Issue cropping images on heroku with image magick

Posted: 2016-05-10T10:37:16-07:00
by volx757
Hi,
I get the following error in production on Heroku in my Rails app when trying to crop/upload photos to Amazon S3 using ImageMagick:

Magick::ImageMagickError: not authorized `//s3.amazonaws.com/[LONG URL PATH HERE]' @ error/constitute.c/ReadImage/454


I've been trying various proposed fixes related to the security vulnerability that was just discovered a couple days ago. I tried the suggestions at this link (and variations of it):
https://gist.github.com/yanowitz/8329d8 ... 04326fd629

But nothing seems to allow our site to crop/upload images anymore. I've been searching all over for information on this, but it seems like it's not very well documented, perhaps because it's new.

Do you have any ideas how I could fix this?
Thanks

Re: Issue cropping images on heroku with image magick

Posted: 2016-05-10T10:58:21-07:00
by snibgo
What ImageMagick command was issued? It looks as if it was trying to read or write over http or https and, whichever it was, has been denied authority by the security policy.

So you have the choice of either changing the policy to authorise that access, or reorganising the work so IM operates only locally. So you would download using wget or similar, then do the IM work, then upload with wput or similar.

Re: Issue cropping images on heroku with image magick

Posted: 2016-05-10T11:05:56-07:00
by volx757
The command was a read:
Magick::Image::read(photo_url)

So if I change my policy.xml file to include this line:
<policy domain="coder" rights="read | write" pattern="HTTPS" />

should that fix the 'not authorized' error?
thanks.

Re: Issue cropping images on heroku with image magick

Posted: 2016-05-10T11:29:18-07:00
by snibgo
I expect it will. Try it and see!

You should be aware of any security implications.

Re: Issue cropping images on heroku with image magick

Posted: 2016-05-28T10:50:42-07:00
by alonfixler
Hi volx757,

Did it work for you? I'm having the same problem and I tried to do what's suggested here https://gist.github.com/yanowitz/8329d8 ... 04326fd629 but instead of adding the policy configurations mentioned there I added what was suggested here: <policy domain="coder" rights="read | write" pattern="HTTPS" />

Running convert -list policy from bash gave the following:

Path: [built-in]
Policy: Undefined
rights: None

Path: ImageMagick/policy.xml
Policy: Coder
rights: Read Write Execute
pattern: HTTPS
Policy: Coder
rights: Read Write Execute
pattern: URL

Path: /etc/ImageMagick/policy.xml
Policy: Coder
rights: None
pattern: EPHEMERAL
Policy: Coder
rights: None
pattern: URL
Policy: Coder
rights: None
pattern: HTTPS
Policy: Coder
rights: None
pattern: MVG
Policy: Coder
rights: None
pattern: MSL
Policy: Coder
rights: None
pattern: TEXT
Policy: Coder
rights: None
pattern: SHOW
Policy: Coder
rights: None
pattern: WIN
Policy: Coder
rights: None
pattern: PLT


Using imagemagick still fails and I wonder if adding another policy.xml file is the right approach. If it's working for you can you please describe what you did.

Thanks!

Re: Issue cropping images on heroku with image magick

Posted: 2016-05-28T10:54:03-07:00
by fmw42
What was the path to the file you edited?

Did you do the suggested restart?

What was your exact command?

What version of Imagemagick and what platform?

Re: Issue cropping images on heroku with image magick

Posted: 2016-05-28T11:10:21-07:00
by alonfixler
Hi fmw42,

1. The path to the file I've added can be viewed in my bash output (ImageMagick/policy.xml)
2. I did the suggested restart
3. My exact command is: "convert -resize https://[my file path] 500x300 jpg:-
4. I'm using Heroku Cedar-14 stack and my imageMagick version is: 6.7.7-10

Re: Issue cropping images on heroku with image magick

Posted: 2016-05-28T11:57:19-07:00
by snibgo
alonfixler wrote: Using imagemagick still fails ...
How does it fail? Any error message? What goes wrong?

Re: Issue cropping images on heroku with image magick

Posted: 2016-05-28T12:08:01-07:00
by alonfixler
The same error that volx757 got: not authorized error due to removal of https prefix in my srcPath image.

Re: Issue cropping images on heroku with image magick

Posted: 2016-05-28T12:18:13-07:00
by snibgo
You have:

Path: /etc/ImageMagick/policy.xml
:
Policy: Coder
rights: None
pattern: HTTPS
So you have no rights to HTTPS.

Re: Issue cropping images on heroku with image magick

Posted: 2016-05-28T12:24:17-07:00
by alonfixler
Yes, but if you'll notice I've added another policy.xml file in which I have the following:

Policy: Coder
rights: Read Write Execute
pattern: HTTPS

I'm quite sure that Read is enough for me but just for now I added them all.

The thing is that it seems that right now I have 2 policy.xml files: Heroku's default one and the one I've added. Considering the fact that I still get the error message I assume that the default one overrides mine and not the opposite so I don't know if that's the right approach.

Re: Issue cropping images on heroku with image magick

Posted: 2016-05-28T12:33:11-07:00
by fmw42
convert -resize https://[my file path] 500x300 jpg:-
Bad syntax:

You have the resize arguments separated from -resize by the input file. Furthermore the input file should be read before -resize.

Also 6.7.7.10 is ancient and long before the policy.xml file was affected by the security changes. Have they been modified to add these security restrictions?
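
Added example (not code from any poster in this thread): the local-only workflow snibgo suggests earlier, combined with the argument order fmw42 describes above, so that ImageMagick never needs HTTPS coder rights. The host allowlist, the size cap and all function names are assumptions made for this sketch.

```ruby
require 'net/http'
require 'tempfile'
require 'uri'

ALLOWED_HOSTS = %w[s3.amazonaws.com].freeze # assumption: the only host we fetch from
MAX_BYTES = 10 * 1024 * 1024                # assumption: 10 MiB upper bound per image

# Accept only absolute https URLs on an allowed host; a scheme-less
# "//host/path" or a plain http URL is rejected before any request is made.
def checked_source(url)
  uri = URI.parse(url)
  raise ArgumentError, 'only https sources are accepted' unless uri.is_a?(URI::HTTPS)
  raise ArgumentError, "host not allowed: #{uri.host}" unless ALLOWED_HOSTS.include?(uri.host.to_s.downcase)
  uri
end

# Stream the body to a temp file, aborting once the size cap is exceeded.
def download_to_tempfile(uri)
  file = Tempfile.new('source')
  file.binmode
  Net::HTTP.start(uri.host, uri.port, use_ssl: true) do |http|
    http.request_get(uri.request_uri) do |res|
      raise "download failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
      res.read_body do |chunk|
        raise 'source exceeds size limit' if file.size + chunk.bytesize > MAX_BYTES
        file.write(chunk)
      end
    end
  end
  file.flush
  file
end

# Input file first, then -resize with its geometry, then the output.
def resize_command(local_path, geometry, out_path)
  ['convert', local_path, '-resize', geometry, "jpg:#{out_path}"]
end

# ImageMagick only ever sees a local path; array form of system avoids the shell.
def resize_from_url(url, geometry, out_path)
  src = download_to_tempfile(checked_source(url))
  system(*resize_command(src.path, geometry, out_path)) or raise 'convert failed'
ensure
  src&.close!
end

p resize_command('in.jpg', '500x300', 'out.jpg')
```

With this arrangement the restrictive HTTPS and URL coder entries in policy.xml can stay in place.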

Re: Issue cropping images on heroku with image magick

Posted: 2016-05-28T12:41:28-07:00
by snibgo
The purpose of a policy file isn't really to grant rights, but to remove them. Otherwise, users could add their own policy file to give themselves more rights than were generally permitted.
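
Added example (not code from any poster in this thread): a small parser for `convert -list policy` output that shows, per coder, which loaded policy file withholds a right. It assumes, following the statement above that policy files remove rights, that a denial in any one file is enough to block access; the function names are hypothetical.

```ruby
# Constructed sample, abridged from the `convert -list policy` output posted above.
SAMPLE = <<~TXT
  Path: ImageMagick/policy.xml
  Policy: Coder
  rights: Read Write Execute
  pattern: HTTPS

  Path: /etc/ImageMagick/policy.xml
  Policy: Coder
  rights: None
  pattern: HTTPS
  Policy: Coder
  rights: None
  pattern: MVG
TXT

PolicyEntry = Struct.new(:path, :domain, :rights, :pattern)

# Turn the listing into one PolicyEntry per "Policy:" stanza, tagged with its file.
def parse_policy_listing(text)
  entries = []
  path = nil
  text.each_line do |line|
    key, value = line.strip.split(/:\s*/, 2)
    next if value.nil?
    case key.downcase
    when 'path'    then path = value
    when 'policy'  then entries << PolicyEntry.new(path, value.downcase, [], nil)
    when 'rights'  then entries.last.rights = value.downcase.split if entries.any?
    when 'pattern' then entries.last.pattern = value if entries.any?
    end
  end
  entries
end

# Every file's verdict for one coder and right. Exact, case-insensitive pattern
# match only (a simplification: real policy patterns may be globs).
def coder_verdicts(entries, coder, right)
  entries.select { |e| e.domain == 'coder' && e.pattern.to_s.casecmp?(coder) }
         .map { |e| [e.path, e.rights.include?(right.downcase)] }
end

# Files that withhold the right. Assumption: one denying file is enough to block.
def blocked_by(entries, coder, right)
  coder_verdicts(entries, coder, right).reject { |_, granted| granted }.map(&:first)
end

denying = blocked_by(parse_policy_listing(SAMPLE), 'HTTPS', 'read')
puts denying.empty? ? 'HTTPS read: no file denies it' : "HTTPS read denied by: #{denying.join(', ')}"
```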

Re: Issue cropping images on heroku with image magick

Posted: 2016-05-28T12:42:51-07:00
by fmw42
Imagemagick does not look at /etc/Imagemagick to find the policy. See http://legacy.imagemagick.org/script/resources.php regarding $PREFIX/etc/Imagemagick-6 or <client path>etc/Imagemagick-6. Not sure if -6 was used for your older 6.7.7.10

On my Mac OSX,

find /usr | grep "policy.xml"
/usr/local/etc/ImageMagick-6/policy.xml

where $PREFIX is /usr/local as described in the link.

Re: Issue cropping images on heroku with image magick

Posted: 2016-05-28T12:54:20-07:00
by fmw42
alonfixler wrote: The same error that volx757 got: not authorized error due to removal of https prefix in my srcPath image.
Was this an Imagemagick error? Could it be that Heroku is limiting its use?