Policy.xml - Selectively re-enabling delegates

Posted: 2017-05-31T05:30:00-07:00
by carpii
I'm following the advice from https://www.imagemagick.org/discourse-s ... hp?t=26801 on how to lock down ImageMagick via policy.xml (still want to support read/write JPG and read PNG)

Code:

  <policy domain="delegate" rights="none" pattern="*" />
  <policy domain="coder" rights="none" pattern="*" />
  <policy domain="coder" rights="read | write" pattern="{JPEG,PNG}" />

My command is: (resizes an input JPG image, adds some text, overlays a transparent PNG, then writes it out as a JPG)

Code:

/usr/local/bin/convert -size 500x50 xc:transparent -font /www/site/html/fnt/metabold.ttf -pointsize 13 -fill black -gravity center -draw "text 2,1 'site.com/username |' text 1,2 'site.com/username |'" -fill white -gravity center -draw "text 1,1 'site.com/username |'" -trim +repage png:- | /usr/local/bin/convert - -crop -5+0 +repage png:- | /usr/local/bin/composite -gravity southwest -geometry +26+6 -dissolve 35% - jpg:/www/site/html/imagemagick/in.jpg jpg:- | /usr/local/bin/composite -gravity southwest -geometry +5+5 -dissolve 40% /www/site/html/img/watermark.png - jpg:/www/site/html/imagemagick/out.jpg

This command works fine when I disable the first two policies above, but when they are present, I get the error:

Code:

convert: not authorized `transparent' @ error/constitute.c/ReadImage/425.
convert: no images defined `png:-' @ error/convert.c/ConvertImageCommand/3254.
convert: no decode delegate for this image format `' @ error/constitute.c/ReadImage/509.
convert: no images defined `png:-' @ error/convert.c/ConvertImageCommand/3254.
composite: no decode delegate for this image format `' @ error/constitute.c/ReadImage/509.
composite:  `jpg:-' @ error/composite.c/CompositeImageCommand/1613.
composite: no decode delegate for this image format `' @ error/constitute.c/ReadImage/509.
composite:  `jpg:/www/site/html/imagemagick/out.jpg' @ error/composite.c/CompositeImageCommand/1613.

Is the 'not authorized transparent' error just a symptom of not having PNG support?
I'm guessing I need to selectively re-enable the JPG and PNG delegates? But I'm struggling to find any documentation on how to do this.

Also, by re-enabling the PNG coder, does this automatically enable support for PNG8, PNG16, PNG32 etc?

Thanks

Re: Policy.xml - Selectively re-enabling delegates

Posted: 2017-05-31T07:26:49-07:00
by magick
Use this policy:

Code:

<policy domain="coder" rights="read | write" pattern="{JPEG,PNG,XC}" />
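
The difference between the two allow-lists in this thread, as an added example that is not part of the original posts and is not ImageMagick's own code: a small Python audit that reports which coders a pipeline needs but the policy denies. The function names are hypothetical, and it assumes that an unmatched coder is allowed and that a later matching policy overrides an earlier one, which is how the deny-all-then-allow policy in the thread is meant to work.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Policies quoted in the thread: the original lockdown and the corrected allow-list.
ORIGINAL = """<policymap>
  <policy domain="delegate" rights="none" pattern="*" />
  <policy domain="coder" rights="none" pattern="*" />
  <policy domain="coder" rights="read | write" pattern="{JPEG,PNG}" />
</policymap>"""
FIXED = ORIGINAL.replace("{JPEG,PNG}", "{JPEG,PNG,XC}")

def expand_braces(pattern):
    """Expand {A,B,C} alternation into separate glob patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    return [p for alt in m.group(1).split(",") for p in expand_braces(head + alt + tail)]

def coder_rights(policy_xml, coder):
    """Return the rights granted to `coder` (format name as the policy spells it).

    Assumption: no matching policy means allowed, and a later matching
    policy overrides an earlier one (deny everything, then allow-list).
    """
    rights = {"read", "write"}
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain") != "coder":
            continue  # delegate and other domains do not decide coder access here
        globs = expand_braces(pol.get("pattern", ""))
        if any(fnmatch.fnmatchcase(coder, g) for g in globs):
            granted = {r.strip().lower() for r in pol.get("rights", "").split("|")}
            rights = granted & {"read", "write"}  # "none" grants nothing
    return rights

def audit(policy_xml, needed):
    """Map each needed coder to the rights it is missing under the policy."""
    missing = {c: want - coder_rights(policy_xml, c) for c, want in needed.items()}
    return {c: sorted(m) for c, m in missing.items() if m}

# Coders the posted pipeline touches: xc:transparent is read, PNG and JPEG are read and written.
NEEDED = {"XC": {"read"}, "PNG": {"read", "write"}, "JPEG": {"read", "write"}}

if __name__ == "__main__":
    print("original policy denies:", audit(ORIGINAL, NEEDED))
    print("fixed policy denies:   ", audit(FIXED, NEEDED))
```

Under the original policy only the `XC` read is reported, which matches the first `not authorized` line in the error output; the remaining errors follow from the empty pipe.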

Re: Policy.xml - Selectively re-enabling delegates

Posted: 2017-05-31T07:30:43-07:00
by carpii
Perfect, thanks SO much :)