This project has moved. For the latest updates, please go here.

Limit image formats on Magick.net

Jun 14, 2016 at 10:30 PM
As per the link below, ImageMagick supports a huge number of file formats.

http://www.imagemagick.org/script/formats.php

This could be a potential attack vector when servers allow visitors to upload any image file format. Is there a way to limit processing to certain formats only?

Example:
MagickReadSettings settings = new MagickReadSettings();
settings.AllowedFormats = "jpg,tiff,gif";
Thank you for your help.
Coordinator
Jun 16, 2016 at 4:21 AM
There is no way to set the allowed formats when reading an image. You can however disable formats by unregistering them:
foreach (var formatInfo in MagickNET.SupportedFormats)
{
  if (formatInfo.Format != MagickFormat.Jpeg &&
      formatInfo.Format != MagickFormat.Tiff &&
      formatInfo.Format != MagickFormat.Gif)
    formatInfo.Unregister();
}
When you do this you won't be able to read or write a .png file so I am not sure if this is what you want.
Jun 16, 2016 at 6:21 AM
Thank you. I am guessing if we add png in the if(formatInfo.Format) code above, we should be able to add support for png in the "approved" format list?

Also would this check affect server speed significantly? Since for each image it would have to (a) first get a list of all supported formats (100+) and (b) then check this huge list with each of the allowed formats in code above? Or would server load for this check (for every image) be negligible?
Coordinator
Jun 16, 2016 at 6:09 PM
You are correct that when you add PNG to the list you will also be able to use that. You should however only call this piece of code once at the start of your application. When you Unregister a format you won't be able to register it again. You will need to restart your application pool to reset this.