www/security-policy.html - platform/external/ImageMagick - Git at Google



 <!DOCTYPE html>
 <html lang="en">
 <head>
   <meta charset="utf-8"  />
   <meta name="viewport" content="width=device-width,minimum-scale=1,initial-scale=1,shrink-to-fit=no"  />
   <title>Security Policy @ ImageMagick</title>
   <meta name="application-name" content="ImageMagick" />
   <meta name="description" content="Use ImageMagick® to create, edit, compose, or convert bitmap images. You can resize your image, crop it, change its shades and colors, add captions, among other operations." />
   <meta name="application-url" content="https://imagemagick.org" />
   <meta name="generator" content="PHP" />
   <meta name="keywords" content="security, policy, ImageMagick, PerlMagick, image processing, image, photo, software, Magick++, OpenMP, convert" />
   <meta name="rating" content="GENERAL" />
   <meta name="robots" content="INDEX, FOLLOW" />
   <meta name="generator" content="ImageMagick Studio LLC" />
   <meta name="author" content="ImageMagick Studio LLC" />
   <meta name="revisit-after" content="2 DAYS" />
   <meta name="resource-type" content="document" />
   <meta name="copyright" content="Copyright (c) 1999-2019 ImageMagick Studio LLC" />
   <meta name="distribution" content="Global" />
   <meta name="magick-serial" content="P131-S030410-R485315270133-P82224-A6668-G1245-1" />
   <meta name="google-site-verification" content="_bMOCDpkx9ZAzBwb2kF3PRHbfUUdFj2uO8Jd1AXArz4" />
   <link href="../www/security-policy.html" rel="canonical" />
   <link href="../images/wand.png" rel="icon" />
   <link href="../images/wand.ico" rel="shortcut icon" />
   <link href="assets/magick.css" rel="stylesheet" />
 </head>
 <body>
   <header>
   <nav class="navbar navbar-expand-md navbar-dark fixed-top bg-dark">
     <a class="navbar-brand" href="../index.html"><img class="d-block" id="icon" alt="ImageMagick" width="32" height="32" src="../images/wand.ico"/></a>
     <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarsMagick" aria-controls="navbarsMagick" aria-expanded="false" aria-label="Toggle navigation">
       <span class="navbar-toggler-icon"></span>
     </button>

     <div class="navbar-collapse collapse" id="navbarsMagick" style="">
     <ul class="navbar-nav mr-auto">
       <li class="nav-item ">
         <a class="nav-link" href="../index.html">Home <span class="sr-only">(current)</span></a>
       </li>
       <li class="nav-item ">
         <a class="nav-link" href="download.html">Download</a>
       </li>
       <li class="nav-item ">
         <a class="nav-link" href="command-line-tools.html">Tools</a>
       </li>
       <li class="nav-item ">
         <a class="nav-link" href="command-line-processing.html">Command-line</a>
       </li>
       <li class="nav-item ">
         <a class="nav-link" href="resources.html">Resources</a>
       </li>
       <li class="nav-item ">
         <a class="nav-link" href="develop.html">Develop</a>
       </li>
       <li class="nav-item">
         <a class="nav-link" target="_blank" href="https://imagemagick.org/discourse-server/">Community</a>
       </li>
     </ul>
     <form class="form-inline my-2 my-lg-0" action="https://imagemagick.org/script/search.php">
       <input class="form-control mr-sm-2" type="text" name="q" placeholder="Search" aria-label="Search">
       <button class="btn btn-outline-success my-2 my-sm-0" type="submit" name="sa">Search</button>
     </form>
     </div>
   </nav>
   <div class="container">
    <script async="async" src="http://localhost/pagead/js/adsbygoogle.js"></script>    <ins class="adsbygoogle"
          style="display:block"
          data-ad-client="ca-pub-3129977114552745"
          data-ad-slot="6345125851"
          data-ad-format="auto"></ins>
     <script>
       (adsbygoogle = window.adsbygoogle || []).push({});
     </script>

   </div>
   </header>
   <main class="container">
     <div class="magick-template">
 <div class="magick-header">
 <p class="text-center"><a href="security-policy.html#policy">Security Policy </a> • <a href="security-policy.html#synchronize">Pixel Cache Synchronize Policy</a> • <a href="security-policy.html#zero-configuration">Zero Configuration Security Policy</a> • <a href="security-policy.html#other">Other Security Considerations</a></p>


