www/security-policy.html - platform/external/ImageMagick - Git at Google



 <!DOCTYPE html>
 <html lang="en">
 <head>
     <title>ImageMagick: Security Policy</title>
   <meta charset="utf-8" />
   <meta http-equiv="X-UA-Compatible" content="IE=edge" />
   <meta name="viewport" content="width=device-width, initial-scale=1" />
   <meta http-equiv="content-type" content="text/html; charset=utf-8"/>
   <meta name="application-name" content="ImageMagick"/>
   <meta name="description" content="ImageMagick® is a software suite to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, JPEG-2000, GIF, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves."/>
   <meta name="application-url" content="http://www.imagemagick.org"/>
   <meta name="generator" content="PHP"/>
   <meta name="keywords" content="security, policy, ImageMagick, PerlMagick, image processing, image, photo, software, Magick++, OpenMP, convert"/>
   <meta name="rating" content="GENERAL"/>
   <meta name="robots" content="INDEX, FOLLOW"/>
   <meta name="generator" content="ImageMagick Studio LLC"/>
   <meta name="author" content="ImageMagick Studio LLC"/>
   <meta name="revisit-after" content="2 DAYS"/>
   <meta name="resource-type" content="document"/>
   <meta name="copyright" content="Copyright (c) 1999-2016 ImageMagick Studio LLC"/>
   <meta name="distribution" content="Global"/>
   <meta name="magick-serial" content="P131-S030410-R485315270133-P82224-A6668-G1245-1"/>
   <meta name="google-site-verification" content="_bMOCDpkx9ZAzBwb2kF3PRHbfUUdFj2uO8Jd1AXArz4" />
   <link rel="icon" href="../images/wand.png"/>
   <link rel="shortcut icon" href="../images/wand.ico"/>
   <link rel="stylesheet" type="text/css" href="http://fonts.googleapis.com/css?family=Roboto:900,400,400italic,700,700italic,300,300italic|Open+Sans:300italic,400italic,700italic,300,400,600,700">
   <link rel="stylesheet" href="css/magick.css"/>
 </head>
 <body>
 <div class="main">
 <div class="magick-masthead">
   <div class="container">
     <script async="async" src="http://localhost/pagead/js/adsbygoogle.js"></script>    <ins class="adsbygoogle"
          style="display:block"
          data-ad-client="ca-pub-3129977114552745"
          data-ad-slot="6345125851"
          data-ad-format="auto"></ins>
     <script>
       (adsbygoogle = window.adsbygoogle || []).push({});
     </script>
     <nav class="magick-nav">
       <a class="magick-nav-item " href="../index.html">Home</a>
       <a class="magick-nav-item " href="binary-releases.html">Download</a>
       <a class="magick-nav-item " href="command-line-tools.html">Tools</a>
       <a class="magick-nav-item " href="command-line-processing.html">Command-line</a>
       <a class="magick-nav-item " href="resources.html">Resources</a>
       <a class="magick-nav-item " href="api.html">Develop</a>
       <a class="magick-nav-item " href="http://www.imagemagick.org/script/search.php">Search</a>
       <a class="magick-nav-item pull-right" href="https://www.imagemagick.org/discourse-server/">Community</a>
     </nav>
   </div>
 </div>
 <div class="container">
 <div class="magick-header">
 <p class="lead magick-description">ImageMagick includes a security policy configuration file, <code>policy.xml</code>. It is useful for limiting the resources consumed by ImageMagick and can help prevent a denial-of-service or other exploits.</p>

 <p>As an example, suppose you download an image from the internet and unbeknownst to you its been crafted to generate a 20000 by 20000 pixel image. ImageMagick attempts to allocate enough resources (memory, disk) and your system will likely deny the resource request and exit. However, its also possible that your computer might be temporarily sluggish or unavailable or ImageMagick may abort. To prevent such a scenario, you can set limits in the <code>policy.xml</code> configuration file. You may ask why ImageMagick does not already include reasonable limits? Simply because what is reasonable in your environment, might not be reasonable to someone else. We, for example, have access to a host with 1TB of memory whereas you may be running ImageMagick on an iPhone. If you utilize ImageMagick from a public website, you may want to increase security by preventing usage of the MVG or HTTPS coders. Only you can decide what are reasonable limits taking in consideration your environment. We provide this policy with reasonable limits and encourage you to use as a template for your own policy:</p>

