Issue cropping images on heroku with image magick

volx757
Posts: 2
Joined: 2016-05-10T10:32:20-07:00
Authentication code: 1151

Issue cropping images on heroku with image magick

Post by volx757 »

Hi,
I get the following error in production on Heroku in my Rails app when trying to crop/upload photos to Amazon S3 using ImageMagick:

Magick::ImageMagickError: not authorized `//s3.amazonaws.com/[LONG URL PATH HERE]' @ error/constitute.c/ReadImage/454


I've been trying various proposed fixes related to the security vulnerability that was just discovered a couple days ago. I tried the suggestions at this link (and variations of it):
https://gist.github.com/yanowitz/8329d8 ... 04326fd629

But nothing seems to allow our site to crop/upload images anymore. I've been searching all over for information on this, but it seems like it's not very well documented, perhaps because it's new.

Do you have any ideas how I could fix this?
Thanks
snibgo
Posts: 12159
Joined: 2010-01-23T23:01:33-07:00
Authentication code: 1151
Location: England, UK

Re: Issue cropping images on heroku with image magick

Post by snibgo »

What ImageMagick command was issued? It looks as if it was trying to read or write over http or https and, whichever it was, has been denied authority by the security policy.

So you have the choice of either changing the policy to authorise that access, or reorganising the work so IM operates only locally. So you would download using wget or similar, then do the IM work, then upload with wput or similar.
snibgo's IM pages: im.snibgo.com
volx757
Posts: 2
Joined: 2016-05-10T10:32:20-07:00
Authentication code: 1151

Re: Issue cropping images on heroku with image magick

Post by volx757 »

The command was a read:
Magick::Image::read(photo_url)

So if I change my policy.xml file to include this line:
<policy domain="coder" rights="read | write" pattern="HTTPS" />

should that fix the 'not authorized' error?
thanks.
snibgo
Posts: 12159
Joined: 2010-01-23T23:01:33-07:00
Authentication code: 1151
Location: England, UK

Re: Issue cropping images on heroku with image magick

Post by snibgo »

I expect it will. Try it and see!

You should be aware of any security implications.
snibgo's IM pages: im.snibgo.com
alonfixler
Posts: 8
Joined: 2016-05-28T10:44:03-07:00
Authentication code: 1151

Re: Issue cropping images on heroku with image magick

Post by alonfixler »

Hi volx757,

Did it work for you? I'm having the same problem and I tried to do what's suggested here https://gist.github.com/yanowitz/8329d8 ... 04326fd629 but instead of adding the policy configurations mentioned there I added what was suggested here: <policy domain="coder" rights="read | write" pattern="HTTPS" />

Running convert -list policy from bash gave the following:

Path: [built-in]
Policy: Undefined
rights: None

Path: ImageMagick/policy.xml
Policy: Coder
rights: Read Write Execute
pattern: HTTPS
Policy: Coder
rights: Read Write Execute
pattern: URL

Path: /etc/ImageMagick/policy.xml
Policy: Coder
rights: None
pattern: EPHEMERAL
Policy: Coder
rights: None
pattern: URL
Policy: Coder
rights: None
pattern: HTTPS
Policy: Coder
rights: None
pattern: MVG
Policy: Coder
rights: None
pattern: MSL
Policy: Coder
rights: None
pattern: TEXT
Policy: Coder
rights: None
pattern: SHOW
Policy: Coder
rights: None
pattern: WIN
Policy: Coder
rights: None
pattern: PLT


Using imagemagick still fails and I wonder if adding another policy.xml file is the right approach. If it's working for you, can you please describe what you did?

Thanks!
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Issue cropping images on heroku with image magick

Post by fmw42 »

What was the path to the file you edited?

Did you do the suggested restart?

What was your exact command?

What version of Imagemagick and what platform?
alonfixler
Posts: 8
Joined: 2016-05-28T10:44:03-07:00
Authentication code: 1151

Re: Issue cropping images on heroku with image magick

Post by alonfixler »

Hi fmw42,

1. The path to the file I've added can be viewed in my bash output (ImageMagick/policy.xml)
2. I did the suggested restart
3. My exact command is: "convert -resize https://[my file path] 500x300 jpg:-"
4. I'm using Heroku Cedar-14 stack and my imageMagick version is: 6.7.7-10
snibgo
Posts: 12159
Joined: 2010-01-23T23:01:33-07:00
Authentication code: 1151
Location: England, UK

Re: Issue cropping images on heroku with image magick

Post by snibgo »

alonfixler wrote: Using imagemagick still fails ...
How does it fail? Any error message? What goes wrong?
snibgo's IM pages: im.snibgo.com
alonfixler
Posts: 8
Joined: 2016-05-28T10:44:03-07:00
Authentication code: 1151

Re: Issue cropping images on heroku with image magick

Post by alonfixler »

The same error that volx757 got: not authorized error due to removal of https prefix in my srcPath image.
snibgo
Posts: 12159
Joined: 2010-01-23T23:01:33-07:00
Authentication code: 1151
Location: England, UK

Re: Issue cropping images on heroku with image magick

Post by snibgo »

You have:

Path: /etc/ImageMagick/policy.xml
:
Policy: Coder
rights: None
pattern: HTTPS

So you have no rights to HTTPS.
snibgo's IM pages: im.snibgo.com
alonfixler
Posts: 8
Joined: 2016-05-28T10:44:03-07:00
Authentication code: 1151

Re: Issue cropping images on heroku with image magick

Post by alonfixler »

Yes, but if you'll notice I've added another policy.xml file in which I have the following:

Policy: Coder
rights: Read Write Execute
pattern: HTTPS

I'm quite sure that Read is enough for me but just for now I added them all.

The thing is that it seems that right now I have 2 policy.xml files: Heroku's default one and the one I've added. Considering the fact that I still get the error message I assume that the default one overrides mine and not the opposite so I don't know if that's the right approach.
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Issue cropping images on heroku with image magick

Post by fmw42 »

convert -resize https://[my file path] 500x300 jpg:-
Bad syntax:

You have the resize arguments separated from -resize by the input file. Furthermore the input file should be read before -resize.

Also 6.7.7.10 is ancient and long before the policy.xml file was affected by the security changes. Have they been modified to add these security restrictions?
snibgo
Posts: 12159
Joined: 2010-01-23T23:01:33-07:00
Authentication code: 1151
Location: England, UK

Re: Issue cropping images on heroku with image magick

Post by snibgo »

The purpose of a policy file isn't really to grant rights, but to remove them. Otherwise, users could add their own policy file to give themselves more rights than were generally permitted.
snibgo's IM pages: im.snibgo.com
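
Added example (not part of any post in this thread, and not ImageMagick code): a Ruby sketch that parses `convert -list policy` output like the listing posted above and reports coder patterns that one policy file grants while another denies, which is the conflict snibgo points out. The sample listing is constructed from the thread's output, and the function names are hypothetical; the script only surfaces the conflict and does not decide which file ImageMagick honours.

```ruby
# Constructed sample, abridged from the `convert -list policy` output in the thread.
SAMPLE = <<~OUT
  Path: ImageMagick/policy.xml
  Policy: Coder
  rights: Read Write Execute
  pattern: HTTPS
  Policy: Coder
  rights: Read Write Execute
  pattern: URL

  Path: /etc/ImageMagick/policy.xml
  Policy: Coder
  rights: None
  pattern: URL
  Policy: Coder
  rights: None
  pattern: HTTPS
  Policy: Coder
  rights: None
  pattern: MVG
OUT

# Parse the listing into [{path:, domain:, rights:, pattern:}, ...].
def parse_policy_listing(text)
  entries = []
  path = nil
  text.each_line do |line|
    key, value = line.strip.split(/:\s*/, 2)
    case key
    when "Path"    then path = value
    when "Policy"  then entries << { path: path, domain: value, rights: [], pattern: nil }
    when "rights"  then entries.last[:rights] = (value == "None" ? [] : value.split) if entries.any?
    when "pattern" then entries.last[:pattern] = value if entries.any?
    end
  end
  entries
end

# Coder patterns for which one file grants `right` while another file withholds it.
def conflicting_coders(entries, right = "Read")
  coders = entries.select { |e| e[:domain] == "Coder" && e[:pattern] }
  coders.group_by { |e| e[:pattern] }.map do |pattern, group|
    granted = group.select { |e| e[:rights].include?(right) }.map { |e| e[:path] }
    denied  = group.reject { |e| e[:rights].include?(right) }.map { |e| e[:path] }
    { pattern: pattern, granted_in: granted, denied_in: denied } unless granted.empty? || denied.empty?
  end.compact
end

conflicting_coders(parse_policy_listing(SAMPLE)).each { |c| puts c.inspect }
```

On a real host, feed it the captured output of `convert -list policy` instead of the constructed sample.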
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Issue cropping images on heroku with image magick

Post by fmw42 »

Imagemagick does not look at /etc/Imagemagick to find the policy. See http://legacy.imagemagick.org/script/resources.php regarding $PREFIX/etc/Imagemagick-6 or <client path>etc/Imagemagick-6. Not sure if -6 was used for your older 6.7.7.10

On my Mac OSX,

find /usr | grep "policy.xml"
/usr/local/etc/ImageMagick-6/policy.xml

where $PREFIX is /usr/local as described in the link.
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Issue cropping images on heroku with image magick

Post by fmw42 »

alonfixler wrote: The same error that volx757 got: not authorized error due to removal of https prefix in my srcPath image.
Was this an Imagemagick error? Could it be that Heroku is limiting its use?