 <p class="lead magick-description">ImageMagick best practices strongly encourages you to configure a security <a href="https://imagemagick.org/source/policy.xml">policy.xml</a> that suits your local environment.  The policy is open by default.  This affords maximum utility for ImageMagick installations that run in a sandboxed environment, perhaps in a Docker instance, or behind a firewall where security risks are greatly diminished as opposed to a public website.</p>

 <p>Security is a trade-off between a secure environment and convenience. If you want ImageMagick to be optimally secure, you could, for example, limit ImageMagick to only read or write web safe images (e.g. GIF, JPEG, PNG).   However, ImageMagick provides for a more secure option by adjusting the security policy per the requirements of your local environment or organizational policies. The security policy covers areas such as memory, which paths to read or write, how many images are permitted in an image sequence, how long a workflow can run, how much disk the image pixels can consume, a secret passphrase for remote connections, which coders are permitted or denied, and others. These policies should provide robust coverage to not only secure your environment per your requirements but also ensure ImageMagick remains a good citizen (e.g. prevent thrashing with large images) in your local environment.</p>

 <p>As an example, suppose you download an image from the internet and unbeknownst to you its been crafted to generate a 20000 by 20000 pixel image. ImageMagick attempts to allocate enough resources (memory, disk) and your system will likely deny the resource request and exit. However, its also possible that your computer might be temporarily sluggish or unavailable or ImageMagick may abort. To prevent such a scenario, you can set limits in the <code>policy.xml</code> configuration file. You might wonder why ImageMagick does not already include reasonable limits? Simply because what is reasonable in your environment, might not be reasonable to someone else. For example, you may have ImageMagick sandboxed where security is not a concern, whereas another user may use ImageMagick to process images on their publically accessible website.  Or ImageMagick runs on a host with 1TB of memory whereas another ImageMagick instance runs on an iPhone. By policy, permitting giga-pixel image processing on the large memory host makes sense, not so much for the resource constrained iPhone. If you utilize ImageMagick from a public website, you may want to increase security by preventing usage of the MVG or HTTPS coders. Only you can decide what are reasonable limits taking in consideration your environment. We provide this policy with reasonable limits and encourage you to modify it to suit your local environment:</p>

 <pre class="pre-scrollable"><code>&lt;policymap>
   &lt;policy domain="resource" name="temporary-path" value="/tmp"/>
   &lt;policy domain="resource" name="memory" value="256MiB"/>
   &lt;policy domain="resource" name="map" value="512MiB"/>
   &lt;policy domain="resource" name="width" value="8KP"/>
   &lt;policy domain="resource" name="height" value="8KP"/>
   &lt;policy domain="resource" name="area" value="16KP"/>
   &lt;policy domain="resource" name="disk" value="1GiB"/>
   &lt;policy domain="resource" name="file" value="768"/>
   &lt;policy domain="resource" name="thread" value="2"/>
   &lt;policy domain="resource" name="throttle" value="0"/>
   &lt;policy domain="resource" name="time" value="120"/>
   &lt;policy domain="resource" name="list-length" value="128"/>
   &lt;policy domain="system" name="precision" value="6"/>
   &lt;policy domain="cache" name="shared-secret" stealth="true" value="replace with your secret phrase"/>
   &lt;policy domain="coder" rights="none" pattern="MVG" />
   &lt;policy domain="coder" rights="none" pattern="EPS" />
   &lt;policy domain="coder" rights="none" pattern="PS" />
   &lt;policy domain="coder" rights="none" pattern="PS2" />
   &lt;policy domain="coder" rights="none" pattern="PS3" />
   &lt;policy domain="coder" rights="none" pattern="PDF" />
   &lt;policy domain="coder" rights="none" pattern="XPS" />
   &lt;policy domain="filter" rights="none" pattern="*" />
   &lt;policy domain="delegate" rights="none" pattern="HTTPS" />  <!--  prevent 'curl' program from reading HTTPS URL's -->
   &lt;policy domain="path" rights="none" pattern="@*"/>  <!-- indirect reads not permitted -->
 &lt;/policymap></code></pre>

