Looks like you have a syntax error in your policy file fmw42 (I'm guessing) since it isn't listing any actual policy statements. On CentOS 6 (i think) machines where I've applied the mitigation I get:
# convert -list policy
Path: [built-in]
Policy: Undefined
rights: None
Path: /usr/lib64/ImageMagick-6.7.8/config/policy.xml
Policy: Coder
rights: None
pattern: EPHEMERAL
Policy: Coder
rights: None
pattern: URL
Policy: Coder
rights: None
pattern: HTTPS
Policy: Coder
rights: None
pattern: MVG
Policy: Coder
rights: None
pattern: MSL
ImageMagick Security Issue
-
fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: ImageMagick Security Issue
I usually do:
and get
...
<policymap>
<!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
<!-- <policy domain="resource" name="memory" value="2GiB"/> -->
<!-- <policy domain="resource" name="map" value="4GiB"/> -->
<!-- <policy domain="resource" name="width" value="10MP"/> -->
<!-- <policy domain="resource" name="height" value="10MP"/> -->
<!-- <policy domain="resource" name="area" value="1GB"/> -->
<!-- <policy domain="resource" name="disk" value="16EB"/> -->
<!-- <policy domain="resource" name="file" value="768"/> -->
<!-- <policy domain="resource" name="thread" value="4"/> -->
<!-- <policy domain="resource" name="throttle" value="0"/> -->
<!-- <policy domain="resource" name="time" value="3600"/> -->
<!-- <policy domain="system" name="precision" value="6"/> -->
<policy domain="cache" name="shared-secret" value="passphrase"/>
</policymap>
or
Resource limits:
Width: 214.7MP
Height: 214.7MP
Area: 4.295GP
Memory: 2GiB
Map: 4GiB
Disk: unlimited
File: 192
Thread: 2
Throttle: 0
Time: unlimited
Code: Select all
cat /usr/local/etc/ImageMagick-6/policy.xml...
<policymap>
<!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
<!-- <policy domain="resource" name="memory" value="2GiB"/> -->
<!-- <policy domain="resource" name="map" value="4GiB"/> -->
<!-- <policy domain="resource" name="width" value="10MP"/> -->
<!-- <policy domain="resource" name="height" value="10MP"/> -->
<!-- <policy domain="resource" name="area" value="1GB"/> -->
<!-- <policy domain="resource" name="disk" value="16EB"/> -->
<!-- <policy domain="resource" name="file" value="768"/> -->
<!-- <policy domain="resource" name="thread" value="4"/> -->
<!-- <policy domain="resource" name="throttle" value="0"/> -->
<!-- <policy domain="resource" name="time" value="3600"/> -->
<!-- <policy domain="system" name="precision" value="6"/> -->
<policy domain="cache" name="shared-secret" value="passphrase"/>
</policymap>
or
Code: Select all
convert -list resourceWidth: 214.7MP
Height: 214.7MP
Area: 4.295GP
Memory: 2GiB
Map: 4GiB
Disk: unlimited
File: 192
Thread: 2
Throttle: 0
Time: unlimited
Re: ImageMagick Security Issue
@fmw42 , are you not going to apply the line:
<policy domain="path" rights="none" pattern="@*" />
to your policy.xml file? I was under impression that line was also needed even on the newest version of ImageMagick?
(Also, thanks for all the helpfull replies I got on page 2 in the thread.)
<policy domain="path" rights="none" pattern="@*" />
to your policy.xml file? I was under impression that line was also needed even on the newest version of ImageMagick?
(Also, thanks for all the helpfull replies I got on page 2 in the thread.)
-
fmw42
- Posts: 25562
- Joined: 2007-07-02T17:14:51-07:00
- Authentication code: 1152
- Location: Sunnyvale, California, USA
Re: ImageMagick Security Issue
I may. But I am not on a server, just my home computer. So I trust myself and need @filename for my usage. A few of my scripts may not work on servers who install such policy. But that is the user's decision to use those few of my scripts or not on those servers.