Issue cropping images on heroku with image magick
Hi,
I get the following error in production on Heroku in my Rails app when trying to crop/upload photos to Amazon S3 using ImageMagick:
Magick::ImageMagickError: not authorized `//s3.amazonaws.com/[LONG URL PATH HERE]' @ error/constitute.c/ReadImage/454
I've been trying various proposed fixes related to the security vulnerability that was just discovered a couple days ago. I tried the suggestions at this link (and variations of it):
https://gist.github.com/yanowitz/8329d8 ... 04326fd629
But nothing seems to allow our site to crop/upload images anymore. I've been searching all over for information on this, but it seems like it's not very well documented, perhaps because it's new.
Do you have any ideas how I could fix this?
Thanks
-
- Posts: 12159
- Joined: 2010-01-23T23:01:33-07:00
- Authentication code: 1151
- Location: England, UK
Re: Issue cropping images on heroku with image magick
What ImageMagick command was issued? It looks as if it was trying to read or write over http or https and, whichever it was, has been denied authority by the security policy.
So you have the choice of either changing the policy to authorise that access, or reorganising the work so IM operates only locally. So you would download using wget or similar, then do the IM work, then upload with wput or similar.
snibgo's IM pages: im.snibgo.com
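The second option above (download first, then let ImageMagick work only on a local file), written in Ruby as an added example; it is not code from this thread or from RMagick. The names `checked_image_uri`, `convert_argv`, `resize_remote_image` and the `ALLOWED_HOSTS` list are hypothetical, and the host is the one from the error message.

```ruby
require "uri"
require "net/http"
require "tempfile"

# Hypothetical allowlist: the only host this app is expected to fetch images from.
ALLOWED_HOSTS = ["s3.amazonaws.com"].freeze

# Validate the source URL in application code, so ImageMagick is never handed a URL.
# A scheme-less "//host/path" (as in the error message) parses as URI::Generic and is rejected.
def checked_image_uri(url)
  uri = URI.parse(url)
  raise ArgumentError, "only https URLs are accepted" unless uri.is_a?(URI::HTTPS)
  raise ArgumentError, "host not allowed: #{uri.host}" unless ALLOWED_HOSTS.include?(uri.host)
  uri
end

# Build the argv for convert: local input file first, then -resize with its
# geometry, then the output. Passed as an array, so no shell is involved.
def convert_argv(local_path, geometry)
  raise ArgumentError, "bad geometry" unless geometry.match?(/\A\d+x\d+\z/)
  ["convert", local_path, "-resize", geometry, "jpg:-"]
end

# Download to a temp file with a size cap, then run ImageMagick on the local
# copy. The HTTPS/URL coder restrictions in policy.xml can stay in place.
def resize_remote_image(url, geometry, max_bytes: 10 * 1024 * 1024)
  uri = checked_image_uri(url)
  Tempfile.create(["upload", ".img"]) do |tmp|
    tmp.binmode
    written = 0
    Net::HTTP.start(uri.host, uri.port, use_ssl: true) do |http|
      http.request_get(uri.request_uri) do |res|
        raise "download failed: #{res.code}" unless res.is_a?(Net::HTTPSuccess)
        res.read_body do |chunk|
          written += chunk.bytesize
          raise "image larger than #{max_bytes} bytes" if written > max_bytes
          tmp.write(chunk)
        end
      end
    end
    tmp.flush
    IO.popen(convert_argv(tmp.path, geometry), "rb", &:read) # resized JPEG bytes
  end
end
```

The returned bytes can then be uploaded by the application's own S3 client, so ImageMagick needs no network access at all.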
Re: Issue cropping images on heroku with image magick
The command was a read:
Magick::Image::read(photo_url)
So if I change my policy.xml file to include this line:
<policy domain="coder" rights="read | write" pattern="HTTPS" />
should that fix the 'not authorized' error?
thanks.
-
- Posts: 12159
- Joined: 2010-01-23T23:01:33-07:00
- Authentication code: 1151
- Location: England, UK
Re: Issue cropping images on heroku with image magick
I expect it will. Try it and see!
You should be aware of any security implications.
snibgo's IM pages: im.snibgo.com
-
- Posts: 8
- Joined: 2016-05-28T10:44:03-07:00
- Authentication code: 1151
Re: Issue cropping images on heroku with image magick
Hi volx757,
Did it work for you? I'm having the same problem and I tried to do what's suggested here https://gist.github.com/yanowitz/8329d8 ... 04326fd629 but instead of adding the policy configurations mentioned there I added what was suggested here: <policy domain="coder" rights="read | write" pattern="HTTPS" />
running convert -list policy from bash gave the following:
Path: [built-in]
Policy: Undefined
rights: None
Path: ImageMagick/policy.xml
Policy: Coder
rights: Read Write Execute
pattern: HTTPS
Policy: Coder
rights: Read Write Execute
pattern: URL
Path: /etc/ImageMagick/policy.xml
Policy: Coder
rights: None
pattern: EPHEMERAL
Policy: Coder
rights: None
pattern: URL
Policy: Coder
rights: None
pattern: HTTPS
Policy: Coder
rights: None
pattern: MVG
Policy: Coder
rights: None
pattern: MSL
Policy: Coder
rights: None
pattern: TEXT
Policy: Coder
rights: None
pattern: SHOW
Policy: Coder
rights: None
pattern: WIN
Policy: Coder
rights: None
pattern: PLT
Using imagemagick still fails and I wonder if adding another policy.xml file is the right approach. If it's working for you can you please describe what you did.
Thanks!
- fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: Issue cropping images on heroku with image magick
What was the path to the file you edited?
Did you do the suggested restart?
What was your exact command?
What version of Imagemagick and what platform?
-
- Posts: 8
- Joined: 2016-05-28T10:44:03-07:00
- Authentication code: 1151
Re: Issue cropping images on heroku with image magick
Hi fmw42,
1. The path to the file I've added can be viewed in my bash output (ImageMagick/policy.xml)
2. I did the suggested restart
3. My exact command is: "convert -resize https://[my file path] 500x300 jpg:-"
4. I'm using Heroku Cedar-14 stack and my imageMagick version is: 6.7.7-10
-
- Posts: 12159
- Joined: 2010-01-23T23:01:33-07:00
- Authentication code: 1151
- Location: England, UK
Re: Issue cropping images on heroku with image magick
alonfixler wrote: Using imagemagick still fails ...
How does it fail? Any error message? What goes wrong?
snibgo's IM pages: im.snibgo.com
-
- Posts: 8
- Joined: 2016-05-28T10:44:03-07:00
- Authentication code: 1151
Re: Issue cropping images on heroku with image magick
The same error that volx757 got: not authorized error due to removal of https prefix in my srcPath image.
-
- Posts: 12159
- Joined: 2010-01-23T23:01:33-07:00
- Authentication code: 1151
- Location: England, UK
Re: Issue cropping images on heroku with image magick
You have:
Path: /etc/ImageMagick/policy.xml
:
Policy: Coder
rights: None
pattern: HTTPS
So you have no rights to HTTPS.
snibgo's IM pages: im.snibgo.com
-
- Posts: 8
- Joined: 2016-05-28T10:44:03-07:00
- Authentication code: 1151
Re: Issue cropping images on heroku with image magick
Yes, but if you'll notice I've added another policy.xml file in which I have the following:
Policy: Coder
rights: Read Write Execute
pattern: HTTPS
I'm quite sure that Read is enough for me but just for now I added them all.
The thing is that it seems that right now I have 2 policy.xml files: Heroku's default one and the one I've added. Considering the fact that I still get the error message I assume that the default one overrides mine and not the opposite so I don't know if that's the right approach.
- fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: Issue cropping images on heroku with image magick
Bad syntax:
convert -resize https://[my file path] 500x300 jpg:-
You have the resize arguments separated from -resize by the input file. Furthermore the input file should be read before -resize.
Also 6.7.7.10 is ancient and long before the policy.xml file was affected by the security changes. Have they been modified to add these security restrictions?
-
- Posts: 12159
- Joined: 2010-01-23T23:01:33-07:00
- Authentication code: 1151
- Location: England, UK
Re: Issue cropping images on heroku with image magick
The purpose of a policy file isn't really to grant rights, but to remove them. Otherwise, users could add their own policy file to give themselves more rights than were generally permitted.
snibgo's IM pages: im.snibgo.com
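A way to spot the situation discussed above, where two policy files disagree about the same coder, as an added example that is not part of the original posts. It parses the `convert -list policy` listing format shown in this thread; the function names are hypothetical, and the merge rule (a right counts only if every matching entry grants it) is an assumption taken from snibgo's description, not a verified ImageMagick rule.

```ruby
# Constructed sample, abridged from the `convert -list policy` output posted in this thread.
SAMPLE_LISTING = <<~LISTING
  Path: [built-in]
    Policy: Undefined
      rights: None
  Path: ImageMagick/policy.xml
    Policy: Coder
      rights: Read Write Execute
      pattern: HTTPS
  Path: /etc/ImageMagick/policy.xml
    Policy: Coder
      rights: None
      pattern: HTTPS
    Policy: Coder
      rights: None
      pattern: MVG
LISTING

# Parse the listing into one hash per policy entry, remembering its source file.
def parse_policy_listing(text)
  entries, path = [], nil
  text.each_line do |line|
    key, value = line.strip.split(/:\s*/, 2)
    next if value.nil?
    case key
    when "Path"    then path = value
    when "Policy"  then entries << { path: path, domain: value.downcase, rights: [], pattern: nil }
    when "rights"  then entries.last&.store(:rights, value == "None" ? [] : value.downcase.split)
    when "pattern" then entries.last&.store(:pattern, value)
    end
  end
  entries
end

# Rights declared for one coder pattern, keyed by the policy file that declares them.
def rights_by_path(entries, pattern)
  entries.select { |e| e[:domain] == "coder" && e[:pattern] == pattern }.to_h { |e| [e[:path], e[:rights]] }
end

# Assumption (snibgo's description above): a right counts only if every entry grants it.
def effective_rights(entries, pattern)
  rights_by_path(entries, pattern).values.reduce(:&)
end

# Coder patterns on which the policy files disagree.
def conflicting_patterns(entries)
  entries.map { |e| e[:pattern] }.compact.uniq.select { |p| rights_by_path(entries, p).values.uniq.size > 1 }
end
```

On the sample, `HTTPS` is the only conflicting pattern and its effective rights are empty, which matches the "not authorized" result reported in the thread.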
- fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: Issue cropping images on heroku with image magick
Imagemagick does not look at /etc/Imagemagick to find the policy. See http://legacy.imagemagick.org/script/resources.php regarding $PREFIX/etc/Imagemagick-6 or <client path>etc/Imagemagick-6. Not sure if -6 was used for your older 6.7.7.10
On my Mac OSX,
find /usr | grep "policy.xml"
/usr/local/etc/ImageMagick-6/policy.xml
where $PREFIX is /usr/local as described in the link.
- fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: Issue cropping images on heroku with image magick
alonfixler wrote: The same error that volx757 got: not authorized error due to removal of https prefix in my srcPath image.
Was this an Imagemagick error? Could it be that Heroku is limiting its use?