 <p>Since we process multiple simultaneous sessions, we do not want any one session consuming all the available memory. With this policy, large images are cached to disk. If the image is too large and exceeds the pixel cache disk limit, the program exits. In addition, we place a time limit to prevent any run-away processing tasks. If any one image has a width or height that exceeds 8192 pixels or if an image sequence exceeds 128 frames, an exception is thrown and processing stops. As of ImageMagick 7.0.1-8 and 6.9.4-6, you can prevent the use of any delegate or all delegates (set the pattern to "*"). Note, prior to these releases, use a domain of <code>coder</code> to prevent delegate usage (e.g. <code>domain="coder" rights="none" pattern="HTTPS"</code>). We prevent users from executing any image filters.  The policy also prevents indirect reads. If you want to, for example, read text from a file (e.g. <code>caption:@myCaption.txt</code>), you'll need to disable the <code>path</code> policy.</p>

 <p>Policy patterns are <em>case sensitive</em>.  To get expected behavior, coders and modules must be upper-case (e.g. "EPS" not "eps").</p>

 <p>Here is what you can expect when you restrict the HTTPS coder, for example:</p>

 <pre class="highlight">-> convert ../images/wizard.png wizard.jpg
 convert: attempt to perform an operation not allowed by the security policy `HTTPS'
 convert: unable to open file: No such file or directory
 convert: no images defined `wizard.jpg'</pre>

 <p>As of ImageMagick version 7.0.4-7, you can conveniently deny access to all delegates and coders except for a small subset of proven web-safe image types.  For example,</p>

 <pre class="highlight"><code>&lt;policy domain="delegate" rights="none" pattern="*" />
 &lt;policy domain="coder" rights="none" pattern="*" />
 &lt;policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" /></code></pre>

 <p>Here we disable just a few Postscript related formats:</p>
 <pre class="highlight"><code>&lt;policy domain="coder" rights="none" pattern="{EPS,PS2,PS3,PS,PDF,XPS}" /></code></pre>

 <p>As of ImageMagick 7.0.7-0, you can allocate the pixel cache and some internal buffers with anonymous memory mapping rather than from heap.  As a consequence, the pixels are initialized to zero.  You can also securely delete any temporary files for increased security.  The value is the number of times to shred (replace its content with random data) before deleting a temporary file.  For example,</p>
 <pre class="highlight"><code>&lt;policy domain="system" name="memory-map" value="anonymous"/>
 &lt;policy domain="cache" name="memory-map" value="anonymous"/>
 &lt;policy domain="system" name="shred" value="1"/></code></pre>

 <p>Some image processing algorithms (e.g. wavelet transform) might consume a substantial amount of memory to complete.  ImageMagick maintains a separate memory pool for these large resource requests and as of 7.0.6-1 permits you to set a maximum request limit.  If the limit is exceeded, the allocation is instead memory-mapped on disk.  Here we limit the maximum memory request by policy:</p>
 <pre class="highlight"><code>&lt;policy domain="system" name="max-memory-request" value="256MiB"/> </code></pre>

 <p>As of ImageMagick version 7.0.4-23, you can limit the maximum number of images in a sequence.  For example, to limit an image sequence to 64 frames, use:</p>
 <pre class="highlight"><code>&lt;policy domain="resource" name="list-length" value="64"/></code></pre>

 <p>You can verify your policy changes are in effect with this command:</p>

 <pre class="pre-scrollable">-> identify -list policy
 Path: ImageMagick/policy.xml
   Policy: Resource
     name: time
     value: 120
   Policy: Resource
     name: throttle
     value: 0
   Policy: Resource
     name: thread
     value: 2
   Policy: Resource
     name: file
     value: 768
   Policy: Resource
     name: disk
     value: 1GiB
   Policy: Resource
     name: map
     value: 512MiB
   Policy: Resource
     name: memory
     value: 256MiB
   Policy: Resource
     name: area
     value: 16KP
   Policy: Resource
     name: height
     value: 8KP
   Policy: Resource
     name: width
     value: 8KP
   Policy: Resource
     name: temporary-path
     value: /tmp
   Policy: System
     name: precision
     value: 6
   Policy: Path
     rights: None
     pattern: @*

 Path: [built-in]
   Policy: Undefined
     rights: None</pre>
 <p>Notice the <code>Cache</code> policy is not listed due to the <code>stealth</code> property.</p>