 <pre class="pre-scrollable">
 &lt;policymap>
   &lt;policy domain="resource" name="temporary-path" value="/tmp"/>
   &lt;policy domain="resource" name="memory" value="256MiB"/>
   &lt;policy domain="resource" name="map" value="512MiB"/>
   &lt;policy domain="resource" name="width" value="8KP"/>
   &lt;policy domain="resource" name="height" value="8KP"/>
   &lt;policy domain="resource" name="area" value="128MB"/>
   &lt;policy domain="resource" name="disk" value="1GiB"/>
   &lt;policy domain="resource" name="file" value="768"/>
   &lt;policy domain="resource" name="thread" value="2"/>
   &lt;policy domain="resource" name="throttle" value="0"/>
   &lt;policy domain="resource" name="time" value="120"/>
   &lt;policy domain="system" name="precision" value="6"/>
   &lt;policy domain="cache" name="shared-secret" stealth="true" value="replace with your secret phrase"/>
   &lt;policy domain="coder" rights="none" pattern="MVG" />
   &lt;policy domain="delegate" rights="none" pattern="HTTPS" />  <!--  prevent 'curl' program from reading HTTPS URL's -->
   &lt;policy domain="path" rights="none" pattern="@*"/>  <!-- indirect reads not permitted -->
 &lt;/policymap>
 </pre>

 <p>Since we process multiple simultaneous sessions, we do not want any one session consuming all the available memory.With this policy, large images are cached to disk. If the image is too large and exceeds the pixel cache disk limit, the program exits. In addition, we place a time limit to prevent any run-away processing tasks. If any one image has a width or height that exceeds 8192 pixels, an exception is thrown and processing stops. As of ImageMagick 7.0.1-8 and 6.9.4-6, you can prevent the use of any delegate or all delegates (set the pattern to "*"). Note, prior to these releases, use a domain of <code>coder</code> to prevent delegate usage (e.g. <code>domain="coder" rights="none" pattern="HTTPS"</code>). The policy also prevents indirect reads. If you want to, for example, read text from a file (e.g. <code>caption:@myCaption.txt</code>), you'll need to remove this policy.</p>

 <p>Here is what you can expect when you restrict the HTTPS coder, for example:</p>

 <pre>
 $ convert https://www.imagemagick.org/images/wizard.png wizard.jpg
 convert: not authorized `HTTPS'
 convert: unable to open file: No such file or directory
 convert: no images defined `wizard.jpg'
 </pre>

 <p>You can verify your policy changes are in effect with this command:</p>

 <pre class="pre-scrollable">
 -> identify -list policy
 Path: ImageMagick/policy.xml
   Policy: Resource
     name: time
     value: 120
   Policy: Resource
     name: throttle
     value: 0
   Policy: Resource
     name: thread
     value: 2
   Policy: Resource
     name: file
     value: 768
   Policy: Resource
     name: disk
     value: 1GiB
   Policy: Resource
     name: map
     value: 512MiB
   Policy: Resource
     name: memory
     value: 256MiB
   Policy: Resource
     name: area
     value: 128MB
   Policy: Resource
     name: height
     value: 8KP
   Policy: Resource
     name: width
     value: 8KP
   Policy: Resource
     name: temporary-path
     value: /tmp
   Policy: System
     name: precision
     value: 6
   Policy: Cache
     name: shared-secret
     value: My voice is my passport.  Verify me.
   Policy: Path
     rights: None
     pattern: @*

 Path: [built-in]
   Policy: Undefined
     rights: None
 </pre>

 <p>For additional details about resource limits and the policy configuration file, read <a href="resources.html">Resources</a> and <a href="architecture.html">Architecture</a>.</p>
 </div>
   <footer class="magick-footer">
     <p><a href="support.html">Donate</a> •
      <a href="sitemap.html">Sitemap</a> •
     <a href="links.html">Related</a> •
     <a href="security-policy.html">Security</a> •
     <a href="architecture.html">Architecture</a>
 </p>
     <p><a href="security-policy.html#">Back to top</a> •
     <a href="http://pgp.mit.edu:11371/pks/lookup?op=get&amp;search=0x89AB63D48277377A">Public Key</a> •
     <a href="http://www.imagemagick.org/script/contact.php">Contact Us</a></p>
         <p><small>©  1999-2016 ImageMagick Studio LLC</small></p>
   </footer>
 </div><!-- /.container -->

