Issue cropping images on heroku with image magick

Post by alonfixler » 2016-06-04T10:35:24-07:00

Hi,

ImageMagick was working perfectly for me on Heroku up until last month when the following security vulnerability was discovered:
https://imagetragick.com/

In response to it Heroku published the following post:
https://devcenter.heroku.com/changelog-items/891

My guess is that they added the restrictions I mentioned before in their policy.xml file.
I'm just wondering if there's any other way than what I did to override their HTTPS policy, as in my app the discovered vulnerability is irrelevant.

Post by fmw42 » 2016-06-04T14:13:01-07:00

If they added the new policy.xml features, then you can edit them to remove the relevant ones you need to make your commands work.

See http://www.imagemagick.org/source/policy.xml

Post by alonfixler » 2016-06-05T23:01:31-07:00

Yes, that's exactly what I tried to do: I added a new policy.xml file that is supposed to override Heroku's policy.xml, but for some reason it's not really doing it.

Post by fmw42 » 2016-06-06T09:34:54-07:00

Post your policy.xml file so we can see what you have. Check it with

Code:

convert -list policy

Be sure you are putting it in the correct place. See http://legacy.imagemagick.org/script/resources.php

Post by alonfixler » 2016-06-06T10:07:24-07:00

alonfixler wrote:Hi volx757,

Did it work for you? I'm having the same problem and I tried to do what's suggested here https://gist.github.com/yanowitz/8329d8 ... 04326fd629 but instead of adding the policy configurations mentioned there I added what was suggested here: <policy domain="coder" rights="read | write" pattern="HTTPS" />

Running convert -list policy from bash gave the following:

Path: [built-in]
  Policy: Undefined
    rights: None

Path: ImageMagick/policy.xml
  Policy: Coder
    rights: Read Write Execute
    pattern: HTTPS
  Policy: Coder
    rights: Read Write Execute
    pattern: URL

Path: /etc/ImageMagick/policy.xml
  Policy: Coder
    rights: None
    pattern: EPHEMERAL
  Policy: Coder
    rights: None
    pattern: URL
  Policy: Coder
    rights: None
    pattern: HTTPS
  Policy: Coder
    rights: None
    pattern: MVG
  Policy: Coder
    rights: None
    pattern: MSL
  Policy: Coder
    rights: None
    pattern: TEXT
  Policy: Coder
    rights: None
    pattern: SHOW
  Policy: Coder
    rights: None
    pattern: WIN
  Policy: Coder
    rights: None
    pattern: PLT


Using ImageMagick still fails, and I wonder if adding another policy.xml file is the right approach. If it's working for you, can you please describe what you did?

Thanks!

Post by fmw42 » 2016-06-06T10:54:24-07:00

What is your IM version? If too old, it does not recognize any policy.xml file.

Post by alonfixler » 2016-06-06T14:20:55-07:00

alonfixler wrote:Hi fmw42,

1. The path to the file I've added can be viewed in my bash output (ImageMagick/policy.xml)
2. I did the suggested restart
3. My exact command is: "convert -resize https://[my file path] 500x300 jpg:-"
4. I'm using the Heroku Cedar-14 stack and my ImageMagick version is: 6.7.7-10

Because it stopped working for me after Heroku added a policy.xml disabling HTTPS, I'm assuming the used IM version supports policy.xml files.

Post by fmw42 » 2016-06-06T14:50:55-07:00

I do not think 6.7.7.10 works with policy.xml. It does not list the policy when I do

Code:

im67710 convert -policy

So perhaps they changed it in some other way.

Post by iamakimmer » 2016-06-16T00:02:45-07:00

Has anyone resolved this yet? I'm also having the same issue within the last month.

Post by snibgo » 2016-06-16T02:08:39-07:00

You'll have to say what the issue is, and what version you are using.
snibgo's IM pages: im.snibgo.com

Post by fmw42 » 2016-06-16T09:25:35-07:00

convert -resize https://[my file path] 500x300 jpg:-

That is a malformed command. You need to read the input image before -resize. And you have the resize argument separated from -resize by the input.

Try

Code:

convert https://[my file path] -resize 500x300 jpg:-

Post by iamakimmer » 2016-06-20T20:54:04-07:00

I can't seem to convert images in Heroku anymore using https:// URLs. Here's my version, policy, and the convert method. Do you have any suggestions?

Code:

~ $ convert -version
Version: ImageMagick 6.7.7-10 2014-03-06 Q16 http://www.imagemagick.org
Copyright: Copyright (C) 1999-2012 ImageMagick Studio LLC
Features: OpenMP    

Code:

~ $  convert -list policy

Path: [built-in]
  Policy: Undefined
    rights: None 

Path: /app/vendor/imagemagick/policy.xml
  Policy: Coder
    rights: None 
    pattern: EPHEMERAL
  Policy: Coder
    rights: Read Write 
    pattern: HTTPS
  Policy: Coder
    rights: None 
    pattern: MVG
  Policy: Coder
    rights: None 
    pattern: MSL

Path: /etc/ImageMagick/policy.xml
  Policy: Coder
    rights: None 
    pattern: EPHEMERAL
  Policy: Coder
    rights: None 
    pattern: URL
  Policy: Coder
    rights: None 
    pattern: HTTPS
  Policy: Coder
    rights: None 
    pattern: MVG
  Policy: Coder
    rights: None 
    pattern: MSL
  Policy: Coder
    rights: None 
    pattern: TEXT
  Policy: Coder
    rights: None 
    pattern: SHOW
  Policy: Coder
    rights: None 
    pattern: WIN
  Policy: Coder
    rights: None 
    pattern: PLT

Code:

~ $ convert https://play.google.com/intl/en_us/badges/images/generic/en_badge_web_generic.png -resize 300x300 jpg:-
convert.im6: not authorized `//play.google.com/intl/en_us/badges/images/generic/en_badge_web_generic.png' @ error/constitute.c/ReadImage/454.
convert.im6: no images defined `jpg:-' @ error/convert.c/ConvertImageCommand/3044.
~ $ 

Post by fmw42 » 2016-06-20T21:04:36-07:00

You have multiple policies. The one at /etc/ImageMagick/policy.xml, which has no HTTP privileges, probably takes precedence over the other one. The one at /app/vendor/imagemagick/policy.xml may not be a valid location. Or perhaps you have two versions of IM. See http://legacy.imagemagick.org/script/resources.php for valid policy locations.
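
The situation diagnosed in the last reply, several policy files defining the same coder with different rights, can be checked mechanically. The following is an added example, not code from the thread or from ImageMagick: it parses `convert -list policy` output and reports coder patterns whose rights differ between files. The sample listing is abridged from the one posted above, the function names are hypothetical, and the script only reports the disagreement; it does not decide which file ImageMagick honors.

```python
import re
from collections import defaultdict

# Abridged from the `convert -list policy` output posted in this thread.
SAMPLE = """\
Path: [built-in]
  Policy: Undefined
    rights: None
Path: /app/vendor/imagemagick/policy.xml
  Policy: Coder
    rights: Read Write
    pattern: HTTPS
Path: /etc/ImageMagick/policy.xml
  Policy: Coder
    rights: None
    pattern: URL
  Policy: Coder
    rights: None
    pattern: HTTPS
"""

def parse_policy_listing(text):
    """Return one dict per 'Policy:' entry, tagged with the file it came from."""
    entries, path, cur = [], None, None
    for line in text.splitlines():
        m = re.match(r"\s*(Path|Policy|rights|pattern):\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Path":
            path = value
        elif key == "Policy":
            cur = {"path": path, "domain": value, "pattern": None, "rights": frozenset()}
            entries.append(cur)
        elif cur is not None and key == "rights":
            cur["rights"] = frozenset(value.split()) - {"None"}  # "None" -> empty set
        elif cur is not None:
            cur["pattern"] = value
    return entries

def conflicting_entries(entries):
    """Group by (domain, pattern); keep groups where the files disagree on rights."""
    seen = defaultdict(list)
    for e in entries:
        if e["pattern"] is not None:  # skip the pattern-less built-in entry
            seen[(e["domain"], e["pattern"])].append((e["path"], e["rights"]))
    return {k: v for k, v in seen.items() if len({r for _, r in v}) > 1}

if __name__ == "__main__":
    print(conflicting_entries(parse_policy_listing(SAMPLE)))
```

On a live system, pipe the real listing in instead of `SAMPLE`; any pattern it reports is one where an application-level policy.xml and the system-wide one disagree.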