 <p>As of ImageMagick 7.0.6-0, you can programmatically set the ImageMagick security policy with SetMagickSecurityPolicy() (MagickCore) or MagickSetSecurityPolicy() (MagickWand).</p>

 <p>As of ImageMagick version 7.0.8-11, you can set a module security policy.  For example, to prevent Postscript or PDF interpretation, use:</p>
 <pre class="highlight"><code>&lt;policy domain="module" rights="none" pattern="{ps,pdf,xps}/></code></pre>

 <p>For additional details about resource limits and the policy configuration file, read <a href="resources.html">Resources</a> and <a href="architecture.html">Architecture</a>.</p>

 <h2><a class="anchor" id="synchronize"></a>Pixel Cache Synchronize Policy</h2>

 <p>When writing image pixels to disk, ImageMagick firsts preallocates the disk file, which is much faster than fully populating the file with zeros.  To further increase performance, we memory-map the file on disk.  With memory-mapping, we get an increase in performance (up to 5x), however, there remains a possibility that as the disk file is populated, it may run out of free space.  The OS then throws a SIGBUS signal which prevents ImageMagick from continuing.  To prevent a SIGBUS, use this security policy:

 <pre class="highlight">
 &lt;policy domain="cache" name="synchronize" value="True"/>
 </pre>

 <p>Set to True to ensure all image data is fully flushed and synchronized to disk. There is a performance penalty, however, the benefits include ensuring a valid image file in the event of a system crash and early reporting if there is not enough disk space for the image pixel cache.</p>

 <h2><a class="anchor" id="zero-configuration"></a>Zero Configuration Security Policy</h2>

 <p>A zero configuration build of ImageMagick does not permit external configuration files.  To define your security policy, you must instead edit the <code>MagickCore/policy-private.h</code> source module, add your policy statements, and then build the ImageMagick distribution.  Here is an example zero configuration security policy:</p>

 <pre class="highlight"><code>static const char
   *ZeroConfigurationPolicy = \
 "&lt;policymap> \
   &lt;policy domain=\"coder\" rights=\"none\" pattern=\"MVG\"/> \
 &lt;/policymap>";</code></pre>

 <h2><a class="anchor" id="other"></a>Other Security Considerations</h2>

 <p>If you spot a security flaw in ImageMagick, post your concern as an issue to
 <a href="https://github.com/ImageMagick/ImageMagick/issues">GitHub</a>.  Be sure to include how to reproduce the security flaw and a link to any images needed to reproduce the flaw.  Alternatively, <a href="https://imagemagick.org/script/contact.php">contact us</a> and select Security Issue as the issue.</p>

 <p>In addition to the security policy, you can make ImageMagick safer by ...</p>
 <ul>
 <li>keeping ImageMagick up-to-date.  The latest releases have fixes for any security flaws we discovered in the past;</li>
 <li>sanitizing any filenames or command line options you pass to ImageMagick;</li>
 <li>running ImageMagick in a sanitized software container such as Docker;</li>
 <li>running ImageMagick as the least-privileged user (e.g. 'nobody');</li>
 <li>explicitly setting the image file type.  For example, use the filename <code>png:image.png</code> rather than <code>image.png</code>.  Without an explicit image type in the filename, ImageMagick guesses the image type.</li>
 </ul>

 </div>
     </div>
   </main><!-- /.container -->
   <footer class="magick-footer">
     <p><a href="security-policy.html">Security</a> •
     <a href="architecture.html">Architecture</a> •
     <a href="links.html">Related</a> •
      <a href="sitemap.html">Sitemap</a>

     <a href="security-policy.html#"><img class="d-inline" id="wand" alt="And Now a Touch of Magick" width="16" height="16" src="../images/wand.ico"/></a>

     <a href="http://pgp.mit.edu/pks/lookup?op=get&amp;search=0x89AB63D48277377A">Public Key</a> •
     <a href="support.html">Donate</a> •
     <a href="https://imagemagick.org/script/contact.php">Contact Us</a>
     <br/>
     <small>© 1999-2019 ImageMagick Studio LLC</small></p>
   </footer>

