Re: Issue cropping images on heroku with image magick

Posted: 2016-06-04T10:35:24-07:00
by alonfixler
Hi,

ImageMagick was working perfectly for me on Heroku up until last month when the following security vulnerability was discovered:
https://imagetragick.com/

In response to it Heroku published the following post:
https://devcenter.heroku.com/changelog-items/891

My guess is that they added the restrictions I mentioned before in their policy.xml file.
I'm just wondering if there's any way other than what I did to override their HTTPS policy, as in my app the discovered vulnerability is irrelevant.

Re: Issue cropping images on heroku with image magick

Posted: 2016-06-04T14:13:01-07:00
by fmw42
If they added the new policy.xml features, then you can edit them to remove the relevant ones you need to make your commands work.

See http://www.imagemagick.org/source/policy.xml

Re: Issue cropping images on heroku with image magick

Posted: 2016-06-05T23:01:31-07:00
by alonfixler
Yes, that's exactly what I tried to do: I added a new policy.xml file that is supposed to override Heroku's policy.xml, but for some reason it's not really doing it.

Re: Issue cropping images on heroku with image magick

Posted: 2016-06-06T09:34:54-07:00
by fmw42
Post your policy.xml file so we can see what you have. Check it with

Code:

convert -list policy

Be sure you are putting it in the correct place. See http://legacy.imagemagick.org/script/resources.php

Re: Issue cropping images on heroku with image magick

Posted: 2016-06-06T10:07:24-07:00
by alonfixler
alonfixler wrote: Hi volx757,

Did it work for you? I'm having the same problem and I tried to do what's suggested here https://gist.github.com/yanowitz/8329d8 ... 04326fd629 but instead of adding the policy configurations mentioned there I added what was suggested here: <policy domain="coder" rights="read | write" pattern="HTTPS" />

Running convert -list policy from bash gave the following:

Path: [built-in]
Policy: Undefined
rights: None

Path: ImageMagick/policy.xml
Policy: Coder
rights: Read Write Execute
pattern: HTTPS
Policy: Coder
rights: Read Write Execute
pattern: URL

Path: /etc/ImageMagick/policy.xml
Policy: Coder
rights: None
pattern: EPHEMERAL
Policy: Coder
rights: None
pattern: URL
Policy: Coder
rights: None
pattern: HTTPS
Policy: Coder
rights: None
pattern: MVG
Policy: Coder
rights: None
pattern: MSL
Policy: Coder
rights: None
pattern: TEXT
Policy: Coder
rights: None
pattern: SHOW
Policy: Coder
rights: None
pattern: WIN
Policy: Coder
rights: None
pattern: PLT


Using imagemagick still fails and I wonder if adding another policy.xml file is the right approach. If it's working for you, can you please describe what you did?

Thanks!

Re: Issue cropping images on heroku with image magick

Posted: 2016-06-06T10:54:24-07:00
by fmw42
What is your IM version? If too old, it does not recognize any policy.xml file.

Re: Issue cropping images on heroku with image magick

Posted: 2016-06-06T14:20:55-07:00
by alonfixler
alonfixler wrote: Hi fmw42,

1. The path to the file I've added can be viewed in my bash output (ImageMagick/policy.xml)
2. I did the suggested restart
3. My exact command is: "convert -resize https://[my file path] 500x300 jpg:-"
4. I'm using Heroku Cedar-14 stack and my ImageMagick version is: 6.7.7-10

Because it stopped working for me after Heroku added a policy.xml disabling HTTPS, I'm assuming the used IM version supports policy.xml files.

Re: Issue cropping images on heroku with image magick

Posted: 2016-06-06T14:50:55-07:00
by fmw42
I do not think 6.7.7.10 works with policy.xml. It does not list the policy when I do

Code:

im67710 convert -policy

So perhaps they changed it in some other way.

Re: Issue cropping images on heroku with image magick

Posted: 2016-06-16T00:02:45-07:00
by iamakimmer
Has anyone resolved this yet? I'm also having the same issue within the last month.

Re: Issue cropping images on heroku with image magick

Posted: 2016-06-16T02:08:39-07:00
by snibgo
You'll have to say what the issue is, and what version you are using.

Re: Issue cropping images on heroku with image magick

Posted: 2016-06-16T09:25:35-07:00
by fmw42
convert -resize https://[my file path] 500x300 jpg:-
That is a malformed command. You need to read the input image before -resize. And you have the resize argument separated from -resize by the input.

try

Code:

convert https://[my file path] -resize 500x300 jpg:-

Re: Issue cropping images on heroku with image magick

Posted: 2016-06-20T20:54:04-07:00
by iamakimmer
I can't seem to convert images in heroku anymore using https:// urls. Here's my version, policy, and the convert method. Do you have any suggestions?

Code:

~ $ convert -version
Version: ImageMagick 6.7.7-10 2014-03-06 Q16 http://www.imagemagick.org
Copyright: Copyright (C) 1999-2012 ImageMagick Studio LLC
Features: OpenMP    

Code:

~ $  convert -list policy

Path: [built-in]
  Policy: Undefined
    rights: None 

Path: /app/vendor/imagemagick/policy.xml
  Policy: Coder
    rights: None 
    pattern: EPHEMERAL
  Policy: Coder
    rights: Read Write 
    pattern: HTTPS
  Policy: Coder
    rights: None 
    pattern: MVG
  Policy: Coder
    rights: None 
    pattern: MSL

Path: /etc/ImageMagick/policy.xml
  Policy: Coder
    rights: None 
    pattern: EPHEMERAL
  Policy: Coder
    rights: None 
    pattern: URL
  Policy: Coder
    rights: None 
    pattern: HTTPS
  Policy: Coder
    rights: None 
    pattern: MVG
  Policy: Coder
    rights: None 
    pattern: MSL
  Policy: Coder
    rights: None 
    pattern: TEXT
  Policy: Coder
    rights: None 
    pattern: SHOW
  Policy: Coder
    rights: None 
    pattern: WIN
  Policy: Coder
    rights: None 
    pattern: PLT

Code:

~ $ convert https://play.google.com/intl/en_us/badges/images/generic/en_badge_web_generic.png -resize 300x300 jpg:-
convert.im6: not authorized `//play.google.com/intl/en_us/badges/images/generic/en_badge_web_generic.png' @ error/constitute.c/ReadImage/454.
convert.im6: no images defined `jpg:-' @ error/convert.c/ConvertImageCommand/3044.
~ $ 

Re: Issue cropping images on heroku with image magick

Posted: 2016-06-20T21:04:36-07:00
by fmw42
You have multiple policies. The one at /etc/ImageMagick/policy.xml, which has no HTTP privileges, probably takes precedence over the other one. The one at /app/vendor/imagemagick/policy.xml may not be a valid location. Or perhaps you have two versions of IM. See http://legacy.imagemagick.org/script/resources.php for valid policy locations.
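
An added example, not code from any poster in this thread: a small audit script that parses `convert -list policy` output like the listings above and reports, for one coder, which rights remain and which policy file withholds each one. It assumes a model in which a right is granted only if no matching entry withholds it (consistent with the "not authorized" error shown above, but an assumption about the installed version), and it approximates ImageMagick's pattern matching with Python's `fnmatch`; the function names are hypothetical.

```python
import fnmatch

# Constructed sample, in the format of the `convert -list policy` output quoted in the thread.
SAMPLE = """\
Path: [built-in]
  Policy: Undefined
    rights: None

Path: /app/vendor/imagemagick/policy.xml
  Policy: Coder
    rights: Read Write
    pattern: HTTPS

Path: /etc/ImageMagick/policy.xml
  Policy: Coder
    rights: None
    pattern: HTTPS
"""

ALL_RIGHTS = ("read", "write", "execute")

def parse_policy_listing(text):
    """Parse `convert -list policy` output into a list of entry dicts."""
    entries, path = [], None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "path":
            path = value  # every following entry belongs to this file
        elif key == "policy":
            entries.append({"path": path, "domain": value.lower(), "rights": set(), "pattern": None})
        elif entries and key == "rights":
            # "None" yields an empty set; unknown words are ignored
            entries[-1]["rights"] = {r.lower() for r in value.split()} & set(ALL_RIGHTS)
        elif entries and key == "pattern":
            entries[-1]["pattern"] = value
    return entries

def effective_rights(entries, domain, name):
    """Assumed deny-wins model. Returns (allowed rights, {right: [paths withholding it]})."""
    blockers = {r: [] for r in ALL_RIGHTS}
    for e in entries:
        if e["domain"] == domain and e["pattern"] and fnmatch.fnmatchcase(name.upper(), e["pattern"]):
            for r in ALL_RIGHTS:
                if r not in e["rights"]:
                    blockers[r].append(e["path"])
    return {r for r in ALL_RIGHTS if not blockers[r]}, blockers
```

On the sample, `effective_rights(parse_policy_listing(SAMPLE), "coder", "HTTPS")` returns no allowed rights and names `/etc/ImageMagick/policy.xml` as the file withholding read, which shows at a glance that the permissive entry in the application directory is not the only one in force.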