diff options
author | Cristy <urban-warrior@imagemagick.org> | 2018-08-24 20:43:50 -0400 |
---|---|---|
committer | Cristy <urban-warrior@imagemagick.org> | 2018-08-24 20:44:35 -0400 |
commit | c809ff7b9a0298cb5288399dd1ae495e2712d4ef (patch) | |
tree | 8393a7c1f94a7316c53697b8df838ebe9ca9068f | |
parent | fd9289abe5e4b71273c9856a9df371319adb5a8c (diff) | |
download | ImageMagick-c809ff7b9a0298cb5288399dd1ae495e2712d4ef.tar.gz |
Support "module" security policy
-rw-r--r-- | MagickCore/module.c | 27 | ||||
-rw-r--r-- | MagickCore/option.c | 1 | ||||
-rw-r--r-- | MagickCore/policy.c | 1 | ||||
-rw-r--r-- | MagickCore/policy.h | 3 | ||||
-rw-r--r-- | config/policy.xml | 1 |
5 files changed, 24 insertions, 9 deletions
diff --git a/MagickCore/module.c b/MagickCore/module.c index 29cf57672..2baffed84 100644 --- a/MagickCore/module.c +++ b/MagickCore/module.c @@ -959,6 +959,14 @@ MagickExport MagickBooleanType InvokeDynamicImageFilter(const char *tag, if ((*images)->debug != MagickFalse) (void) LogMagickEvent(TraceEvent,GetMagickModule(),"%s", (*images)->filename); + rights=ReadPolicyRights; + if (IsRightsAuthorized(FilterPolicyDomain,rights,tag) == MagickFalse) + { + errno=EPERM; + (void) ThrowMagickException(exception,GetMagickModule(),PolicyError, + "NotAuthorized","`%s'",tag); + return(MagickFalse); + } #if !defined(MAGICKCORE_BUILD_MODULES) { MagickBooleanType @@ -969,14 +977,6 @@ MagickExport MagickBooleanType InvokeDynamicImageFilter(const char *tag, return(status); } #endif - rights=ReadPolicyRights; - if (IsRightsAuthorized(FilterPolicyDomain,rights,tag) == MagickFalse) - { - errno=EPERM; - (void) ThrowMagickException(exception,GetMagickModule(),PolicyError, - "NotAuthorized","`%s'",tag); - return(MagickFalse); - } TagToFilterModuleName(tag,name); status=GetMagickModulePath(name,MagickImageFilterModule,path,exception); if (status == MagickFalse) @@ -1234,6 +1234,9 @@ MagickPrivate MagickBooleanType OpenModule(const char *module, ModuleInfo *module_info; + PolicyRights + rights; + register const CoderInfo *p; @@ -1247,6 +1250,14 @@ MagickPrivate MagickBooleanType OpenModule(const char *module, module_info=(ModuleInfo *) GetModuleInfo(module,exception); if (module_info != (ModuleInfo *) NULL) return(MagickTrue); + rights=ReadPolicyRights; + if (IsRightsAuthorized(ModulePolicyDomain,rights,tag) == MagickFalse) + { + errno=EPERM; + (void) ThrowMagickException(exception,GetMagickModule(),PolicyError, + "NotAuthorized","`%s'",tag); + return(MagickFalse); + } (void) CopyMagickString(module_name,module,MagickPathExtent); p=GetCoderInfo(module,exception); if (p != (CoderInfo *) NULL) diff --git a/MagickCore/option.c b/MagickCore/option.c index c3c5c7fb9..78c90b42c 100644 --- a/MagickCore/option.c +++ b/MagickCore/option.c @@ -1834,6 +1834,7 @@ static const OptionInfo { "Coder", CoderPolicyDomain, UndefinedOptionFlag, MagickFalse }, { "Delegate", DelegatePolicyDomain, UndefinedOptionFlag, MagickFalse }, { "Filter", FilterPolicyDomain, UndefinedOptionFlag, MagickFalse }, + { "Module", ModulePolicyDomain, UndefinedOptionFlag, MagickFalse }, { "Path", PathPolicyDomain, UndefinedOptionFlag, MagickFalse }, { "Resource", ResourcePolicyDomain, UndefinedOptionFlag, MagickFalse }, { "System", SystemPolicyDomain, UndefinedOptionFlag, MagickFalse }, diff --git a/MagickCore/policy.c b/MagickCore/policy.c index 1c47c746f..b17ac4649 100644 --- a/MagickCore/policy.c +++ b/MagickCore/policy.c @@ -1254,6 +1254,7 @@ MagickExport MagickBooleanType SetMagickSecurityPolicyValue( case CoderPolicyDomain: case DelegatePolicyDomain: case FilterPolicyDomain: + case ModulePolicyDomain: case PathPolicyDomain: default: break; diff --git a/MagickCore/policy.h b/MagickCore/policy.h index c29af372b..363a0c3cb 100644 --- a/MagickCore/policy.h +++ b/MagickCore/policy.h @@ -34,7 +34,8 @@ typedef enum PathPolicyDomain, ResourcePolicyDomain, SystemPolicyDomain, - CachePolicyDomain + CachePolicyDomain, + ModulePolicyDomain } PolicyDomain; typedef enum diff --git a/config/policy.xml b/config/policy.xml index 0d854269d..49e600e1a 100644 --- a/config/policy.xml +++ b/config/policy.xml @@ -69,6 +69,7 @@ <!-- <policy domain="resource" name="throttle" value="0"/> --> <!-- <policy domain="resource" name="time" value="3600"/> --> <!-- <policy domain="coder" rights="none" pattern="MVG" /> --> + <!-- <policy domain="module" rights="none" pattern="{ps,pdf,xps}" /> --> <!-- <policy domain="delegate" rights="none" pattern="HTTPS" /> --> <!-- <policy domain="path" rights="none" pattern="@*" /> --> <!-- <policy domain="cache" name="memory-map" value="anonymous"/> --> |