   <!-- Javascript assets -->
   <script src="assets/magick.js" crossorigin="anonymous"></script>
   <script>window.jQuery || document.write('<script src="https://localhost/ajax/libs/jquery/3.3.1/jquery.min.js"><\/script>')</script>
 </body>
 </html>
 <!-- Magick Cache 5th January 2019 11:42 -->




	<!DOCTYPE html>
	<html lang="en">
	<head>
	<meta charset="utf-8" />
	<meta name="viewport" content="width=device-width,minimum-scale=1,initial-scale=1,shrink-to-fit=no" />
	<title>Security Policy @ ImageMagick</title>
	<meta name="application-name" content="ImageMagick" />
	<meta name="description" content="Use ImageMagick® to create, edit, compose, or convert bitmap images. You can resize your image, crop it, change its shades and colors, add captions, among other operations." />
	<meta name="application-url" content="https://imagemagick.org" />
	<meta name="generator" content="PHP" />
	<meta name="keywords" content="security, policy, ImageMagick, PerlMagick, image processing, image, photo, software, Magick++, OpenMP, convert" />
	<meta name="rating" content="GENERAL" />
	<meta name="robots" content="INDEX, FOLLOW" />
	<meta name="generator" content="ImageMagick Studio LLC" />
	<meta name="author" content="ImageMagick Studio LLC" />
	<meta name="revisit-after" content="2 DAYS" />
	<meta name="resource-type" content="document" />
	<meta name="copyright" content="Copyright (c) 1999-2019 ImageMagick Studio LLC" />
	<meta name="distribution" content="Global" />
	<meta name="magick-serial" content="P131-S030410-R485315270133-P82224-A6668-G1245-1" />
	<meta name="google-site-verification" content="_bMOCDpkx9ZAzBwb2kF3PRHbfUUdFj2uO8Jd1AXArz4" />
	<link href="../www/security-policy.html" rel="canonical" />
	<link href="../images/wand.png" rel="icon" />
	<link href="../images/wand.ico" rel="shortcut icon" />
	<link href="assets/magick.css" rel="stylesheet" />
	</head>
	<body>
	<header>
	<nav class="navbar navbar-expand-md navbar-dark fixed-top bg-dark">
	<a class="navbar-brand" href="../index.html"><img class="d-block" id="icon" alt="ImageMagick" width="32" height="32" src="../images/wand.ico"/></a>
	<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarsMagick" aria-controls="navbarsMagick" aria-expanded="false" aria-label="Toggle navigation">
	<span class="navbar-toggler-icon"></span>
	</button>

	<div class="navbar-collapse collapse" id="navbarsMagick" style="">
	<ul class="navbar-nav mr-auto">
	<li class="nav-item ">
	<a class="nav-link" href="../index.html">Home <span class="sr-only">(current)</span></a>
	</li>
	<li class="nav-item ">
	<a class="nav-link" href="download.html">Download</a>
	</li>
	<li class="nav-item ">
	<a class="nav-link" href="command-line-tools.html">Tools</a>
	</li>
	<li class="nav-item ">
	<a class="nav-link" href="command-line-processing.html">Command-line</a>
	</li>
	<li class="nav-item ">
	<a class="nav-link" href="resources.html">Resources</a>
	</li>
	<li class="nav-item ">
	<a class="nav-link" href="develop.html">Develop</a>
	</li>
	<li class="nav-item">
	<a class="nav-link" target="_blank" href="https://imagemagick.org/discourse-server/">Community</a>
	</li>
	</ul>
	<form class="form-inline my-2 my-lg-0" action="https://imagemagick.org/script/search.php">
	<input class="form-control mr-sm-2" type="text" name="q" placeholder="Search" aria-label="Search">
	<button class="btn btn-outline-success my-2 my-sm-0" type="submit" name="sa">Search</button>
	</form>
	</div>
	</nav>
	<div class="container">
	<script async="async" src="http://localhost/pagead/js/adsbygoogle.js"></script> <ins class="adsbygoogle"
	style="display:block"
	data-ad-client="ca-pub-3129977114552745"
	data-ad-slot="6345125851"
	data-ad-format="auto"></ins>
	<script>
	(adsbygoogle = window.adsbygoogle \|\| []).push({});
	</script>

