stdin for label: and caption: is not recognized

[jens.a.e]

hi,

i am using a convert pipe to render text into a png. we have been using

Code: Select all

convert label:@- output.png

successfully up to version 6.9.1-10. after upgrading to 6.9.2-4 the image suddenly only had '@-' rendered to it - the same goes for just 'label:-' resulting in a '-' rendered.
it does not happen when using the -text option. but the latter is not an option for us, sadly.
unfortunatetly i could not find any related post on the forum. i regard this a bug as it breaks with the same code from one version to another.
i tested this on OS X (homebrew install with 6.9.2-4 as well as --HEAD) as well as on windows (from the binary distributions); same effect. even with the nextgen version 7.0.0.

am i missing something? has the syntax changed to read from standard input? any pointer welcome.

thx in advance!

[fmw42]

I can confirm this on IM 6.9.2.4 Q16 Mac OSX with the following command:

Code: Select all

echo "This is a Test" | convert -size 100x100 label:"@-" show:

[magick]

We can reproduce the problem you posted and have a patch in ImageMagick 6.9.2-5 Beta, available by sometime tomorrow. Thanks.

[jens.a.e]

Saw the commit. Brilliant. Thx!

[androclus]

just FYI, for those arriving here via Google or the local search:

as of today (2016-07-05), I am still getting this errant behavior (title image only looks like "@-") on the latest imagemagick package update available from standard repositories with Ubuntu 16.04 (which is "8:6.8.9.9-7ubuntu5.1").

to get the error out, and after struggling for hours with incorrect docs online, and dependency / delegate issues for PNG, I finally was able to re-compile my own .deb file of ImageMagick-7.0.2-2, using "andrew.46"s answer at

http://askubuntu.com/questions/745660/i ... l-problems

but even that was not quite right:

- i still had to run "./configure" before "make"
- i had to run "sudo ldconfig -v" afterwards to get newly-installed libraries recognized

once my 7.0.2-2 version of ImageMagick was installed, the label:@- works perfectly again.

also, i noticed today that a new imagemagick package came down from Canonical, which replaced my 7.0-based imagemagick .deb with an older buggy version (the one listed above) again. grrrr... so apt will not let me simply reinstall the .deb i built, replying with, "A later version is already installed", even though that "later" version is based on 6.8.9.9-7, and i am trying to install a .deb i made based on 7.0.2-2. *Sigh*. so -- being a neophyte regarding apt -- i was able to get things back to 7.* by re-running checkinstall (as per the help page above) and to rebuild and re-install my custom .deb package. i guess i'll have to do this whenever a new .deb comes down from Canonical -- until this bugfix propogates through to the repos.

[fmw42]

See viewtopic.php?f=4&t=29588&p=132726&hili ... ty#p132726
and
http://www.imagemagick.org/source/policy.xml

[jens.a.e]

So, in short, this means, that it is not possible anymore to run a command like

Code: Select all

convert label:@- output.png

without a policy.xml?

[magick]

Security is a compromise between being secure and usability. If you are not concerned about indirect reads (e.g. convert label:@/etc/passwd ...), remove this policy from your policy.xml configuration file:

• <policy domain="path" rights="none" pattern="@*" />

Your command should work as expected now.

[jens.a.e]

Thanks. I totally welcome the security improvement!

[heyimalex]

The reason I was using '@-' was to avoid needing to escape the strings I want displayed. For example, I want '%b' to literally display '%b' instead of the filesize. I understand that allowing any file is a security issue, but does reading from stdin pose the same risk?

Anyways, like posters above I haven't been able to get '@-' to work even after updating policy.xml. Manually escaping strings turned out to not be too difficult: replacing '%' with '%%' does the trick, and since '@' doesn't work it doesn't need escaping, though it's kind of scary that if there's ever a change and '@' starts working again I'm vulnerable to the same issue that started all of this! Let me know if anyone finds a more bulletproof way to do things.

EDIT: Actually, I just tried running it and the command straight up hangs if you pass an '@' with the restricted policy.xml... Ugh. It looks like the release in ubuntu 16.04 is compiled without '--enable-pipes' so there's no way to get around this without recompiling. Looks like I'm gonna have to write some c today...

EDIT2: Ok, getting caption to work with magickwand looked hard so I took a second shot at escaping. Apparently backslashes work to escape, so this pseudocode should do the trick

Code: Select all

unescaped = '@ %b \%%b '
escaped = unescaped.replace('\', '\\').replace('%', '\%')
if (escaped[0] == '@') {
  escaped = '\' + escaped
}