So with the new vulnerability that was announced today (see here: https://www.imagemagick.org/discourse-s ... =4&t=29588), the solution is to add a set of lines to your policy.xml file. The lines that were mentioned include the following:
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
From my little bit of googling about the image "coders", there is not a lot of information available on these. So, my question to you guys (who are collectively smarter than Google!) is: What is the HTTPS coder? Is there an https image file format? Or what specifically does removing the rights from an HTTPS coder do? Or is it somehow related to how the file is accessed (through HTTPS, perhaps?)?
If you can shine any light on this, I'd love to hear what you know!
Thanks!
Image Coders Question
Re: Image Coders Question
ImageMagick coders are the modules that read and write formats that are identified by letters before a colon at the start of filenames. For example:
Code:
convert PNG:in.png PNG32:out.png
convert http://my.domain.com/in.png out.png
Coders that are internal to IM (as opposed to external delegates) have source code in the coders directory. "http:" etc is in coders/url.c.
snibgo's IM pages: im.snibgo.com
Re: Image Coders Question
snibgo wrote:
> ImageMagick coders are the modules that read and write formats that are identified by letters before a colon at the start of filenames. For example:
> Code:
> convert PNG:in.png PNG32:out.png
> convert http://my.domain.com/in.png out.png
> Coders that are internal to IM (as opposed to external delegates) have source code in the coders directory. "http:" etc is in coders/url.c.
Thank you for this information! Glad to hear someone knows how it works.
I'm still a bit confused by the HTTPS item in the list, though: if that line is added to the policy file, will it cause ImageMagick processes that reference images through HTTPS to fail?
Re: Image Coders Question
Yes. For example (using HTTP):
Code:
convert http://snibgo.com/imforums/rgimage1.png r.png
This succeeds. But if I insert ...
Code:
<policy domain="coder" rights="none" pattern="HTTP" />
... into policy.xml, the command fails with:
Code:
convert.exe: not authorized `//snibgo.com/imforums/rgimage1.png' @ error/constitute.c/ReadImage/412.
snibgo's IM pages: im.snibgo.com
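An added example, not code from any poster in this thread or from ImageMagick: a Python check that reads a policy.xml, reports which of the four coders listed in the first post lack a rights="none" line, and applies the prefix-before-colon rule described above to predict whether a filename would be refused. The sample policy and all function names are constructed; matching is assumed to be a case-sensitive glob against the upper-cased prefix, and later policy lines that re-grant rights are not modelled.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Coders named in the first post of this thread.
RECOMMENDED = ("EPHEMERAL", "HTTPS", "MVG", "MSL")

# Constructed sample policy.xml: only two of the four lines are present, plus HTTP.
SAMPLE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""


def denied_patterns(policy_xml):
    """Return the patterns of all coder policies with rights="none"."""
    root = ET.fromstring(policy_xml)
    return [p.get("pattern", "") for p in root.iter("policy")
            if p.get("domain", "").lower() == "coder"
            and p.get("rights", "").lower() == "none"]


def is_denied(coder, patterns):
    """Glob-match an upper-cased coder name against the deny patterns (assumed model)."""
    return any(fnmatch.fnmatchcase(coder.upper(), pat) for pat in patterns)


def coder_prefix(filename):
    """Explicit 'CODER:' prefix, e.g. 'https://x/a.png' -> 'HTTPS'; None if absent.
    Two or more characters are required so a drive letter like 'C:' is not a coder."""
    m = re.match(r"^([A-Za-z][A-Za-z0-9]+):", filename)
    return m.group(1).upper() if m else None


def missing_recommended(policy_xml, recommended=RECOMMENDED):
    """Coders from the thread's list that the policy does not deny."""
    patterns = denied_patterns(policy_xml)
    return [c for c in recommended if not is_denied(c, patterns)]


def would_block(filename, policy_xml):
    """True if the filename carries an explicit prefix whose coder is denied."""
    coder = coder_prefix(filename)
    return coder is not None and is_denied(coder, denied_patterns(policy_xml))


if __name__ == "__main__":
    print("missing:", missing_recommended(SAMPLE_POLICY))
    for name in ("http://snibgo.com/imforums/rgimage1.png", "PNG:in.png", "in.png"):
        print(name, "->", "blocked" if would_block(name, SAMPLE_POLICY) else "allowed")
```

A file with no prefix still selects a coder from its content or extension, which this check does not inspect. Under the matching assumed here, a pattern of HTTP does not cover HTTPS, so each needs its own line.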
Re: Image Coders Question
snibgo wrote:
> Yes. For example (using HTTP):
> Code:
> convert http://snibgo.com/imforums/rgimage1.png r.png
> This succeeds. But if I insert ...
> Code:
> <policy domain="coder" rights="none" pattern="HTTP" />
> ... into policy.xml, the command fails with:
> Code:
> convert.exe: not authorized `//snibgo.com/imforums/rgimage1.png' @ error/constitute.c/ReadImage/412.
Thank you for the information. That's very helpful.