Security Policy: Change in Behavior

Post by magick »

We saw a need for improving the security policy behavior. Prior to ImageMagick 7.0.4-7 and 6.9.7-7, any one coder rule that did not grant permission to a particular coder, denied the use of that coder. Now rules are processed in order. For example, suppose we want to restrict ImageMagick to only read or write a small subset of proven web-safe image types:


<policy domain="delegate" rights="none" pattern="*" />
<policy domain="coder" rights="none" pattern="*" />
<policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" />

Yoya has a detailed blog describing the security policy behavior change @ https://blog.awm.jp/2017/02/09/imagemagick-en/.
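The behavior change described in the post, as an added example that is not part of the original post and is not ImageMagick's own code: a simplified Python model that evaluates the post's three rules under the old semantics (any matching rule that withholds the right denies) and the new ones (rules applied in order, last match decides). The function names, the `<policymap>` wrapper and the default-allow result when no rule matches are assumptions of this sketch.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# The three rules from the post, wrapped in a root element so they parse as one document.
POLICY_XML = """<policymap>
  <policy domain="delegate" rights="none" pattern="*" />
  <policy domain="coder" rights="none" pattern="*" />
  <policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" />
</policymap>"""

def expand_braces(pattern):
    """Expand {A,B,C} alternation into plain glob patterns (fnmatch has no brace support)."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(head + alt + tail))
    return out

def load_rules(xml_text):
    """Return rules in file order as (domain, granted_rights, glob_list) tuples."""
    rules = []
    for el in ET.fromstring(xml_text).iter("policy"):
        rights = set(el.get("rights", "none").lower().split("|")) - {"none"}
        rules.append((el.get("domain"), rights, expand_braces(el.get("pattern", "*"))))
    return rules

def matching(rules, domain, name):
    """Yield the granted rights of every rule that applies to (domain, name), in order."""
    for dom, rights, globs in rules:
        if dom == domain and any(fnmatch.fnmatchcase(name, g) for g in globs):
            yield rights

def allowed_old(rules, domain, name, right):
    # Old behavior per the post: one matching rule that does not grant the right denies it.
    return all(right in r for r in matching(rules, domain, name))

def allowed_new(rules, domain, name, right):
    # New behavior per the post: rules are processed in order, so the last match decides.
    verdict = True  # assumption of this sketch: allowed when no rule matches
    for r in matching(rules, domain, name):
        verdict = right in r
    return verdict

if __name__ == "__main__":
    rules = load_rules(POLICY_XML)
    for coder in ("PNG", "JPEG", "MVG", "MSL"):
        print(coder, "old:", allowed_old(rules, "coder", coder, "read"),
              "new:", allowed_new(rules, "coder", coder, "read"))
```

Because order now decides the outcome, the deny-all rule has to come before the allowlist rule; in this model, swapping the two coder rules denies every coder again.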