Question for new "module" security policy

Questions and postings pertaining to the usage of ImageMagick regardless of the interface. This includes the command-line utilities, as well as the C and C++ APIs. Usage questions are like "How do I use ImageMagick to create drop shadows?".
Post Reply
PikachuEXE
Posts: 6
Joined: 2018-09-02T19:11:02-07:00
Authentication code: 1152

Question for new "module" security policy

Post by PikachuEXE » 2018-09-02T19:16:16-07:00

Saw this in change log for 7.0.8-11:
Add support for "module" security policy.

Also see a new line for policy.xml: https://github.com/ImageMagick/ImageMag ... cy.xml#L72

Code: Select all

<!-- <policy domain="module" rights="none" pattern="{PS,PDF,XPS}" /> -->
My question is: What can we put in pattern?
I already got errors when processing jpeg files with my existing policy.xml file

Code: Select all

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
<!ELEMENT policymap (policy)+>
<!ELEMENT policy (#PCDATA)>
<!ATTLIST policy domain (cache|delegate|coder|path|resource|system) #IMPLIED>
<!ATTLIST policy name CDATA #IMPLIED>
<!ATTLIST policy rights CDATA #IMPLIED>
<!ATTLIST policy stealth CDATA #IMPLIED>
<!ATTLIST policy cache CDATA #IMPLIED>
<!ATTLIST policy coder CDATA #IMPLIED>
<!ATTLIST policy delegate CDATA #IMPLIED>
<!ATTLIST policy pattern CDATA #IMPLIED>
<!ATTLIST policy path CDATA #IMPLIED>
<!ATTLIST policy system CDATA #IMPLIED>
<!ATTLIST policy value CDATA #IMPLIED>
]>
<policymap>
  <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/>

  <policy domain="delegate" rights="none" pattern="*" />
  <policy domain="coder" rights="none" pattern="*" />
  <policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
</policymap>

User avatar
fmw42
Posts: 24001
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Question for new "module" security policy

Post by fmw42 » 2018-09-02T20:13:21-07:00

You can enter either read or write or read|write (for both). Or keep it none.

Your policy.xml allow you to read and write GIF,JPEG,PNG,WEBP. So already have permission for reading and writing JPEG. I am not sure about the new module policy. I suspect it relates to a potential security deficiency in the Ghostscript delegate for reading and writing PS,PDF, XPS.

PikachuEXE
Posts: 6
Joined: 2018-09-02T19:11:02-07:00
Authentication code: 1152

Re: Question for new "module" security policy

Post by PikachuEXE » 2018-09-02T22:23:06-07:00

I got this error message:

Code: Select all

convert /tmp/mini_magick20180903-26-1b8y8zt.jpg[0] /tmp/mini_magick20180903-26-4kvhda.jpg` failed with error: convert: not authorized `JPG' @ error/constitute.c/IsCoderAuthorized/408
which is thrown at https://github.com/ImageMagick/ImageMag ... ute.c#L408

User avatar
fmw42
Posts: 24001
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Question for new "module" security policy

Post by fmw42 » 2018-09-02T22:46:40-07:00

try editing to add JPG in addition to JPEG

<policy domain="coder" rights="read | write" pattern="{GIF,JPEG,JPG,PNG,WEBP}" />

If that does not help, then perhaps post this to the Bugs forum.

But before that post your JPG file to see if there is anything wrong with it.

You could also comment out that policy line and it should go back to default which I believe is wide open in that regard.

PikachuEXE
Posts: 6
Joined: 2018-09-02T19:11:02-07:00
Authentication code: 1152

Re: Question for new "module" security policy

Post by PikachuEXE » 2018-09-04T01:07:09-07:00

Changing to

Code: Select all

<policy domain="coder" rights="read | write" pattern="{GIF,JPEG,JPG,PNG,WEBP}" />
does help thanks

But does why the name change now?
What are the available values?

User avatar
fmw42
Posts: 24001
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Question for new "module" security policy

Post by fmw42 » 2018-09-04T09:05:48-07:00

But does why the name change now?
What name change? Please clarify.

PikachuEXE
Posts: 6
Joined: 2018-09-02T19:11:02-07:00
Authentication code: 1152

Re: Question for new "module" security policy

Post by PikachuEXE » 2018-09-04T18:32:51-07:00

fmw42 wrote:
2018-09-04T09:05:48-07:00
But does why the name change now?
What name change? Please clarify.
I mean the `JPEG` => `JPG` in "coder"

User avatar
fmw42
Posts: 24001
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Question for new "module" security policy

Post by fmw42 » 2018-09-04T19:14:11-07:00

I am not sure I understand. What is happening when you convert to a jpg image and what suffix are you using?

PikachuEXE
Posts: 6
Joined: 2018-09-02T19:11:02-07:00
Authentication code: 1152

Re: Question for new "module" security policy

Post by PikachuEXE » 2018-09-04T20:31:44-07:00

My files are using both .jpg and .jpeg as file name suffix
But the old policy (without `JPG` in coder policy) works before 7.0.8-11
On 7.0.8-11 it raises error as mentioned at viewtopic.php?f=1&t=34667#p159121

User avatar
fmw42
Posts: 24001
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Question for new "module" security policy

Post by fmw42 » 2018-09-04T20:46:41-07:00

The IM developers will need to comment. Perhaps they tightened the security policy in that regard.

PikachuEXE
Posts: 6
Joined: 2018-09-02T19:11:02-07:00
Authentication code: 1152

Re: Question for new "module" security policy

Post by PikachuEXE » 2018-09-04T23:52:20-07:00

The error only occurs when I use `convert` which convert an image file to a `.jpg` like

Code: Select all

convert image.png image.jpg
But if I use jpeg as suffix, there is no error:

Code: Select all

convert image.png image.jpeg
But I am not sure if this behaviour is intended or a bug

User avatar
fmw42
Posts: 24001
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Question for new "module" security policy

Post by fmw42 » 2018-09-05T09:26:07-07:00

convert is IM 6 syntax. You are on IM 7. To use convert, which would fall back to IM 6 processing on IM 7. On a Unix system, you could make a symbolic alias between convert and magick. Then when you use convert you would actually run magick on IM 7. On Windows, you need to check the legacy option when installing to allow you to use convert.

If you changed your policy.xml file as above, then I am not sure why convert would not work on jpg or jpeg suffixes.

At this point, I will have to defer to the IM developers to comment further.

User avatar
dlemstra
Posts: 1506
Joined: 2013-05-04T15:28:54-07:00
Authentication code: 6789
Contact:

Re: Question for new "module" security policy

Post by dlemstra » 2018-09-15T07:30:06-07:00

What happens when you try the following configuration:

Code: Select all

 <policy domain="module" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
.NET + ImageMagick = Magick.NET https://github.com/dlemstra/Magick.NET, @MagickNET, Donate

Post Reply