	</div>
	</header>
	<main class="container">
	<div class="magick-template">
	<div class="magick-header">
	<p class="text-center"><a href="security-policy.html#policy">Security Policy </a> • <a href="security-policy.html#synchronize">Pixel Cache Synchronize Policy</a> • <a href="security-policy.html#zero-configuration">Zero Configuration Security Policy</a> • <a href="security-policy.html#other">Other Security Considerations</a></p>


	<p class="lead magick-description">ImageMagick best practices strongly encourages you to configure a security <a href="https://imagemagick.org/source/policy.xml">policy.xml</a> that suits your local environment. The policy is open by default. This affords maximum utility for ImageMagick installations that run in a sandboxed environment, perhaps in a Docker instance, or behind a firewall where security risks are greatly diminished as opposed to a public website.</p>

	<p>Security is a trade-off between a secure environment and convenience. If you want ImageMagick to be optimally secure, you could, for example, limit ImageMagick to only read or write web safe images (e.g. GIF, JPEG, PNG). However, ImageMagick provides for a more secure option by adjusting the security policy per the requirements of your local environment or organizational policies. The security policy covers areas such as memory, which paths to read or write, how many images are permitted in an image sequence, how long a workflow can run, how much disk the image pixels can consume, a secret passphrase for remote connections, which coders are permitted or denied, and others. These policies should provide robust coverage to not only secure your environment per your requirements but also ensure ImageMagick remains a good citizen (e.g. prevent thrashing with large images) in your local environment.</p>

	<p>As an example, suppose you download an image from the internet and unbeknownst to you its been crafted to generate a 20000 by 20000 pixel image. ImageMagick attempts to allocate enough resources (memory, disk) and your system will likely deny the resource request and exit. However, its also possible that your computer might be temporarily sluggish or unavailable or ImageMagick may abort. To prevent such a scenario, you can set limits in the <code>policy.xml</code> configuration file. You might wonder why ImageMagick does not already include reasonable limits? Simply because what is reasonable in your environment, might not be reasonable to someone else. For example, you may have ImageMagick sandboxed where security is not a concern, whereas another user may use ImageMagick to process images on their publically accessible website. Or ImageMagick runs on a host with 1TB of memory whereas another ImageMagick instance runs on an iPhone. By policy, permitting giga-pixel image processing on the large memory host makes sense, not so much for the resource constrained iPhone. If you utilize ImageMagick from a public website, you may want to increase security by preventing usage of the MVG or HTTPS coders. Only you can decide what are reasonable limits taking in consideration your environment. We provide this policy with reasonable limits and encourage you to modify it to suit your local environment:</p>

	<pre class="pre-scrollable"><code><policymap>
	<policy domain="resource" name="temporary-path" value="/tmp"/>
	<policy domain="resource" name="memory" value="256MiB"/>
	<policy domain="resource" name="map" value="512MiB"/>
	<policy domain="resource" name="width" value="8KP"/>
	<policy domain="resource" name="height" value="8KP"/>
	<policy domain="resource" name="area" value="16KP"/>
	<policy domain="resource" name="disk" value="1GiB"/>
	<policy domain="resource" name="file" value="768"/>
	<policy domain="resource" name="thread" value="2"/>
	<policy domain="resource" name="throttle" value="0"/>
	<policy domain="resource" name="time" value="120"/>
	<policy domain="resource" name="list-length" value="128"/>
	<policy domain="system" name="precision" value="6"/>
	<policy domain="cache" name="shared-secret" stealth="true" value="replace with your secret phrase"/>
	<policy domain="coder" rights="none" pattern="MVG" />
	<policy domain="coder" rights="none" pattern="EPS" />
	<policy domain="coder" rights="none" pattern="PS" />
	<policy domain="coder" rights="none" pattern="PS2" />
	<policy domain="coder" rights="none" pattern="PS3" />
	<policy domain="coder" rights="none" pattern="PDF" />
	<policy domain="coder" rights="none" pattern="XPS" />
	<policy domain="filter" rights="none" pattern="*" />
	<policy domain="delegate" rights="none" pattern="HTTPS" /> <!-- prevent 'curl' program from reading HTTPS URL's -->
	<policy domain="path" rights="none" pattern="@*"/> <!-- indirect reads not permitted -->
	</policymap></code></pre>

