good enough.
  For example::

      from wand.image import Image

      def assert_png(filename):
          """Ensure the file at a given path has the PNG magic-number
          header. Throw an `AssertionError` if it does not match.
          """
          PNG_HEADER = [
              0x89, 0x50, 0x4E, 0x47,
              0x0D, 0x0A, 0x1A, 0x0A
          ]
          # Read only the first eight bytes; a file of any size is fine.
          with open(filename, 'rb') as fd:
              file_header = list(fd.read(8))
          assert file_header == PNG_HEADER

      try:
          assert_png(user_file)
          # The 'png:' prefix pins the coder, so ImageMagick will not
          # re-detect the format from the file contents.
          with Image(filename='png:' + user_file) as img:
              pass  # ... do work ...
      except AssertionError:
          pass  # ... handle exception ...

- Ensure that any Python code is invoked with a low-privileged system user.
- Ensure filenames are sanitized.
- Ensure filenames are prefixed with the coder protocol.

  .. code:: python

      with Image(filename='png:input.png') as img:
          pass  # ... do work ...

- Ensure error handling is in place. Expect
  :class:`~wand.exceptions.PolicyError`
  exceptions if a file format was banned, and
  :class:`~wand.exceptions.ResourceLimitError` if the system
  is unable to allocate additional memory/disk resources.
  Both can be configured by the :file:`policy.xml` listed above.

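The two ``policy.xml`` bullets above describe what a hardened policy should
contain but the XML itself is easy to get subtly wrong (a limit left commented
out, a coder missing from the deny pattern). The following audit script is an
added example, not part of Wand or ImageMagick. It assumes the stock
``policy.xml`` layout (a ``<policymap>`` root with ``<policy domain="..."
name="..." value="..." pattern="..." rights="..."/>`` children) and uses a
deny-list of coders chosen for this example; adjust ``EXPECTED_LIMITS`` and
``DENY_CODERS`` to your own baseline. The two sample policies are constructed
for the demonstration.

```python
"""Audit an ImageMagick policy.xml for resource limits and denied coders.

Added example (not Wand's or ImageMagick's code).  Assumes the stock
policy.xml layout: <policymap> root, <policy .../> children.
"""
import xml.etree.ElementTree as ET

# Resources this audit expects to be capped.  Stock policy.xml ships these
# commented out, so a missing entry is reported as a finding.
EXPECTED_LIMITS = ("memory", "map", "disk", "width", "height", "area", "time")

# Coders this audit expects to carry rights="none".  Assumed list for the
# example: the PostScript/PDF family is rendered by Ghostscript, the rest are
# scripting, display or network coders an upload worker does not need.
DENY_CODERS = ("PS", "PS2", "PS3", "EPS", "PDF", "XPS",
               "MSL", "MVG", "TEXT", "SHOW", "WIN", "PLT", "URL", "HTTPS")

# Constructed sample: limits commented out, only PDF denied.
WEAK_POLICY = """<policymap>
  <!-- <policy domain="resource" name="memory" value="256MiB"/> -->
  <policy domain="resource" name="thread" value="2"/>
  <policy domain="coder" rights="none" pattern="PDF"/>
</policymap>"""

# Constructed sample: every expected limit set, deny-list covered.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="map" value="512MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <policy domain="resource" name="width" value="16KP"/>
  <policy domain="resource" name="height" value="16KP"/>
  <policy domain="resource" name="area" value="128MP"/>
  <policy domain="resource" name="time" value="120"/>
  <policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}"/>
  <policy domain="coder" rights="none" pattern="{MSL,MVG,TEXT,SHOW,WIN,PLT}"/>
  <policy domain="coder" rights="none" pattern="{URL,HTTPS}"/>
</policymap>"""


def _expand_pattern(pattern):
    """Turn 'PDF' or '{PS,PDF,XPS}' into a set of upper-case coder names."""
    return {p.strip().upper() for p in pattern.strip("{}").split(",") if p.strip()}


def audit_policy(xml_text):
    """Return a list of findings; an empty list means both checks pass."""
    root = ET.fromstring(xml_text)
    limited, denied = set(), set()
    for policy in root.iter("policy"):
        domain = policy.get("domain")
        if domain == "resource" and policy.get("value") is not None:
            limited.add(policy.get("name"))
        elif domain == "coder" and policy.get("rights") == "none":
            denied |= _expand_pattern(policy.get("pattern", ""))
    findings = []
    for name in EXPECTED_LIMITS:
        if name not in limited:
            findings.append("resource %r has no limit" % name)
    if "*" not in denied:  # pattern="*" with rights="none" denies every coder
        for coder in DENY_CODERS:
            if coder not in denied:
                findings.append("coder %s is not denied" % coder)
    return findings


def audit_policy_file(path):
    """Audit the policy.xml at `path` (e.g. /etc/ImageMagick-6/policy.xml)."""
    with open(path, "rb") as fd:
        return audit_policy(fd.read())


if __name__ == "__main__":
    for label, text in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print("%s policy: %d finding(s)" % (label, len(audit_policy(text))))
        for finding in audit_policy(text):
            print("  -", finding)
```

Run ``audit_policy_file`` against the path ImageMagick actually loads
(``convert -list policy`` prints it) rather than a copy in your repository, so
the audit reflects what the worker process will see.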
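The magic-byte, filename, coder-prefix and error-handling bullets above are
steps of one worker procedure. The script below puts them together as an added
example; it is not Wand's code. The signature table, the sanitizing rules and
the ``process_upload`` flow are assumptions for the example, and it raises
``ValueError`` rather than using ``assert`` because ``assert`` statements are
stripped when Python runs with ``-O``. The sample files it writes are
constructed (real headers, throwaway bodies), so only the rejection paths are
exercised against Wand.

```python
"""Magic-byte sniffing, filename sanitizing and policy-aware error handling
for a background image worker.  Added example, not part of Wand."""
import os
import re
import tempfile

# Allow-list of formats this worker accepts (assumed for the example).
# Key is the ImageMagick coder name; value lists the leading byte signatures.
SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
MAX_SIGNATURE_LEN = max(len(s) for sigs in SIGNATURES.values() for s in sigs)
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]")


def sniff_format(filename):
    """Return the coder name whose signature matches the file header, or None."""
    with open(filename, "rb") as fd:
        header = fd.read(MAX_SIGNATURE_LEN)
    for coder, sigs in SIGNATURES.items():
        if any(header.startswith(sig) for sig in sigs):
            return coder
    return None


def sanitize_filename(name):
    """Keep only the base name, replace unsafe characters, refuse dotfiles."""
    base = _UNSAFE.sub("_", os.path.basename(name)).lstrip(".")
    if not base:
        raise ValueError("empty filename after sanitizing")
    return base


def coder_path(filename, expected=None):
    """Sniff the header and return the 'coder:path' string to hand to Wand.
    The extension is ignored; if `expected` is given the header must match it."""
    coder = sniff_format(filename)
    if coder is None:
        raise ValueError("unrecognised or disallowed file header")
    if expected is not None and coder != expected:
        raise ValueError("header says %s, caller expected %s" % (coder, expected))
    return "%s:%s" % (coder, filename)


def process_upload(filename, expected=None):
    """Worker entry point: validate first, then open with Wand and map the two
    policy.xml-driven exceptions to a status string instead of crashing."""
    try:
        target = coder_path(filename, expected)
    except ValueError as exc:
        return "rejected: %s" % exc
    try:
        from wand.image import Image
        from wand.exceptions import PolicyError, ResourceLimitError
    except ImportError:
        return "skipped: wand not installed"
    try:
        with Image(filename=target) as img:
            return "ok: %dx%d" % (img.width, img.height)
    except PolicyError:
        return "rejected: format banned by policy.xml"
    except ResourceLimitError:
        return "rejected: resource limit from policy.xml exceeded"


def make_samples():
    """Write three constructed files into a temp dir and return their paths."""
    directory = tempfile.mkdtemp(prefix="wand-sec-")
    contents = {
        "png": ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        "gif": ("misnamed.jpg", b"GIF89a" + b"\x00" * 16),  # GIF bytes, .jpg name
        "text": ("notes.png", b"hello, not an image"),      # .png name, no image
    }
    paths = {}
    for key, (name, data) in contents.items():
        paths[key] = os.path.join(directory, sanitize_filename(name))
        with open(paths[key], "wb") as fd:
            fd.write(data)
    return paths


if __name__ == "__main__":
    for key, path in make_samples().items():
        print(key, "->", sniff_format(path), "|", process_upload(path))
```

The worker trusts ``sniff_format`` over both the extension and the declared
MIME type, and the coder prefix it builds stops ImageMagick from re-detecting
the format on its own; a misnamed ``.jpg`` that is really a GIF is opened as
``gif:``, and a ``.png`` that is not an image never reaches ImageMagick.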
.. _Celery: http://www.celeryproject.org/
.. _Redis: https://redis.io/
.. _SQS: https://aws.amazon.com/sqs/
.. _magick bytes: https://en.wikipedia.org/wiki/Magic_number_(programming)#Format_indicators