Exiftool versions < 12.38 are vulnerable to Command Injection through a crafted filename. If the filename passed to exiftool ends with a pipe character | and exists on the filesystem, then the file will be treated as a pipe and executed as an OS command.

Description

Exiftool is "a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files." One of its features is being able to read metadata of compressed images. The code for this is GetImageInfo in exiftool:

    sub GetImageInfo($$)
        # pipe through gzip or bzip2 if necessary

$pipe is eventually passed to Open in lib/Image/ExifTool.pm, which sets the file mode to read only (<), unless the last character is |.

    my ($self, $fh, $file, $mode) = @_;
    $file =~ s/^([\s&])/.\/$1/; # protect leading whitespace or ampersand
    # default to read mode ('<') unless input is a pipe

When the mode is not set and the last character is a |, Perl's two argument open will execute the command and "open" the command's output for reading, in this case to allow the gzip or bzip2 wrapper.
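A pre-flight check for pipelines that hand untrusted filenames to exiftool, added here as an example (it is not code from exiftool or from the original write-up). The function names are hypothetical; the 12.38 threshold and the trailing-| condition come from the text above, and the version string is assumed to be what `exiftool -ver` prints.

```python
import os
import re

FIXED_VERSION = (12, 38)  # per the page: versions < 12.38 are vulnerable


def parse_version(text):
    """Turn `exiftool -ver` output such as '12.38' into (12, 38)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\s*", text)
    if m is None:
        raise ValueError(f"unrecognised exiftool version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(version_text):
    """True when the installed version predates the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def treated_as_pipe(name):
    """True when the last character is '|', the condition the page describes."""
    return name.endswith("|")


def find_risky_names(root):
    """Walk root and list files an affected exiftool would open as a command."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if treated_as_pipe(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def must_block(version_text, path):
    """Policy: refuse the file only when both conditions for the bug hold."""
    return is_vulnerable(version_text) and treated_as_pipe(path)


if __name__ == "__main__":
    # Constructed sample names, not taken from any real incident.
    for version, name in [("12.37", "holiday.jpg"), ("12.37", "constructed-name |"),
                          ("12.38", "constructed-name |")]:
        verdict = "BLOCK" if must_block(version, name) else "ok"
        print(f"exiftool {version}  {name!r:24} -> {verdict}")
```

Running find_risky_names over an upload or staging directory before a batch job gives the list of files to rename or quarantine while the upgrade to 12.38 or later is rolled out.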