Image Coders Question

Posted: 2016-05-03T11:52:38-07:00
by caliguian
So with the new vulnerability that was announced today (see here: https://www.imagemagick.org/discourse-s ... =4&t=29588), the solution is to add a set of lines to your policy.xml file. The lines that were mentioned include the following:

<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />

From my little bit of googling about the image "coders", there is not a lot of information available on these. So, my question to you guys (who are collectively smarter than Google!) is: What is the HTTPS coder? Is there an https image file format? Or what specifically does removing the rights from an HTTPS coder do? Or is it somehow related to how the file is accessed (through HTTPS, perhaps?)?

If you can shine any light on this, I'd love to hear what you know!

Thanks!

Re: Image Coders Question

Posted: 2016-05-03T12:11:06-07:00
by snibgo
ImageMagick coders are the modules that read and write formats that are identified by letters before a colon at the start of filenames. For example:

convert PNG:in.png PNG32:out.png
convert http://my.domain.com/in.png out.png

Coders that are internal to IM (as opposed to external delegates) have source code in the coders directory. "http:" etc is in coders/url.c.

Re: Image Coders Question

Posted: 2016-05-03T12:43:06-07:00
by caliguian
snibgo wrote: ImageMagick coders are the modules that read and write formats that are identified by letters before a colon at the start of filenames. For example:

convert PNG:in.png PNG32:out.png
convert http://my.domain.com/in.png out.png

Coders that are internal to IM (as opposed to external delegates) have source code in the coders directory. "http:" etc is in coders/url.c.

Thank you for this information! Glad to hear someone knows how it works. :)

I'm still a bit confused by the HTTPS item in the list though; if that line is added to the policy file, will it cause ImageMagick processes that reference images through HTTPS to fail?

Re: Image Coders Question

Posted: 2016-05-03T13:13:39-07:00
by snibgo
Yes. For example (using HTTP):

convert http://snibgo.com/imforums/rgimage1.png r.png

This succeeds. But if I insert ...

<policy domain="coder" rights="none" pattern="HTTP" />

... into policy.xml, the command fails with:

convert.exe: not authorized `//snibgo.com/imforums/rgimage1.png' @ error/constitute.c/ReadImage/412.
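
An added example (not part of the posts above and not ImageMagick's own code): a small audit that reads the coder entries from a policy.xml, reports which of the four patterns quoted in the first post are still readable, and maps a filename prefix to the coder it selects. The function names are hypothetical, the example.com filenames are constructed, and the matching rule (glob match on the upper-cased coder name, last matching entry decides) is a simplified model assumed here.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Constructed sample: the four lines quoted in the first post, wrapped in a <policymap> root.
SAMPLE_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

RECOMMENDED = ("EPHEMERAL", "HTTPS", "MVG", "MSL")  # patterns listed in the thread


def coder_policies(policy_xml):
    """Return (pattern, rights) pairs for every domain="coder" entry, in file order."""
    root = ET.fromstring(policy_xml)
    return [(p.get("pattern", ""), p.get("rights", "").lower())
            for p in root.iter("policy") if p.get("domain", "").lower() == "coder"]


def coder_prefix(filename):
    """Letters before the first colon, upper-cased; None when there is no such prefix.
    One-letter prefixes are treated as Windows drive letters (assumption)."""
    m = re.match(r"([A-Za-z][A-Za-z0-9]+):", filename)
    return m.group(1).upper() if m else None


def read_allowed(policies, coder):
    """Simplified model (assumption): the last matching entry decides; no match means allowed."""
    allowed = True
    for pattern, rights in policies:
        if fnmatch.fnmatchcase(coder, pattern.upper()):
            allowed = "read" in rights
    return allowed


def missing_recommended(policies):
    """Recommended coders that the policy still lets through."""
    return [c for c in RECOMMENDED if read_allowed(policies, c)]


if __name__ == "__main__":
    pols = coder_policies(SAMPLE_POLICY)
    print("still readable:", missing_recommended(pols))
    for name in ("https://example.com/in.png", "http://example.com/in.png", "PNG:in.png"):
        print(name, "->", "allowed" if read_allowed(pols, coder_prefix(name)) else "not authorized")
```

With only the four quoted lines in place, an `http:` filename is still allowed, because `HTTP` and `HTTPS` are separate patterns, as the HTTP test in the post above shows.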

Re: Image Coders Question

Posted: 2016-05-03T14:07:07-07:00
by caliguian
snibgo wrote: Yes. For example (using HTTP):

convert http://snibgo.com/imforums/rgimage1.png r.png

This succeeds. But if I insert ...

<policy domain="coder" rights="none" pattern="HTTP" />

... into policy.xml, the command fails with:

convert.exe: not authorized `//snibgo.com/imforums/rgimage1.png' @ error/constitute.c/ReadImage/412.

Thank you for the information. That's very helpful.