   <script src="https://localhost/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
   <script src="../js/magick.html"></script>
 </div>
 </body>
 </html>




	<!DOCTYPE html>
	<html lang="en">
	<head>
	<title>ImageMagick: Security Policy</title>
	<meta charset="utf-8" />
	<meta http-equiv="X-UA-Compatible" content="IE=edge" />
	<meta name="viewport" content="width=device-width, initial-scale=1" />
	<meta http-equiv="content-type" content="text/html; charset=utf-8"/>
	<meta name="application-name" content="ImageMagick"/>
	<meta name="description" content="ImageMagick® is a software suite to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, JPEG-2000, GIF, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves."/>
	<meta name="application-url" content="http://www.imagemagick.org"/>
	<meta name="generator" content="PHP"/>
	<meta name="keywords" content="security, policy, ImageMagick, PerlMagick, image processing, image, photo, software, Magick++, OpenMP, convert"/>
	<meta name="rating" content="GENERAL"/>
	<meta name="robots" content="INDEX, FOLLOW"/>
	<meta name="generator" content="ImageMagick Studio LLC"/>
	<meta name="author" content="ImageMagick Studio LLC"/>
	<meta name="revisit-after" content="2 DAYS"/>
	<meta name="resource-type" content="document"/>
	<meta name="copyright" content="Copyright (c) 1999-2016 ImageMagick Studio LLC"/>
	<meta name="distribution" content="Global"/>
	<meta name="magick-serial" content="P131-S030410-R485315270133-P82224-A6668-G1245-1"/>
	<meta name="google-site-verification" content="_bMOCDpkx9ZAzBwb2kF3PRHbfUUdFj2uO8Jd1AXArz4" />
	<link rel="icon" href="../images/wand.png"/>
	<link rel="shortcut icon" href="../images/wand.ico"/>
	<link rel="stylesheet" type="text/css" href="http://fonts.googleapis.com/css?family=Roboto:900,400,400italic,700,700italic,300,300italic\|Open+Sans:300italic,400italic,700italic,300,400,600,700">
	<link rel="stylesheet" href="css/magick.css"/>
	</head>
	<body>
	<div class="main">
	<div class="magick-masthead">
	<div class="container">
	<script async="async" src="http://localhost/pagead/js/adsbygoogle.js"></script> <ins class="adsbygoogle"
	style="display:block"
	data-ad-client="ca-pub-3129977114552745"
	data-ad-slot="6345125851"
	data-ad-format="auto"></ins>
	<script>
	(adsbygoogle = window.adsbygoogle \|\| []).push({});
	</script>
	<nav class="magick-nav">
	<a class="magick-nav-item " href="../index.html">Home</a>
	<a class="magick-nav-item " href="binary-releases.html">Download</a>
	<a class="magick-nav-item " href="command-line-tools.html">Tools</a>
	<a class="magick-nav-item " href="command-line-processing.html">Command-line</a>
	<a class="magick-nav-item " href="resources.html">Resources</a>
	<a class="magick-nav-item " href="api.html">Develop</a>
	<a class="magick-nav-item " href="http://www.imagemagick.org/script/search.php">Search</a>
	<a class="magick-nav-item pull-right" href="https://www.imagemagick.org/discourse-server/">Community</a>
	</nav>
	</div>
	</div>
	<div class="container">
	<div class="magick-header">
	<p class="lead magick-description">ImageMagick includes a security policy configuration file, <code>policy.xml</code>. It is useful for limiting the resources consumed by ImageMagick and can help prevent a denial-of-service or other exploits.</p>

	<p>As an example, suppose you download an image from the internet and unbeknownst to you its been crafted to generate a 20000 by 20000 pixel image. ImageMagick attempts to allocate enough resources (memory, disk) and your system will likely deny the resource request and exit. However, its also possible that your computer might be temporarily sluggish or unavailable or ImageMagick may abort. To prevent such a scenario, you can set limits in the <code>policy.xml</code> configuration file. You may ask why ImageMagick does not already include reasonable limits? Simply because what is reasonable in your environment, might not be reasonable to someone else. We, for example, have access to a host with 1TB of memory whereas you may be running ImageMagick on an iPhone. If you utilize ImageMagick from a public website, you may want to increase security by preventing usage of the MVG or HTTPS coders. Only you can decide what are reasonable limits taking in consideration your environment. We provide this policy with reasonable limits and encourage you to use as a template for your own policy:</p>