	<p>Since we process multiple simultaneous sessions, we do not want any one session consuming all the available memory. With this policy, large images are cached to disk. If the image is too large and exceeds the pixel cache disk limit, the program exits. In addition, we place a time limit to prevent any run-away processing tasks. If any one image has a width or height that exceeds 8192 pixels or if an image sequence exceeds 128 frames, an exception is thrown and processing stops. As of ImageMagick 7.0.1-8 and 6.9.4-6, you can prevent the use of any delegate or all delegates (set the pattern to "*"). Note, prior to these releases, use a domain of <code>coder</code> to prevent delegate usage (e.g. <code>domain="coder" rights="none" pattern="HTTPS"</code>). We prevent users from executing any image filters. The policy also prevents indirect reads. If you want to, for example, read text from a file (e.g. <code>caption:@myCaption.txt</code>), you'll need to disable the <code>path</code> policy.</p>

	<p>Policy patterns are <em>case sensitive</em>. To get expected behavior, coders and modules must be upper-case (e.g. "EPS" not "eps").</p>

	<p>Here is what you can expect when you restrict the HTTPS coder, for example:</p>

	<pre class="highlight">-> convert ../images/wizard.png wizard.jpg
	convert: attempt to perform an operation not allowed by the security policy `HTTPS'
	convert: unable to open file: No such file or directory
	convert: no images defined `wizard.jpg'</pre>

	<p>As of ImageMagick version 7.0.4-7, you can conveniently deny access to all delegates and coders except for a small subset of proven web-safe image types. For example,</p>

	<pre class="highlight"><code><policy domain="delegate" rights="none" pattern="*" />
	<policy domain="coder" rights="none" pattern="*" />
	<policy domain="coder" rights="read \| write" pattern="{GIF,JPEG,PNG,WEBP}" /></code></pre>

	<p>Here we disable just a few Postscript related formats:</p>
	<pre class="highlight"><code><policy domain="coder" rights="none" pattern="{EPS,PS2,PS3,PS,PDF,XPS}" /></code></pre>

	<p>As of ImageMagick 7.0.7-0, you can allocate the pixel cache and some internal buffers with anonymous memory mapping rather than from heap. As a consequence, the pixels are initialized to zero. You can also securely delete any temporary files for increased security. The value is the number of times to shred (replace its content with random data) before deleting a temporary file. For example,</p>
	<pre class="highlight"><code><policy domain="system" name="memory-map" value="anonymous"/>
	<policy domain="cache" name="memory-map" value="anonymous"/>
	<policy domain="system" name="shred" value="1"/></code></pre>

	<p>Some image processing algorithms (e.g. wavelet transform) might consume a substantial amount of memory to complete. ImageMagick maintains a separate memory pool for these large resource requests and as of 7.0.6-1 permits you to set a maximum request limit. If the limit is exceeded, the allocation is instead memory-mapped on disk. Here we limit the maximum memory request by policy:</p>
	<pre class="highlight"><code><policy domain="system" name="max-memory-request" value="256MiB"/> </code></pre>

	<p>As of ImageMagick version 7.0.4-23, you can limit the maximum number of images in a sequence. For example, to limit an image sequence to 64 frames, use:</p>
	<pre class="highlight"><code><policy domain="resource" name="list-length" value="64"/></code></pre>

	<p>You can verify your policy changes are in effect with this command:</p>

	<pre class="pre-scrollable">-> identify -list policy
	Path: ImageMagick/policy.xml
	Policy: Resource
	name: time
	value: 120
	Policy: Resource
	name: throttle
	value: 0
	Policy: Resource
	name: thread
	value: 2
	Policy: Resource
	name: file
	value: 768
	Policy: Resource
	name: disk
	value: 1GiB
	Policy: Resource
	name: map
	value: 512MiB
	Policy: Resource
	name: memory
	value: 256MiB
	Policy: Resource
	name: area
	value: 16KP
	Policy: Resource
	name: height
	value: 8KP
	Policy: Resource
	name: width
	value: 8KP
	Policy: Resource
	name: temporary-path
	value: /tmp
	Policy: System
	name: precision
	value: 6
	Policy: Path
	rights: None
	pattern: @*

	Path: [built-in]
	Policy: Undefined
	rights: None</pre>
	<p>Notice the <code>Cache</code> policy is not listed due to the <code>stealth</code> property.</p>

