  • Matthew 4 posts 74 karma points
    Dec 04, 2015 @ 00:17
    Matthew
    0

    Umbraco 7.3.3 png.CMD

    Hello,

    I have a couple of Umbraco installs with my shared hosting provider Rackspace Cloud Sites. I upgraded a couple of my sites from version 7.2.1 to version 7.3.3. During this process I was notified by my hosting provider that my app was trying to make use of "cmd.exe" which their security policy does not allow. I asked if they wouldn't mind running a procmon to see what exactly was going on and they found lots of failures like the following when just browsing web pages:

    w3wp.exe 2872 Process Create C:\Windows\SysWOW64\cmd.exe SUCCESS PID: 3888, Command line: "cmd" /c png.cmd "C:\Windows\TEMP\tmpB9B3.png"

    and

    w3wp.exe 2872 Process Create C:\Windows\SysWOW64\cmd.exe SUCCESS PID: 5508, Command line: "cmd" /c jpegtran -copy all -optimize -progressive "C:\Windows\TEMP\tmpBC56.jpg" "C:\Windows\TEMP\tmpBC56.jpg"

    I've verified with my hosting provider that blocking of cmd.exe has been in place for over a year. My question is why is this version of Umbraco making use of cmd.exe when it appears previous versions were not? As their security software is blocking these "cmd.exe" commands being issued it would seem I'm missing out on whatever image optimizations that appear to be going on? Any insight into this would be great.

    Thanks, Matt
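
The procmon rows quoted in this post can be triaged mechanically. The following is an added example, not part of the original thread and not Umbraco or ImageProcessor code: it parses rows in the flattened form shown above and reports every cmd.exe child of w3wp.exe, marking it "expected" only when it runs one of the two post-processing commands seen in the trace. The allowlist, the function names and the last two sample rows are assumptions constructed for illustration.

```python
import re

# Procmon "Process Create" row in the flattened form quoted in the post.
ROW = re.compile(
    r'^(?P<parent>\S+)\s+(?P<ppid>\d+)\s+Process Create\s+(?P<image>\S+)\s+'
    r'(?P<result>\S+)\s+PID:\s*(?P<pid>\d+),\s*Command line:\s*(?P<cmdline>.+)$')
SHELL = re.compile(r'^"?cmd(?:\.exe)?"?\s+/c\s+(?P<inner>.+)$', re.IGNORECASE)

# Assumption: the only children this site is expected to launch are the two
# post-processing commands seen in the trace.
EXPECTED_TOOLS = {"png.cmd", "jpegtran"}

def classify(line):
    """Return None for rows that are not w3wp.exe -> cmd.exe, else a finding dict."""
    m = ROW.match(line.strip())
    if not m or m["parent"].lower() != "w3wp.exe":
        return None
    if not m["image"].lower().endswith("\\cmd.exe"):
        return None
    s = SHELL.match(m["cmdline"])
    inner = s["inner"] if s else m["cmdline"]
    tool = inner.split()[0].strip('"').lower()
    # Chaining or redirection outside the quoted arguments is never expected.
    unquoted = re.sub(r'"[^"]*"', "", inner)
    chained = bool(re.search(r"[&|<>^]", unquoted))
    verdict = "expected" if tool in EXPECTED_TOOLS and not chained else "review"
    return {"ppid": int(m["ppid"]), "pid": int(m["pid"]), "tool": tool, "verdict": verdict}

SAMPLE = [
    # The first two rows are the ones quoted in the post.
    r'w3wp.exe 2872 Process Create C:\Windows\SysWOW64\cmd.exe SUCCESS PID: 3888, Command line: "cmd" /c png.cmd "C:\Windows\TEMP\tmpB9B3.png"',
    r'w3wp.exe 2872 Process Create C:\Windows\SysWOW64\cmd.exe SUCCESS PID: 5508, Command line: "cmd" /c jpegtran -copy all -optimize -progressive "C:\Windows\TEMP\tmpBC56.jpg" "C:\Windows\TEMP\tmpBC56.jpg"',
    # Constructed rows: an unlisted command, and an unrelated parent process.
    r'w3wp.exe 2872 Process Create C:\Windows\SysWOW64\cmd.exe SUCCESS PID: 4120, Command line: "cmd" /c whoami',
    r'explorer.exe 1500 Process Create C:\Windows\System32\cmd.exe SUCCESS PID: 4200, Command line: "cmd"',
]

def scan(lines):
    """Classify every row and keep only the w3wp.exe -> cmd.exe findings."""
    return [f for f in map(classify, lines) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```
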

  • Sebastiaan Janssen 5060 posts 15522 karma points MVP admin hq
    Dec 04, 2015 @ 07:50
    Sebastiaan Janssen
    0

    Umbraco does not do this. Maybe one of your plugins?

  • Matthew 4 posts 74 karma points
    Dec 04, 2015 @ 17:05
    Matthew
    0

    Sebastiaan,

    Thank you so much for your response. Unfortunately I do not run anything beyond the stock Umbraco install. To rule out plugins, I went ahead and installed a fresh version of Umbraco v 7.3.3 and used the Umbraco TXT Responsive Starter Kit.

    When I browse to any page that has an image those images do not load because for some reason the new version (7.3.3) of Umbraco is issuing "cmd.exe" commands against jpg's and png's as far as my research has indicated. To help narrow this down my hosting provider tried to load an image directly such as http://domain.com/media/SampleImages/1060/pic02.jpg while running a procmon

    And the following is received from IIS:

    [Win32Exception (0x80004005): This program is blocked by group policy. For more information, contact your system administrator]
       System.Diagnostics.Process.StartWithCreateProcess(ProcessStartInfo startInfo) +1789
       System.Diagnostics.Process.Start() +6814726
       ImageProcessor.Web.PostProcessor.PostProcessor.RunProcess(String sourceFile, Int64 length) +325
       ImageProcessor.Web.PostProcessor.

    The associated process that kept this image from loading was:

    w3wp.exe 6920 Process Create C:\Windows\SysWOW64\cmd.exe SUCCESS PID: 7708, Command line: "cmd" /c jpegtran -copy all -optimize -progressive "C:\Windows\TEMP\tmp42D9.jpg" "C:\Windows\TEMP\tmp42D9.jpg"

    To reiterate, this is using the DEFAULT Umbraco install found here : https://our.umbraco.org/contribute/releases/733 and using the default starter kit. Full trust is enabled, and impersonation is enabled although it's interesting to note that it seems to be ignored and rather using the application pool user (this is another topic).

    At this point I've reverted to backups of 7.2.1 as they load images fine and do not have this same problem. Any additional insight you have would be helpful regarding this.

    Thanks, Matt

  • Sebastiaan Janssen 5060 posts 15522 karma points MVP admin hq
    Dec 04, 2015 @ 17:21
    Sebastiaan Janssen
    1

    Certainly that's a plugin in IIS installed by your hosting provider that's doing that?

    Umbraco definitely doesn't do this. :-)

    Source has no mention of the jpegtran thing that is being executed: https://github.com/umbraco/Umbraco-CMS/search?utf8=%E2%9C%93&q=jpegtran

  • Matthew 4 posts 74 karma points
    Dec 04, 2015 @ 18:25
    Matthew
    0

    Sebastiaan,

    Thanks for pointing that out. Upon further investigation it seems that Umbraco ships with a dll called ImageProcessor.dll. This dll is what is causing the previous "cmd.exe" commands I've been mentioning. It appears I was able to track down the culprit here: https://github.com/JimBobSquarePants/ImageProcessor/blob/V2/src/ImageProcessor.Web/PostProcessor/PostProcessor.cs. As you can see, line 48 calls method RunProcess, which contains a reference to ProcessStartInfo("cmd"). You'll also see references to jpegtran on lines 150 and 153.

    As a workaround I'm currently commenting out the two references to the module "ImageProcessorModule" in the root web.config of my Umbraco installation.

    one in system.web > httpModules

    and another in system.webServer > Modules

    Once I commented these out, my images began loading and I no longer was hitting my hosting provider's security policy. Now that we know this I have a few questions.

    My research shows you guys added these references back in release 7.1.6 (https://our.umbraco.org/contribute/releases/716/). According to that post if I don't have those references my images will be cropped?

    1. Is this cropping issue just one side effect of not making use of the "ImageProcessorModule"?

    2. Is there any reason why you guys haven't looked into deploying version 3 of this image processor module? Version 3 does not appear to make use of "cmd.exe" which seemed a bit wonky to me to begin with.

    Looking forward to your latest response!

    Regards, Matt

  • Sebastiaan Janssen 5060 posts 15522 karma points MVP admin hq
    Dec 04, 2015 @ 18:40
    Sebastiaan Janssen
    0

    Well... That's surprising!

    You can downgrade to ImageProcessor.Web 4.3.6 which does not have this code in it.

    The v3 branch of ImageProcessor is a complete rebuild for ASP.NET 5, the new version of .NET (currently in beta) and won't work on .NET 4.

    Thanks for bringing this to our attention! I'll report the issue with James from ImageProcessor so that we can get it fixed and included in the next release of Umbraco.

    Update: created issue here: https://github.com/JimBobSquarePants/ImageProcessor/issues/268

  • Jeavon Leopold 3074 posts 13632 karma points MVP 11x admin c-trib
    Dec 04, 2015 @ 20:03
    Jeavon Leopold
    1

    I think if you install the configuration package for ImageProcessor you can turn this off with the postProcess="false" setting in Processing.config, see here

    Certainly worth a try!

  • James Jackson-South 489 posts 1747 karma points c-trib
    Dec 06, 2015 @ 07:46
    James Jackson-South
    0

    @Jeavon nailed it.

    http://imageprocessor.org/imageprocessor-web/configuration/#processingconfig

    There's absolutely nothing "wonky" about using "cmd" to do what I am doing and I'd really rather you didn't describe it as such. What I am actually doing is implementing a more advanced version of what Mads Kristensen is doing in Azure Image Optimizer. It's a pretty standard concept.

    http://madskristensen.net/post/automatic-optimization-of-images-css-and-javascript

    There's extensive documentation for ImageProcessor including documentation on the post processor and configuration. I encourage you to read it.

    V3, as described clearly in the readme, is an attempt at building a cross platform graphics library that will support Corefx. If you had read that readme or looked at the source code, then you would have understood that there is not a module (ImageProcessor is a hell of a lot more than a simple HttpModule btw) in development yet.

  • Matthew 4 posts 74 karma points
    Dec 08, 2015 @ 16:21
    Matthew
    0

    Hi,

    Thanks for considering the enhancement Sebastiaan suggested at https://github.com/JimBobSquarePants/ImageProcessor/issues/268.

    Matt