	<pre class="pre-scrollable">
	<policymap>
	<policy domain="resource" name="temporary-path" value="/tmp"/>
	<policy domain="resource" name="memory" value="256MiB"/>
	<policy domain="resource" name="map" value="512MiB"/>
	<policy domain="resource" name="width" value="8KP"/>
	<policy domain="resource" name="height" value="8KP"/>
	<policy domain="resource" name="area" value="128MB"/>
	<policy domain="resource" name="disk" value="1GiB"/>
	<policy domain="resource" name="file" value="768"/>
	<policy domain="resource" name="thread" value="2"/>
	<policy domain="resource" name="throttle" value="0"/>
	<policy domain="resource" name="time" value="120"/>
	<policy domain="system" name="precision" value="6"/>
	<policy domain="cache" name="shared-secret" stealth="true" value="replace with your secret phrase"/>
	<policy domain="coder" rights="none" pattern="MVG" />
	<policy domain="delegate" rights="none" pattern="HTTPS" /> <!-- prevent 'curl' program from reading HTTPS URL's -->
	<policy domain="path" rights="none" pattern="@*"/> <!-- indirect reads not permitted -->
	</policymap>
	</pre>

	<p>Since we process multiple simultaneous sessions, we do not want any one session consuming all the available memory.With this policy, large images are cached to disk. If the image is too large and exceeds the pixel cache disk limit, the program exits. In addition, we place a time limit to prevent any run-away processing tasks. If any one image has a width or height that exceeds 8192 pixels, an exception is thrown and processing stops. As of ImageMagick 7.0.1-8 and 6.9.4-6, you can prevent the use of any delegate or all delegates (set the pattern to "*"). Note, prior to these releases, use a domain of <code>coder</code> to prevent delegate usage (e.g. <code>domain="coder" rights="none" pattern="HTTPS"</code>). The policy also prevents indirect reads. If you want to, for example, read text from a file (e.g. <code>caption:@myCaption.txt</code>), you'll need to remove this policy.</p>

	<p>Here is what you can expect when you restrict the HTTPS coder, for example:</p>

	<pre>
	$ convert https://www.imagemagick.org/images/wizard.png wizard.jpg
	convert: not authorized `HTTPS'
	convert: unable to open file: No such file or directory
	convert: no images defined `wizard.jpg'
	</pre>

	<p>You can verify your policy changes are in effect with this command:</p>

	<pre class="pre-scrollable">
	-> identify -list policy
	Path: ImageMagick/policy.xml
	Policy: Resource
	name: time
	value: 120
	Policy: Resource
	name: throttle
	value: 0
	Policy: Resource
	name: thread
	value: 2
	Policy: Resource
	name: file
	value: 768
	Policy: Resource
	name: disk
	value: 1GiB
	Policy: Resource
	name: map
	value: 512MiB
	Policy: Resource
	name: memory
	value: 256MiB
	Policy: Resource
	name: area
	value: 128MB
	Policy: Resource
	name: height
	value: 8KP
	Policy: Resource
	name: width
	value: 8KP
	Policy: Resource
	name: temporary-path
	value: /tmp
	Policy: System
	name: precision
	value: 6
	Policy: Cache
	name: shared-secret
	value: My voice is my passport. Verify me.
	Policy: Path
	rights: None
	pattern: @*

	Path: [built-in]
	Policy: Undefined
	rights: None
	</pre>

	<p>For additional details about resource limits and the policy configuration file, read <a href="resources.html">Resources</a> and <a href="architecture.html">Architecture</a>.</p>
	</div>
	<footer class="magick-footer">
	<p><a href="support.html">Donate</a> •
	<a href="sitemap.html">Sitemap</a> •
	<a href="links.html">Related</a> •
	<a href="security-policy.html">Security</a> •
	<a href="architecture.html">Architecture</a>
	</p>
	<p><a href="security-policy.html#">Back to top</a> •
	<a href="http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x89AB63D48277377A">Public Key</a> •
	<a href="http://www.imagemagick.org/script/contact.php">Contact Us</a></p>
	<p><small>© 1999-2016 ImageMagick Studio LLC</small></p>
	</footer>
	</div><!-- /.container -->

	<script src="https://localhost/ajax/libs/jquery/1.11.3/jquery.min.js"></script>
	<script src="../js/magick.html"></script>
	</div>
	</body>
	</html>