问题
I am writing a discussion board software that will have "avatar" images for the users. I want to resize any picture that gets uploaded to a reasonable size. I could easily do that with System.Drawing but that is relying on GDI+ which has hat security problems before. The problem is that the images are untrusted. So I thought of using a fully managed lib to solve that problem because managed code cannot escape the sandbox (of course it can, but only if the code is user-supplied which it is not in my case). So does anybody know of a managed image parser library for JPEG, BMP, PNG and GIF? If some format is missing than I will have to live with that.
Edit: Paint.NET also relies on GDI+.
You might be interested in the discussion below, too.
回答1:
What about VintaSoftImaging.NET? It's a fully-managed .NET library that can resize/resample various image formats (and much more).
It's certainly not the case that all image libraries have unmanaged code--image decoders are written in whatever language the author feels like writing them in. And some do feel like writing them in a managed language; for example, there's also LibTiff.NET and LibJpeg.NET, both 100% managed code. Those are strictly codec libraries though, and won't do any resizing.
回答2:
The appropriate way of sandboxing image processing is to run ImageMagick's convert in a separate process with no permissions nor disk access.
The lack of managed code for image parsing is because image parsing is usually performance sensitive. Dave Huang's answer outlines some managed libraries - presumably they are quite slow. There have been examples e.g. compiling libjpeg to Flash (they say it's fast, but that just reflects how low they set their expectations ;) ) using their Alchemy, and you could perhaps undertake the same thing for .NET.
回答3:
Well, what do you prefer? Do you want to use a library that has been put to the test by billions of hack attacks, found wanting but patched up? Or do you prefer some obscure library that hasn't been exposed to such attacks? Yet.
There is zero security in obscurity.
回答4:
Why not dodge the whole question and use Gravatar for your avatar images?
来源:https://stackoverflow.com/questions/3052233/looking-for-a-managed-image-parser-library-jpeg-bmp-png-gif