Issue cropping images on heroku with image magick
-
- Posts: 8
- Joined: 2016-05-28T10:44:03-07:00
- Authentication code: 1151
Re: Issue cropping images on heroku with image magick
Hi,
ImageMagick was working perfectly for me on Heroku up until last month when the following security vulnerability was discovered:
https://imagetragick.com/
In response to it Heroku published the following post:
https://devcenter.heroku.com/changelog-items/891
My guess is that they added the restrictions I mentioned before in their policy.xml file.
I'm just wondering if there's any other way from what I did to override their HTTPS policy as in my app the discovered vulnerability is irrelevant.
- fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: Issue cropping images on heroku with image magick
If they added the new policy.xml features, then you can edit them to remove the relevant ones you need to make your commands work.
See http://www.imagemagick.org/source/policy.xml
-
- Posts: 8
- Joined: 2016-05-28T10:44:03-07:00
- Authentication code: 1151
Re: Issue cropping images on heroku with image magick
Yes, that's exactly what I tried to do: I added a new policy.xml file that is supposed to override Heroku's policy.xml, but for some reason it's not really doing it.
- fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: Issue cropping images on heroku with image magick
Post your policy.xml file so we can see what you have. Check it with
Code: Select all
convert -list policy
Be sure you are putting it in the correct place. See http://legacy.imagemagick.org/script/resources.php
-
- Posts: 8
- Joined: 2016-05-28T10:44:03-07:00
- Authentication code: 1151
Re: Issue cropping images on heroku with image magick
alonfixler wrote: Hi volx757,
Did it work for you? I'm having the same problem and I tried to do what's suggested here https://gist.github.com/yanowitz/8329d8 ... 04326fd629 but instead of adding the policy configurations mentioned there I added what was suggested here: <policy domain="coder" rights="read | write" pattern="HTTPS" />
Running convert -list policy from bash gave the following:
Path: [built-in]
Policy: Undefined
rights: None
Path: ImageMagick/policy.xml
Policy: Coder
rights: Read Write Execute
pattern: HTTPS
Policy: Coder
rights: Read Write Execute
pattern: URL
Path: /etc/ImageMagick/policy.xml
Policy: Coder
rights: None
pattern: EPHEMERAL
Policy: Coder
rights: None
pattern: URL
Policy: Coder
rights: None
pattern: HTTPS
Policy: Coder
rights: None
pattern: MVG
Policy: Coder
rights: None
pattern: MSL
Policy: Coder
rights: None
pattern: TEXT
Policy: Coder
rights: None
pattern: SHOW
Policy: Coder
rights: None
pattern: WIN
Policy: Coder
rights: None
pattern: PLT
Using imagemagick still fails and I wonder if adding another policy.xml file is the right approach. If it's working for you, can you please describe what you did?
Thanks!
- fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: Issue cropping images on heroku with image magick
What is your IM version? If too old, it does not recognize any policy.xml file.
-
- Posts: 8
- Joined: 2016-05-28T10:44:03-07:00
- Authentication code: 1151
Re: Issue cropping images on heroku with image magick
alonfixler wrote: Hi fmw42,
1. The path to the file I've added can be viewed in my bash output (ImageMagick/policy.xml)
2. I did the suggested restart
3. My exact command is: "convert -resize https://[my file path] 500x300 jpg:-"
4. I'm using Heroku Cedar-14 stack and my ImageMagick version is: 6.7.7-10
Because it stopped working for me after Heroku added a policy.xml disabling HTTPS, I'm assuming the used IM version supports policy.xml files.
- fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: Issue cropping images on heroku with image magick
I do not think 6.7.7.10 works with policy.xml. It does not list the policy when I do
Code: Select all
im67710 convert -policy
So perhaps they changed it in some other way.
-
- Posts: 2
- Joined: 2016-06-16T00:01:15-07:00
- Authentication code: 1151
Re: Issue cropping images on heroku with image magick
Has anyone resolved this yet? I'm also having the same issue within the last month
-
- Posts: 12159
- Joined: 2010-01-23T23:01:33-07:00
- Authentication code: 1151
- Location: England, UK
Re: Issue cropping images on heroku with image magick
You'll have to say what the issue is, and what version you are using.
snibgo's IM pages: im.snibgo.com
- fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: Issue cropping images on heroku with image magick
convert -resize https://[my file path] 500x300 jpg:-
That is a malformed command. You need to read the input image before -resize. And you have the resize argument separate from -resize by the input.
try
Code: Select all
convert https://[my file path] -resize 500x300 jpg:-
-
- Posts: 2
- Joined: 2016-06-16T00:01:15-07:00
- Authentication code: 1151
Re: Issue cropping images on heroku with image magick
I can't seem to convert images in heroku anymore using https:// urls. Here's my version, policy, and the convert method. Do you have any suggestions?
Code: Select all
~ $ convert -version
Version: ImageMagick 6.7.7-10 2014-03-06 Q16 http://www.imagemagick.org
Copyright: Copyright (C) 1999-2012 ImageMagick Studio LLC
Features: OpenMP
Code: Select all
~ $ convert -list policy
Path: [built-in]
Policy: Undefined
rights: None
Path: /app/vendor/imagemagick/policy.xml
Policy: Coder
rights: None
pattern: EPHEMERAL
Policy: Coder
rights: Read Write
pattern: HTTPS
Policy: Coder
rights: None
pattern: MVG
Policy: Coder
rights: None
pattern: MSL
Path: /etc/ImageMagick/policy.xml
Policy: Coder
rights: None
pattern: EPHEMERAL
Policy: Coder
rights: None
pattern: URL
Policy: Coder
rights: None
pattern: HTTPS
Policy: Coder
rights: None
pattern: MVG
Policy: Coder
rights: None
pattern: MSL
Policy: Coder
rights: None
pattern: TEXT
Policy: Coder
rights: None
pattern: SHOW
Policy: Coder
rights: None
pattern: WIN
Policy: Coder
rights: None
pattern: PLT
Code: Select all
~ $ convert https://play.google.com/intl/en_us/badges/images/generic/en_badge_web_generic.png -resize 300x300 jpg:-
convert.im6: not authorized `//play.google.com/intl/en_us/badges/images/generic/en_badge_web_generic.png' @ error/constitute.c/ReadImage/454.
convert.im6: no images defined `jpg:-' @ error/convert.c/ConvertImageCommand/3044.
~ $
- fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: Issue cropping images on heroku with image magick
You have multiple policies. The one at /etc/ImageMagick/policy.xml, which has no HTTP privileges, probably takes precedence over the other one. The one at /app/vendor/imagemagick/policy.xml may not be a valid location. Or perhaps you have two versions of IM. See http://legacy.imagemagick.org/script/resources.php for valid policy locations.