	<p>As of ImageMagick 7.0.6-0, you can programmatically set the ImageMagick security policy with SetMagickSecurityPolicy() (MagickCore) or MagickSetSecurityPolicy() (MagickWand).</p>

	<p>As of ImageMagick version 7.0.8-11, you can set a module security policy. For example, to prevent Postscript or PDF interpretation, use:</p>
	<pre class="highlight"><code><policy domain="module" rights="none" pattern="{ps,pdf,xps}/></code></pre>

	<p>For additional details about resource limits and the policy configuration file, read <a href="resources.html">Resources</a> and <a href="architecture.html">Architecture</a>.</p>

	<h2><a class="anchor" id="synchronize"></a>Pixel Cache Synchronize Policy</h2>

	<p>When writing image pixels to disk, ImageMagick firsts preallocates the disk file, which is much faster than fully populating the file with zeros. To further increase performance, we memory-map the file on disk. With memory-mapping, we get an increase in performance (up to 5x), however, there remains a possibility that as the disk file is populated, it may run out of free space. The OS then throws a SIGBUS signal which prevents ImageMagick from continuing. To prevent a SIGBUS, use this security policy:

	<pre class="highlight">
	<policy domain="cache" name="synchronize" value="True"/>
	</pre>

	<p>Set to True to ensure all image data is fully flushed and synchronized to disk. There is a performance penalty, however, the benefits include ensuring a valid image file in the event of a system crash and early reporting if there is not enough disk space for the image pixel cache.</p>

	<h2><a class="anchor" id="zero-configuration"></a>Zero Configuration Security Policy</h2>

	<p>A zero configuration build of ImageMagick does not permit external configuration files. To define your security policy, you must instead edit the <code>MagickCore/policy-private.h</code> source module, add your policy statements, and then build the ImageMagick distribution. Here is an example zero configuration security policy:</p>

	<pre class="highlight"><code>static const char
	*ZeroConfigurationPolicy = \
	"<policymap> \
	<policy domain=\"coder\" rights=\"none\" pattern=\"MVG\"/> \
	</policymap>";</code></pre>

	<h2><a class="anchor" id="other"></a>Other Security Considerations</h2>

	<p>If you spot a security flaw in ImageMagick, post your concern as an issue to
	<a href="https://github.com/ImageMagick/ImageMagick/issues">GitHub</a>. Be sure to include how to reproduce the security flaw and a link to any images needed to reproduce the flaw. Alternatively, <a href="https://imagemagick.org/script/contact.php">contact us</a> and select Security Issue as the issue.</p>

	<p>In addition to the security policy, you can make ImageMagick safer by ...</p>
	<ul>
	<li>keeping ImageMagick up-to-date. The latest releases have fixes for any security flaws we discovered in the past;</li>
	<li>sanitizing any filenames or command line options you pass to ImageMagick;</li>
	<li>running ImageMagick in a sanitized software container such as Docker;</li>
	<li>running ImageMagick as the least-privileged user (e.g. 'nobody');</li>
	<li>explicitly setting the image file type. For example, use the filename <code>png:image.png</code> rather than <code>image.png</code>. Without an explicit image type in the filename, ImageMagick guesses the image type.</li>
	</ul>

	</div>
	</div>
	</main><!-- /.container -->
	<footer class="magick-footer">
	<p><a href="security-policy.html">Security</a> •
	<a href="architecture.html">Architecture</a> •
	<a href="links.html">Related</a> •
	<a href="sitemap.html">Sitemap</a>

	<a href="security-policy.html#"><img class="d-inline" id="wand" alt="And Now a Touch of Magick" width="16" height="16" src="../images/wand.ico"/></a>

	<a href="http://pgp.mit.edu/pks/lookup?op=get&search=0x89AB63D48277377A">Public Key</a> •
	<a href="support.html">Donate</a> •
	<a href="https://imagemagick.org/script/contact.php">Contact Us</a>
	<br/>
	<small>© 1999-2019 ImageMagick Studio LLC</small></p>
	</footer>

	<!-- Javascript assets -->
	<script src="assets/magick.js" crossorigin="anonymous"></script>
	<script>window.jQuery \|\| document.write('<script src="https://localhost/ajax/libs/jquery/3.3.1/jquery.min.js"><\/script>')</script>
	</body>
	</html>
	<!-- Magick Cache 5th January 2019 11:42 -->