Legacy ImageMagick Discussions Archive

Use https://github.com/ImageMagick/ImageMagick/discussions instead.
https://imagemagick.com/discourse-server/

Image Coders Question

https://imagemagick.com/discourse-server/viewtopic.php?t=29592

Page 1 of 1

Image Coders Question

Posted: 2016-05-03T11:52:38-07:00
by caliguian
So with the new vulnerability that was announce today (see here: https://www.imagemagick.org/discourse-s ... =4&t=29588), the solution is to add a set of lines to your policy.xml file. The lines that were mentioned include the following:

<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />

From my little bit of googling about the image "coders", there is not a lot of information available on these. So, my question to you guys (who are collectively smarter than google!) is: What is the HTTPS coder? Is there a https image file format? Or what specifically does removing the rights from an HTTPS coder do? Or is somehow related to how the file is accessed (through HTTPS, perhaps?)?

If you can shine any light on this, I'd love to hear what you know!

Thanks!

Re: Image Coders Question

Posted: 2016-05-03T12:11:06-07:00
by snibgo
ImageMagick coders are the modules that read and write formats that are identified by letters before a colon at the start of filenames. For example:

Code: Select all

convert PNG:in.png PNG32:out.png
convert http://my.domain.com/in.png out.png
Coders that are internal to IM (as opposed to external delegates) have source code in the coders directory. "http:" etc is in coders/url.c.

Re: Image Coders Question

Posted: 2016-05-03T12:43:06-07:00
by caliguian
snibgo wrote:ImageMagick coders are the modules that read and write formats that are identified by letters before a colon at the start of filenames. For example:

Code: Select all

convert PNG:in.png PNG32:out.png
convert http://my.domain.com/in.png out.png
Coders that are internal to IM (as opposed to external delegates) have source code in the coders directory. "http:" etc is in coders/url.c.
Thank you for this information! Glad to hear someone knows how it works. :)

I'm still a bit confused by the HTTPS item in the list though; if that line is added to the policy file will it cause imagemagick processes that reference images through HTTPS to fail?

Re: Image Coders Question

Posted: 2016-05-03T13:13:39-07:00
by snibgo
Yes. For example (using HTTP):

Code: Select all

convert http://snibgo.com/imforums/rgimage1.png r.png
This succeeds. But if I insert ...

Code: Select all

<policy domain="coder" rights="none" pattern="HTTP" />
... into policy.xml, the command fails with:

Code: Select all

convert.exe: not authorized `//snibgo.com/imforums/rgimage1.png' @ error/constitute.c/ReadImage/412.

Re: Image Coders Question

Posted: 2016-05-03T14:07:07-07:00
by caliguian
snibgo wrote:Yes. For example (using HTTP):

Code: Select all

convert http://snibgo.com/imforums/rgimage1.png r.png
This succeeds. But if I insert ...

Code: Select all

<policy domain="coder" rights="none" pattern="HTTP" />
... into policy.xml, the command fails with:

Code: Select all

convert.exe: not authorized `//snibgo.com/imforums/rgimage1.png' @ error/constitute.c/ReadImage/412.
Thank you for information. That's very helpful.
All times are UTC-07:00
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited