1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
|
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" />
<meta http-equiv="x-ua-compatible" content="ie=edge" />
<title>Security Policy @ ImageMagick</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8"/>
<meta name="application-name" content="ImageMagick"/>
<meta name="description" content="ImageMagick® is a software suite to create, edit, compose, or convert bitmap images. It can read and write images in a variety of formats (over 200) including PNG, JPEG, JPEG-2000, GIF, WebP, Postscript, PDF, and SVG. Use ImageMagick to resize, flip, mirror, rotate, distort, shear and transform images, adjust image colors, apply various special effects, or draw text, lines, polygons, ellipses and Bézier curves."/>
<meta name="application-url" content="https://www.imagemagick.org"/>
<meta name="generator" content="PHP"/>
<meta name="keywords" content="security, policy, ImageMagick, PerlMagick, image processing, image, photo, software, Magick++, OpenMP, convert"/>
<meta name="rating" content="GENERAL"/>
<meta name="robots" content="INDEX, FOLLOW"/>
<meta name="generator" content="ImageMagick Studio LLC"/>
<meta name="author" content="ImageMagick Studio LLC"/>
<meta name="revisit-after" content="2 DAYS"/>
<meta name="resource-type" content="document"/>
<meta name="copyright" content="Copyright (c) 1999-2017 ImageMagick Studio LLC"/>
<meta name="distribution" content="Global"/>
<meta name="magick-serial" content="P131-S030410-R485315270133-P82224-A6668-G1245-1"/>
<meta name="google-site-verification" content="_bMOCDpkx9ZAzBwb2kF3PRHbfUUdFj2uO8Jd1AXArz4" />
<link rel="canonical" href="https://www.imagemagick.org/script/security-policy.html"/>
<link rel="icon" href="../images/wand.png"/>
<link rel="shortcut icon" href="../images/wand.ico"/>
<link rel="stylesheet" type="text/css" href="http://fonts.googleapis.com/css?family=Roboto:900,400,400italic,700,700italic,300,300italic|Open+Sans:300italic,400italic,700italic,300,400,600,700" />
<link rel="stylesheet" href="css/magick.css"/>
</head>
<body>
<div class="main">
<div class="magick-masthead">
<div class="container">
<script async="async" src="http://localhost/pagead/js/adsbygoogle.js"></script> <ins class="adsbygoogle"
style="display:block"
data-ad-client="ca-pub-3129977114552745"
data-ad-slot="6345125851"
data-ad-format="auto"></ins>
<script>
(adsbygoogle = window.adsbygoogle || []).push({});
</script>
<nav class="magick-nav">
<a class="magick-nav-item " href="../index.html">Home</a>
<a class="magick-nav-item " href="download.html">Download</a>
<a class="magick-nav-item " href="command-line-tools.html">Tools</a>
<a class="magick-nav-item " href="command-line-processing.html">Command-line</a>
<a class="magick-nav-item " href="resources.html">Resources</a>
<a class="magick-nav-item " href="develop.html">Develop</a>
<a class="magick-nav-item " href="https://www.imagemagick.org/script/search.php">Search</a>
<a class="magick-nav-item float-right" href="https://www.imagemagick.org/discourse-server/">Community</a>
</nav>
</div>
</div>
<div class="container">
<div class="magick-header">
<p class="text-center"><a href="security-policy.html#policy">Security Policy </a> • <a href="security-policy.html#zero-configuration">Zero Configuration Security Policy</a> • <a href="security-policy.html#other">Other Security Considerations</a></p>
<p class="lead magick-description">ImageMagick includes a security policy configuration file, <a href="https://www.imagemagick.org/source/policy.xml">policy.xml</a>. It is useful for limiting the resources consumed by ImageMagick and can help prevent a denial-of-service or other exploits.</p>
<p>As an example, suppose you download an image from the internet and unbeknownst to you its been crafted to generate a 20000 by 20000 pixel image. ImageMagick attempts to allocate enough resources (memory, disk) and your system will likely deny the resource request and exit. However, its also possible that your computer might be temporarily sluggish or unavailable or ImageMagick may abort. To prevent such a scenario, you can set limits in the <code>policy.xml</code> configuration file. You may ask why ImageMagick does not already include reasonable limits? Simply because what is reasonable in your environment, might not be reasonable to someone else. For example, you may have ImageMagick sandboxed where security is not a concern, whereas another user may use ImageMagick to process images on their publically accessible website. Or ImageMagick is running on a host with 1TB of memory whereas another ImageMagick instance is running on an iPhone. By policy, permitting giga-pixel image processing on the large memory host makes sense, not so much for the resource constrained iPhone. If you utilize ImageMagick from a public website, you may want to increase security by preventing usage of the MVG or HTTPS coders. Only you can decide what are reasonable limits taking in consideration your environment. We provide this policy with reasonable limits and encourage you to modify it to suit your local environment:</p>
<pre class="pre-scrollable">
<policymap>
<policy domain="resource" name="temporary-path" value="/tmp"/>
<policy domain="resource" name="memory" value="256MiB"/>
<policy domain="resource" name="map" value="512MiB"/>
<policy domain="resource" name="width" value="8KP"/>
<policy domain="resource" name="height" value="8KP"/>
<policy domain="resource" name="area" value="16KP"/>
<policy domain="resource" name="disk" value="1GiB"/>
<policy domain="resource" name="file" value="768"/>
<policy domain="resource" name="thread" value="2"/>
<policy domain="resource" name="throttle" value="0"/>
<policy domain="resource" name="time" value="120"/>
<policy domain="system" name="precision" value="6"/>
<policy domain="cache" name="shared-secret" stealth="true" value="replace with your secret phrase"/>
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="delegate" rights="none" pattern="HTTPS" /> <!-- prevent 'curl' program from reading HTTPS URL's -->
<policy domain="path" rights="none" pattern="@*"/> <!-- indirect reads not permitted -->
</policymap>
</pre>
<p>Since we process multiple simultaneous sessions, we do not want any one session consuming all the available memory.With this policy, large images are cached to disk. If the image is too large and exceeds the pixel cache disk limit, the program exits. In addition, we place a time limit to prevent any run-away processing tasks. If any one image has a width or height that exceeds 8192 pixels, an exception is thrown and processing stops. As of ImageMagick 7.0.1-8 and 6.9.4-6, you can prevent the use of any delegate or all delegates (set the pattern to "*"). Note, prior to these releases, use a domain of <code>coder</code> to prevent delegate usage (e.g. <code>domain="coder" rights="none" pattern="HTTPS"</code>). The policy also prevents indirect reads. If you want to, for example, read text from a file (e.g. <code>caption:@myCaption.txt</code>), you'll need to disable the <code>path</code> policy.</p>
<p>Here is what you can expect when you restrict the HTTPS coder, for example:</p>
<pre>
$ convert https://www.imagemagick.org/images/wizard.png wizard.jpg
convert: not authorized `HTTPS'
convert: unable to open file: No such file or directory
convert: no images defined `wizard.jpg'
</pre>
<p>As of ImageMagick version 7.0.4-7, you can conveniently deny access to all delegates and coders except for a small subset of proven web-safe image types. For example,</p>
<pre>
<policy domain="delegate" rights="none" pattern="*" />
<policy domain="coder" rights="none" pattern="*" />
<policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
</pre>
<p>As of ImageMagick 7.0.5-5, you can allocate the pixel cache and some internal buffers with anonymous memory mapping rather than from heap. As a consequence, the pixels are initialized to zero. You can also securely delete any temporary files for increased security. The value is the number of times to shred (replace its content with random data) before deleting a temporary file. For example,</p>
<pre>
<policy domain="system" name="memory-map" value="anonymous"/>
<policy domain="cache" name="memory-map" value="anonymous"/>
<policy domain="system" name="shred" value="1"/>
</pre>
<p>You can verify your policy changes are in effect with this command:</p>
<pre class="pre-scrollable">
-> identify -list policy
Path: ImageMagick/policy.xml
Policy: Resource
name: time
value: 120
Policy: Resource
name: throttle
value: 0
Policy: Resource
name: thread
value: 2
Policy: Resource
name: file
value: 768
Policy: Resource
name: disk
value: 1GiB
Policy: Resource
name: map
value: 512MiB
Policy: Resource
name: memory
value: 256MiB
Policy: Resource
name: area
value: 16KP
Policy: Resource
name: height
value: 8KP
Policy: Resource
name: width
value: 8KP
Policy: Resource
name: temporary-path
value: /tmp
Policy: System
name: precision
value: 6
Policy: Path
rights: None
pattern: @*
Path: [built-in]
Policy: Undefined
rights: None
</pre>
<p>Notice the <code>Cache</code> policy is not listed due to the <code>stealth</code> property.</p>
<p>For additional details about resource limits and the policy configuration file, read <a href="resources.html">Resources</a> and <a href="architecture.html">Architecture</a>.</p>
<h2 class="magick-header"><a id="zero-configuration"></a>Zero Configuration Security Policy</h2>
<p>A zero configuration build of ImageMagick does not permit external configuration files. To define your security policy, you must instead edit the <code>MagickCore/policy-private.h</code> source module, add your policy statements, and then build the ImageMagick distribution. Here is an example zero configuration security policy:</p>
<pre>
static const char
*ZeroConfigurationPolicy = \
"<policymap> \
<policy domain=\"coder\" rights=\"none\" pattern=\"MVG\"/> \
</policymap>";
</pre>
<h2 class="magick-header"><a id="other"></a>Other Security Considerations</h2>
<p>If you spot a security flaw in ImageMagick, <a href="https://www.imagemagick.org/script/contact.php">contact us</a> and select Security Issue as the issue. Alternatively, post your concern to <a href="https://github.com/ImageMagick/ImageMagick/issues">GitHub</a>. Be sure to include how to reproduce the security flaw and a link to any images needed to reproduce the flaw.</p>
<p>In addition to the security policy, you can make ImageMagick safer by ...</p>
<ul>
<li>keeping ImageMagick up-to-date. The latest releases have fixes for any security flaws we discovered in the past.</li>
<li>sanitizing any filenames or command line options you pass to ImageMagick.</li>
<li>running ImageMagick in a sanitized software container such as Docker.</li>
<li>running ImageMagick as the least-privileged user (e.g. 'nobody').</li>
<li>explicitly setting the image file type. For example, use the filename <code>png:image.png</code> rather than <code>image.png</code>. Without an explicit image type in the filename, ImageMagick guesses the image type.</li>
</ul>
</div>
<footer class="magick-footer">
<p><a href="support.html">Donate</a> •
<a href="sitemap.html">Sitemap</a> •
<a href="links.html">Related</a> •
<a href="security-policy.html">Security</a> •
<a href="architecture.html">Architecture</a>
</p>
<p><a href="security-policy.html#">Back to top</a> •
<a href="http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x89AB63D48277377A">Public Key</a> •
<a href="https://www.imagemagick.org/script/contact.php">Contact Us</a></p>
<p><small>© 1999-2017 ImageMagick Studio LLC</small></p>
</footer>
</div><!-- /.container -->
<script src="https://localhost/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
<script src="../js/magick.html"></script>
</div>
</body>
</html>
<!-- Magick Cache 10th June 2017 13:15 -->
|
