Commit
•
df62ac8
1
Parent(s):
02b7f61
Create custom-imagemagick-policy.yml
Browse files
custom-imagemagick-policy.yml
ADDED
|
@@ -0,0 +1,89 @@
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 1 |
+
<?xml version="1.0" encoding="UTF-8"?>
|
| 2 |
+
<!DOCTYPE policymap [
|
| 3 |
+
<!ELEMENT policymap (policy)+>
|
| 4 |
+
<!ATTLIST policymap xmlns CDATA #FIXED ''>
|
| 5 |
+
<!ELEMENT policy EMPTY>
|
| 6 |
+
<!ATTLIST policy xmlns CDATA #FIXED '' domain NMTOKEN #REQUIRED
|
| 7 |
+
name NMTOKEN #IMPLIED pattern CDATA #IMPLIED rights NMTOKEN #IMPLIED
|
| 8 |
+
stealth NMTOKEN #IMPLIED value CDATA #IMPLIED>
|
| 9 |
+
]>
|
| 10 |
+
<!--
|
| 11 |
+
Configure ImageMagick policies.
|
| 12 |
+
|
| 13 |
+
Domains include system, delegate, coder, filter, path, or resource.
|
| 14 |
+
|
| 15 |
+
Rights include none, read, write, execute and all. Use | to combine them,
|
| 16 |
+
for example: "read | write" to permit read from, or write to, a path.
|
| 17 |
+
|
| 18 |
+
Use a glob expression as a pattern.
|
| 19 |
+
|
| 20 |
+
Suppose we do not want users to process MPEG video images:
|
| 21 |
+
|
| 22 |
+
<policy domain="delegate" rights="none" pattern="mpeg:decode" />
|
| 23 |
+
|
| 24 |
+
Here we do not want users reading images from HTTP:
|
| 25 |
+
|
| 26 |
+
<policy domain="coder" rights="none" pattern="HTTP" />
|
| 27 |
+
|
| 28 |
+
The /repository file system is restricted to read only. We use a glob
|
| 29 |
+
expression to match all paths that start with /repository:
|
| 30 |
+
|
| 31 |
+
<policy domain="path" rights="read" pattern="/repository/*" />
|
| 32 |
+
|
| 33 |
+
Lets prevent users from executing any image filters:
|
| 34 |
+
|
| 35 |
+
<policy domain="filter" rights="none" pattern="*" />
|
| 36 |
+
|
| 37 |
+
Any large image is cached to disk rather than memory:
|
| 38 |
+
|
| 39 |
+
<policy domain="resource" name="area" value="1GP"/>
|
| 40 |
+
|
| 41 |
+
Define arguments for the memory, map, area, width, height and disk resources
|
| 42 |
+
with SI prefixes (.e.g 100MB). In addition, resource policies are maximums
|
| 43 |
+
for each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB
|
| 44 |
+
exceeds policy maximum so memory limit is 1GB).
|
| 45 |
+
|
| 46 |
+
Rules are processed in order. Here we want to restrict ImageMagick to only
|
| 47 |
+
read or write a small subset of proven web-safe image types:
|
| 48 |
+
|
| 49 |
+
<policy domain="delegate" rights="none" pattern="*" />
|
| 50 |
+
<policy domain="filter" rights="none" pattern="*" />
|
| 51 |
+
<policy domain="coder" rights="none" pattern="*" />
|
| 52 |
+
<policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" />
|
| 53 |
+
-->
|
| 54 |
+
<policymap>
|
| 55 |
+
<!-- <policy domain="system" name="shred" value="2"/> -->
|
| 56 |
+
<!-- <policy domain="system" name="precision" value="6"/> -->
|
| 57 |
+
<!-- <policy domain="system" name="memory-map" value="anonymous"/> -->
|
| 58 |
+
<!-- <policy domain="system" name="max-memory-request" value="256MiB"/> -->
|
| 59 |
+
<!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
|
| 60 |
+
<policy domain="resource" name="memory" value="256MiB"/>
|
| 61 |
+
<policy domain="resource" name="map" value="512MiB"/>
|
| 62 |
+
<policy domain="resource" name="width" value="1500MP"/>
|
| 63 |
+
<policy domain="resource" name="height" value="1500MP"/>
|
| 64 |
+
<!-- <policy domain="resource" name="list-length" value="128"/> -->
|
| 65 |
+
<policy domain="resource" name="area" value="128MB"/>
|
| 66 |
+
<policy domain="resource" name="disk" value="10GiB"/>
|
| 67 |
+
<!-- <policy domain="resource" name="file" value="768"/> -->
|
| 68 |
+
<!-- <policy domain="resource" name="thread" value="4"/> -->
|
| 69 |
+
<!-- <policy domain="resource" name="throttle" value="0"/> -->
|
| 70 |
+
<!-- <policy domain="resource" name="time" value="3600"/> -->
|
| 71 |
+
<!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
|
| 72 |
+
<!-- <policy domain="module" rights="none" pattern="{PS,PDF,XPS}" /> -->
|
| 73 |
+
<!-- <policy domain="delegate" rights="none" pattern="HTTPS" /> -->
|
| 74 |
+
<!-- <policy domain="path" rights="none" pattern="@*" /> -->
|
| 75 |
+
<!-- <policy domain="cache" name="memory-map" value="anonymous"/> -->
|
| 76 |
+
<!-- <policy domain="cache" name="synchronize" value="True"/> -->
|
| 77 |
+
<!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> -->
|
| 78 |
+
<!-- <policy domain="system" name="pixel-cache-memory" value="anonymous"/> -->
|
| 79 |
+
<!-- <policy domain="system" name="shred" value="2"/> -->
|
| 80 |
+
<!-- <policy domain="system" name="precision" value="6"/> -->
|
| 81 |
+
<!-- not needed due to the need to use explicitly by mvg: -->
|
| 82 |
+
<!-- <policy domain="delegate" rights="none" pattern="MVG" /> -->
|
| 83 |
+
<!-- use curl -->
|
| 84 |
+
<policy domain="delegate" rights="none" pattern="URL" />
|
| 85 |
+
<policy domain="delegate" rights="none" pattern="HTTPS" />
|
| 86 |
+
<policy domain="delegate" rights="none" pattern="HTTP" />
|
| 87 |
+
<!-- in order to avoid to get image with password text -->
|
| 88 |
+
<policy domain="path" rights="none" pattern="@*"/>
|
| 89 |
+
</policymap>
|