Add a check that header and load methods agree on the demand hint, and
make sure all loaders pass.
If they disagree, you can get bad performance in some cases, since the
pipeline can be built from the header dhint.
Use the bitwise OR assignment operator to ensure that derived
classes does not overwrite the flags from the base class. Also,
move the flags from `openslideload_source` to its base class.
* quick proposal
warn on startup if untrusted operations might run
use vips_block_untrusted_set() to block untrusted operations, set an env
var or make a file to stop the warning
* mark fits, nifti and svg as untrusted
* remove the annoying "untrusted" warning message
better to warn on the download page
leave vips_block_untrusted_set() since it's obviously useful
* separate UNTRUSTED and BLOCKED
* typos
* add VIPS_BLOCK_UNTRUSTED env var
* move BLOCK_UNTRUSTED after plugin load
obviously, ooops
* add a test, disable *magick
although *magick is fuzzed, it's probably safer to disable it in
untrusted environments
* mark some more operations as untrusted
Use GLib's i18n support instead of copying and pasting that
logic into its own header. This deprecates the vips/intl.h
header in favour of glib/gi18n.h.
When we image_new_from_source, the source object has some of the loader
state: it tracks the current read position of the load library. This
means that we mustn't keep source loaders in the operation cache, since
a second call could give a different result because the source object
read position might have changed.
Also: add a rewind to get_flags_source in spngload, and jp2k needs to
tag its load region as having no thread ownership or you'll get assert
fails in the test suite with debug enabled.