imagick / php-src

This project forked from php/php-src

The PHP Interpreter

Home Page: https://www.php.net

License: Other

Shell 0.26% JavaScript 0.17% C++ 0.31% C 73.16% PHP 25.03% Lua 0.24% Assembly 0.18% Awk 0.01% XSLT 0.01% GAP 0.02% Makefile 0.03% HTML 0.01% DTrace 0.01% Batchfile 0.01% Yacc 0.08% Lex 0.09% M4 0.37% GDB 0.01% Roff 0.03%

php-src's Introduction

🌈🌈 Imagick 🌈🌈

Imagick is a PHP extension to create and modify images using the ImageMagick library. There is also a version of Imagick available for HHVM. Although the two extensions are mostly compatible in their API, and they both call the ImageMagick library, the two extensions are completely separate code-bases.

PHP Imagick

Bugs can also be reported at https://bugs.php.net but may have a slower response time.

HHVM Imagick

Installation on Linux

The best way of installing Imagick is through a package manager e.g. apt, yum, brew, as they will also install ImageMagick for you.

If you need to compile Imagick from source, first you should install ImageMagick, at least version 6.2.4 but it is STRONGLY recommended to use a more recent version due to the many bug fixes in it.

Once ImageMagick is installed, the following commands will compile and install Imagick:

git clone https://github.com/Imagick/imagick
cd imagick
phpize && ./configure
make
make install

You will also need to add extension=imagick.so to your PHP ini file to make PHP load the extension.

Installing on Windows

For Windows please install both Imagick and the underlying ImageMagick library from:

Once compiled, Imagick should be run with the same version of ImageMagick that it was compiled against. Running against a different version of ImageMagick is known to cause stability issues, and so is not recommended or supported.

NixOS

If using Imagick on NixOS, you probably want to define FONTCONFIG_FILE to avoid a warning message when loading fonts, and MAGICK_CONFIGURE_PATH to have all the information available from Imagick::getConfigureOptions().

Examples

Almost all of the functions in the library have an example at www.phpimagick.com, where you can see the example code to call the function, as well as the generated image or output.

ImageMagick

ImageMagick, the library that the Imagick extension exposes to PHP, has had many bug fixes that have resolved many image corruption issues. We strongly recommend upgrading to the latest version (greater than 6.9.1 or 7.x) if at all possible.

Security

The PHP extension Imagick works by calling the ImageMagick library. Although the ImageMagick developers take good care in avoiding bugs it is inevitable that some bugs will be present in the code. ImageMagick also uses a lot of third party libraries to open, read and manipulate files. The writers of these libraries also take care when writing their code. However everyone makes mistakes and there will inevitably be some bugs present.

Because ImageMagick is used to process images it is feasibly possible for hackers to create images that contain invalid data to attempt to exploit these bugs. Because of this we recommend the following:

  1. Do not run Imagick in a server that is directly accessible from outside your network. It is better to either use it as a background task using something like SupervisorD or to run it in a separate server that is not directly accessible on the internet.

     Doing this will make it more difficult for hackers to exploit a bug, if one should exist in the libraries that ImageMagick is using.

  2. Run it as a very low privileged process. As much as possible the files and system resources accessible to the PHP script that Imagick is being called from should be locked down.

  3. Verify that all image files begin with the expected "magic bytes" corresponding to the image file types you support before sending them to ImageMagick for processing. This can be done with finfo_file() - see below.

  4. Check the result of the image processing is a valid image file before displaying it to the user. In the extremely unlikely event that a hacker is able to pipe arbitrary files to the output of Imagick, checking that it is an image file, and not the source code of your application that is being sent, is a sensible precaution. This can be accomplished by the following code:

<?php
	// SecurityException is not a built-in PHP class; define it or substitute your own exception type.
	class SecurityException extends \RuntimeException {}

	// Detect the MIME type from the file's content (magic bytes), not from its name.
	$finfo = finfo_open(FILEINFO_MIME_TYPE);
	$mimeType = finfo_file($finfo, $filename);
	
	$allowedMimeTypes = [
		'image/gif',
		'image/jpeg',
		'image/jpg',
		'image/png'
	];
	
	// Strict comparison, so a failed detection (false) can never match an entry.
	if (in_array($mimeType, $allowedMimeTypes, true) === false) {
		throw new \SecurityException("Was going to send file '$filename' to the user, but it is not an image file.");
	}

  5. NEVER directly serve any files that have been uploaded by users directly through PHP; instead either serve them through the webserver, without invoking PHP, or use readfile to serve them within PHP.

These recommendations do not guarantee any security, but they should limit your exposure to any Imagick/ImageMagick related security issue.
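
An added example, not part of the Imagick README or project code: one way to apply the magic-byte check before processing and the output check before serving as a single gate around an image operation. The names ImageGateException, assertAllowedImage and processImage are hypothetical, the $transform callback stands in for the actual Imagick calls, and the sample files are constructed.

```php
<?php
declare(strict_types=1);
// Hypothetical names; $transform stands in for the real Imagick calls.
final class ImageGateException extends RuntimeException {}

const ALLOWED_IMAGE_TYPES = ['image/gif', 'image/jpeg', 'image/png'];

/** Returns the MIME type detected from the file's content, or throws. */
function assertAllowedImage(string $path): string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    // finfo::file() returns false on failure; the strict in_array() rejects that too.
    if (!in_array($mime, ALLOWED_IMAGE_TYPES, true)) {
        throw new ImageGateException(basename($path) . ' detected as ' . var_export($mime, true));
    }
    return $mime;
}

/** Gates both sides of one image operation and returns the output's MIME type. */
function processImage(string $in, string $out, callable $transform): string
{
    assertAllowedImage($in);               // before ImageMagick ever opens the file
    $transform($in, $out);
    try {
        return assertAllowedImage($out);   // before the result is shown to a user
    } catch (ImageGateException $e) {
        @unlink($out);                     // do not leave a non-image where it could be served
        throw $e;
    }
}

// Constructed sample data: a minimal GIF header and PHP source named like an image.
$dir = sys_get_temp_dir() . '/imagegate-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/ok.gif", 'GIF89a' . pack('v2', 1, 1) . "\x00\x00\x00\x3b");
file_put_contents("$dir/fake.png", "<?php echo 'application source';\n");

$copy = fn(string $a, string $b) => copy($a, $b);                      // well-behaved transform
$wrongOutput = fn(string $a, string $b) => copy("$dir/fake.png", $b);  // writes a non-image

echo 'accepted: ', processImage("$dir/ok.gif", "$dir/out.gif", $copy), "\n";
foreach ([["$dir/fake.png", $copy], ["$dir/ok.gif", $wrongOutput]] as [$src, $fn]) {
    try {
        processImage($src, "$dir/out2.gif", $fn);
    } catch (ImageGateException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
array_map('unlink', glob("$dir/*")); rmdir($dir);
```

The file named fake.png is rejected on its content despite its extension, and the second case shows the output check removing a result that is not an image.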

OpenMP

ImageMagick has the ability to use the Open Multi-Processing API to be able to use multiple threads to process an image at once. Some implementations of OpenMP are known to have stability issues when they are used in certain environments.

We recommend doing one of the following:

  • Disabling OpenMP support in ImageMagick by compiling it with the compile flag "--disable-openmp" set.

  • Disable the use of threads in ImageMagick via Imagick by calling: Imagick::setResourceLimit(\Imagick::RESOURCETYPE_THREAD, 1); or Imagick::setResourceLimit(6, 1); if your version of Imagick does not contain the RESOURCETYPE_THREAD constant.

  • Disable the use of threads in ImageMagick by setting the thread resource limit in ImageMagick's policy.xml file with <policy domain="resource" name="thread" value="1"/>. This file is possibly located at /etc/ImageMagick-6/policy.xml or a similar location.

  • If you do want to use OpenMP in ImageMagick when it's called through Imagick, you should test thoroughly that it behaves correctly on your server.

TODO

Documentation needs a lot of work. There is an online editor here: https://edit.php.net/ Contributions are more than welcome.

Please refer to http://abi-laboratory.pro/tracker/timeline/imagemagick/ for exact version changes of the underlying ImageMagick library.

php-src's Issues

add mysql-specific warning count function

Description

https://github.com/php/php-src/pull/6677/files


@@ -0,0 +1,22 @@
--TEST--
MySQL PDO->mysqlGetWarningCount()
--SKIPIF--
<?php
require_once(__DIR__ . DIRECTORY_SEPARATOR . 'skipif.inc');
require_once(__DIR__ . DIRECTORY_SEPARATOR . 'mysql_pdo_test.inc');
MySQLPDOTest::skip();
?>
--FILE--
<?php
	require_once(__DIR__ . DIRECTORY_SEPARATOR . 'mysql_pdo_test.inc');
	$db = MySQLPDOTest::factory();
	$assertWarnings = function ($db, $q, $count) {
		$db->query($q);
		printf("Query %s produced %d warnings\n", $q, $db->mysqlGetWarningCount());
	};
	$assertWarnings($db, 'SELECT 1 = 1', 0);
	$assertWarnings($db, 'SELECT 1 = "A"', 1);
?>
--EXPECT--
Query SELECT 1 = 1 produced 0 warnings
Query SELECT 1 = "A" produced 1 warnings
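
Review bot: The $assertWarnings closure in the --FILE-- section accepts $count but never compares it with $db->mysqlGetWarningCount(), so the expected values 0 and 1 passed by the two calls are only checked indirectly through --EXPECT--. Either drop the unused parameter and rename the helper, or compare inside the closure and print a mismatch. The second query also wraps A in double quotes, which MySQL treats as an identifier when the server runs with ANSI_QUOTES; using single quotes around A inside a double-quoted PHP string would make the test less dependent on sql_mode.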



/* {{{ proto string PDO::mysqlGetWarningCount()
   Returns the number of SQL warnings during the execution of the last statement */
static PHP_METHOD(PDO, mysqlGetWarningCount)
{
	pdo_dbh_t *dbh;
	pdo_mysql_db_handle *H;

	dbh = Z_PDO_DBH_P(ZEND_THIS);
	PDO_CONSTRUCT_CHECK;

	H = (pdo_mysql_db_handle *)dbh->driver_data;
	RETURN_LONG(mysql_warning_count(H->server));
}
/* }}} */

static const zend_function_entry dbh_methods[] = {
	PHP_ME(PDO, mysqlGetWarningCount, NULL, ZEND_ACC_PUBLIC)
	PHP_FE_END
};

static const zend_function_entry *pdo_mysql_get_driver_methods(pdo_dbh_t *dbh, int kind)
{
	switch (kind) {
		case PDO_DBH_DRIVER_METHOD_KIND_DBH:
			return dbh_methods;
		default:
			return NULL;
	}
}

/* {{{ pdo_mysql_request_shutdown */
static void pdo_mysql_request_shutdown(pdo_dbh_t *dbh)
{
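
Review bot: The doc comment above PHP_METHOD(PDO, mysqlGetWarningCount) says "proto string", but the body returns through RETURN_LONG, so the documented return type should be int. The method also takes no arguments yet never parses them, and it is registered in dbh_methods with NULL arginfo; adding ZEND_PARSE_PARAMETERS_NONE() at the top of the method and a real arginfo entry in the PHP_ME line would make stray arguments an error and give reflection a signature.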
@@ -625,7 +655,7 @@ static const struct pdo_dbh_methods mysql_methods = {
	pdo_mysql_fetch_error_func,
	pdo_mysql_get_attribute,
	pdo_mysql_check_liveness,
	NULL,
	pdo_mysql_get_driver_methods,
	pdo_mysql_request_shutdown,
	pdo_mysql_in_transaction,
	NULL /* get_gc */
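
Review bot: In mysql_methods the new pdo_mysql_get_driver_methods entry is positional and unlabelled, and as rendered here it sits directly after the NULL it replaces, so a reader cannot tell which slot of the struct it fills. A trailing comment in the style of the existing NULL /* get_gc */ line, for example /* get_driver_methods */, would make the slot explicit and make it easier to spot a misplaced entry if the struct gains a member.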

Postgres has a special thing I don't understand.

Description

But this seems to be quite chaotic, reading
https://secure.php.net/manual/en/pdostatement.bindcolumn.php

"Since information about the columns is not always available to PDO
until the statement is executed, portable applications should call this
function after PDOStatement::execute().

However, to be able to bind a LOB column as a stream when using the
PgSQL driver, applications should call this method before calling
PDOStatement::execute(), otherwise the large object OID will be returned
as an integer."

Add PDOSQLIte extension dir

Description

e.g. extension_dir

extension_dir = SQLITE3G(extension_dir);
extension_dir_len = strlen(SQLITE3G(extension_dir));

PHP Version

asd

Operating System

asd

todo list

Description

  1. Add PDOSqlite stub.

  2. Create PDOSqlite class.

     2a. Check it exists.

  3. Create a PDO::connect function.

  4. Extract the code that is in PDO::__construct to be used elsewhere, probably.

  5. Detect whether PDO is connecting to SQLite.

  6. Return a PDOSqlite class if it is.

  7. Implement PDOSqlite::openBlob

  8. Create PDOPostgres ?

  9. Find Postgres specific methods.

  10. Make all relevant classes only registered if their corresponding driver is loaded?

Sqlite constants to expose

Description

tbh, I might leave this out, and have a follow up RFC...

#define SQLITE_UTF8           1    /* IMP: R-37514-35566 */
#define SQLITE_UTF16LE        2    /* IMP: R-03371-37637 */
#define SQLITE_UTF16BE        3    /* IMP: R-51971-34154 */
#define SQLITE_UTF16          4    /* Use native byte order */
#define SQLITE_ANY            5    /* Deprecated */
#define SQLITE_UTF16_ALIGNED  8    /* sqlite3_create_collation only */

Document words from nikic

Description

For backwards-compatibility reasons, we'd presumably still have to retain the ability to call those methods on the plain PDO object though :( But at least there would be a way to use it in a sensible way in new code. In particular this also allows you to write things like:

if ($pdo instanceof PDOSqlite) {
    $pdo->loadExtension(...);
}

PDOMysql subclass

Description

Your task, should you choose to accept it...

  1. Create a stub class for a PDOMysql class in the pdo_mysql directory, containing a class that just extends PDO.

  2. Get that compiling, which I think should be done by just adding #include "pdo_mysql_arginfo.h" in pdo_mysql.c. Edit - actually the first time I think you need to run php build/gen_stub.php after adding the stub file, to generate the arginfo header file. After that has been done once, and the c file that includes it is compiled, the arginfo file will be regenerated automatically.

  3. Actually register the class somewhere in the PHP_MINIT_FUNCTION function in pdo_mysql.c. If you look in the file pdo_sqlite.c to see what I've done there, including the horribly hacky static pdo_driver_class_entry pdosqlite_pdo_driver_class_entry;

  4. Copy and rename the tests pdosqlite_001.phpt and pdosqlite_002.phpt from the path ext/pdo_sqlite/tests/subclasses and put them in an equivalent place in the pdo_mysql directory. Delete all sqlite specific stuff, so that you're just testing that the PDOMysql class exists and works as expected.

There is a mysql specific method that could be added, some details of which are in #13. To do that you'd need to:

  1. Add the method entry to the stub file. I think the method signature should just be getWarningCount(): int. Doing that will give an error as you also need to create the class method in C....

  2. Create a file called pdo_mysql_class.c in the pdo_mysql directory, and add the file name to the file php-src/ext/pdo_mysql/config.m4 on the line that contains PHP_NEW_EXTENSION where the other C files are listed. This will require another ./buildconf . Not sure if it would require a make clean.

  3. Add the code from the static PHP_METHOD(PDO, mysqlGetWarningCount) from the link above (but change the method name as it doesn't need 'mysql'), and also add the test.

sqlite::blobOpen

Description

Copy the code from php#2698

Function signature is:

PDOSqlite::openBlob(string $table , string $column , int $rowid [, string $dbname = "main" [, int $flags = PDO::SQLITE_OPEN_READONLY ]] )

DB specific functions to move

Description

Postgres

pgsqlCopyFromArray
pgsqlCopyFromFile
pgsqlCopyToArray
pgsqlCopyToFile
pgsqlGetNotify
pgsqlGetPid
pgsqlLOBCreate
pgsqlLOBOpen
pgsqlLOBUnlink

SQLite

PDO::sqliteCreateAggregate — Registers an aggregating User Defined Function for use in SQL statements
PDO::sqliteCreateCollation — Registers a User Defined Function for use as a collating function in SQL statements
PDO::sqliteCreateFunction — Registers a User Defined Function for use in SQL statements
