Page 1 of 1

Question for new "module" security policy

Posted: 2018-09-02T19:16:16-07:00
by PikachuEXE
Saw this in change log for 7.0.8-11:
Add support for "module" security policy.

Also see a new line for policy.xml: https://github.com/ImageMagick/ImageMag ... cy.xml#L72

Code: Select all

<!-- <policy domain="module" rights="none" pattern="{PS,PDF,XPS}" /> -->
My question is: What can we put in pattern?
I already got errors when processing jpeg files with my existing policy.xml file

Code: Select all

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
<!ELEMENT policymap (policy)+>
<!ELEMENT policy (#PCDATA)>
<!ATTLIST policy domain (cache|delegate|coder|path|resource|system) #IMPLIED>
<!ATTLIST policy name CDATA #IMPLIED>
<!ATTLIST policy rights CDATA #IMPLIED>
<!ATTLIST policy stealth CDATA #IMPLIED>
<!ATTLIST policy cache CDATA #IMPLIED>
<!ATTLIST policy coder CDATA #IMPLIED>
<!ATTLIST policy delegate CDATA #IMPLIED>
<!ATTLIST policy pattern CDATA #IMPLIED>
<!ATTLIST policy path CDATA #IMPLIED>
<!ATTLIST policy system CDATA #IMPLIED>
<!ATTLIST policy value CDATA #IMPLIED>
]>
<policymap>
  <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/>

  <policy domain="delegate" rights="none" pattern="*" />
  <policy domain="coder" rights="none" pattern="*" />
  <policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
</policymap>

Re: Question for new "module" security policy

Posted: 2018-09-02T20:13:21-07:00
by fmw42
You can enter either read or write or read|write (for both). Or keep it none.

Your policy.xml allow you to read and write GIF,JPEG,PNG,WEBP. So already have permission for reading and writing JPEG. I am not sure about the new module policy. I suspect it relates to a potential security deficiency in the Ghostscript delegate for reading and writing PS,PDF, XPS.

Re: Question for new "module" security policy

Posted: 2018-09-02T22:23:06-07:00
by PikachuEXE
I got this error message:

Code: Select all

convert /tmp/mini_magick20180903-26-1b8y8zt.jpg[0] /tmp/mini_magick20180903-26-4kvhda.jpg` failed with error: convert: not authorized `JPG' @ error/constitute.c/IsCoderAuthorized/408
which is thrown at https://github.com/ImageMagick/ImageMag ... ute.c#L408

Re: Question for new "module" security policy

Posted: 2018-09-02T22:46:40-07:00
by fmw42
try editing to add JPG in addition to JPEG

<policy domain="coder" rights="read | write" pattern="{GIF,JPEG,JPG,PNG,WEBP}" />

If that does not help, then perhaps post this to the Bugs forum.

But before that post your JPG file to see if there is anything wrong with it.

You could also comment out that policy line and it should go back to default which I believe is wide open in that regard.

Re: Question for new "module" security policy

Posted: 2018-09-04T01:07:09-07:00
by PikachuEXE
Changing to

Code: Select all

<policy domain="coder" rights="read | write" pattern="{GIF,JPEG,JPG,PNG,WEBP}" />
does help thanks

But does why the name change now?
What are the available values?

Re: Question for new "module" security policy

Posted: 2018-09-04T09:05:48-07:00
by fmw42
But does why the name change now?
What name change? Please clarify.

Re: Question for new "module" security policy

Posted: 2018-09-04T18:32:51-07:00
by PikachuEXE
fmw42 wrote: 2018-09-04T09:05:48-07:00
But does why the name change now?
What name change? Please clarify.
I mean the `JPEG` => `JPG` in "coder"

Re: Question for new "module" security policy

Posted: 2018-09-04T19:14:11-07:00
by fmw42
I am not sure I understand. What is happening when you convert to a jpg image and what suffix are you using?

Re: Question for new "module" security policy

Posted: 2018-09-04T20:31:44-07:00
by PikachuEXE
My files are using both .jpg and .jpeg as file name suffix
But the old policy (without `JPG` in coder policy) works before 7.0.8-11
On 7.0.8-11 it raises error as mentioned at viewtopic.php?f=1&t=34667#p159121

Re: Question for new "module" security policy

Posted: 2018-09-04T20:46:41-07:00
by fmw42
The IM developers will need to comment. Perhaps they tightened the security policy in that regard.

Re: Question for new "module" security policy

Posted: 2018-09-04T23:52:20-07:00
by PikachuEXE
The error only occurs when I use `convert` which convert an image file to a `.jpg` like

Code: Select all

convert image.png image.jpg
But if I use jpeg as suffix, there is no error:

Code: Select all

convert image.png image.jpeg
But I am not sure if this behaviour is intended or a bug

Re: Question for new "module" security policy

Posted: 2018-09-05T09:26:07-07:00
by fmw42
convert is IM 6 syntax. You are on IM 7. To use convert, which would fall back to IM 6 processing on IM 7. On a Unix system, you could make a symbolic alias between convert and magick. Then when you use convert you would actually run magick on IM 7. On Windows, you need to check the legacy option when installing to allow you to use convert.

If you changed your policy.xml file as above, then I am not sure why convert would not work on jpg or jpeg suffixes.

At this point, I will have to defer to the IM developers to comment further.

Re: Question for new "module" security policy

Posted: 2018-09-15T07:30:06-07:00
by dlemstra
What happens when you try the following configuration:

Code: Select all

 <policy domain="module" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />