[rt.cpan.org #68910] write a brief security overview

diff --git a/Imager.pm b/Imager.pm
index 7650a46e9479bda73d82f1d3b98ccd73e43fcb8a..8dd3e8b8004629f1ae3900f4b1d28f5eb1ef3e8d 100644 (file)
--- a/Imager.pm
+++ b/Imager.pm
@@ -4364,6 +4364,10 @@ L<Imager::Inline> - using Imager's C API from Inline::C
 
 L<Imager::ExtUtils> - tools to get access to Imager's C API.
 
+=item *
+
+L<Imager::Security> - brief security notes.
+
 =back
 
 =head2 Basic Overview
@@ -4785,6 +4789,8 @@ saving an image - L<Imager::Files>
 
 scaling - L<Imager::Transformations/scale()>
 
+security - L<Imager::Security>
+
 SGI files - L<Imager::Files/"SGI (RGB, BW)">
 
 sharpen - L<Imager::Filters/unsharpmask>, L<Imager::Filters/conv>

diff --git a/MANIFEST b/MANIFEST
index 83b363703b9444ad23be9c16da9b418c06e44a5a..67abad36070dbbd4a20d7648b679f901f43511e1 100644 (file)
--- a/MANIFEST
+++ b/MANIFEST
@@ -197,6 +197,7 @@ lib/Imager/Preprocess.pm
 lib/Imager/Probe.pm            Library probes
 lib/Imager/regmach.pod
 lib/Imager/Regops.pm
+lib/Imager/Security.pod
 lib/Imager/Test.pm
 lib/Imager/Transform.pm
 lib/Imager/Transformations.pod

diff --git a/lib/Imager/Security.pod b/lib/Imager/Security.pod
new file mode 100644 (file)
index 0000000..f0afa55
--- /dev/null
+++ b/lib/Imager/Security.pod
@@ -0,0 +1,74 @@
+=head1 NAME
+
+Imager::Security - brief notes on security and image processing
+
+=head1 SYNOPSIS
+
+  # keep abreast of security updates
+  apt-get update && apt-get upgrade
+  yum upgrade
+  pkgin update && pkgin upgrade
+  # or local equivalent
+
+  # limit memory use
+  use Imager;
+  # only images that use up to 10MB
+  Imager->set_file_limits(bytes => 10_000_000);
+
+=head1 DESCRIPTION
+
+There's two basic security considerations when dealing with images
+from an unknown source:
+
+=over
+
+=item *
+
+keeping your libraries up to date
+
+=item *
+
+limiting the amount of memory used to store images
+
+=back
+
+=head2 Keeping libraries up to date
+
+Image file format libraries such as C<libpng> or C<libtiff> have
+relatively frequent security updates, keeping your libraries up to
+date is basic security.
+
+If you're using user supplied fonts, you will need to keep your font
+libraries up to date too.
+
+=head2 Limiting memory used
+
+With compression, and especially with pointer formats like TIFF, it's
+possible to store very large images in a relatively small file.
+
+If you're receiving image data from an untrusted source you should
+limit the amount of memory that Imager can allocate for a read in
+image file using the C<set_file_limits()> method.
+
+  Imager->set_file_limits(bytes => 10_000_000);
+
+You may also want to limit the maximum width and height of images read
+from files:
+
+  Imager->set_file_limits(width => 10_000, height => 10_000,
+                          bytes => 10_000_000);
+
+This has no effect on images created without a file:
+
+  # succeeds
+  my $image = Imager->new(xsize => 10_001, ysize => 10_001);
+
+You can reset to the defaults with:
+
+  Imager->set_file_limits(reset => 1);
+
+=head1 AUTHOR
+
+Tony Cook <tonyc@cpan.org>
+
+=cut