From 187a311e3f06591da83275bd858ae63f11c36f28 Mon Sep 17 00:00:00 2001
From: Kazuhiko Shiozaki <kazuhiko@nexedi.com>
Date: Wed, 4 May 2016 11:22:15 +0200
Subject: [PATCH] imagemagick: make the default policy safer.

---
 component/imagemagick/buildout.cfg      |  1 +
 component/imagemagick/safe_policy.patch | 31 +++++++++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 component/imagemagick/safe_policy.patch

diff --git a/component/imagemagick/buildout.cfg b/component/imagemagick/buildout.cfg
index d4a0f9e31..93951e8a3 100644
--- a/component/imagemagick/buildout.cfg
+++ b/component/imagemagick/buildout.cfg
@@ -60,6 +60,7 @@ configure-options =
 patch-options = -p1
 patches =
   ${:_profile_base_location_}/imagemagick-6.6.6-1-no-gsx-gsc-probe.patch#3f28ecd9f6722cf2c3238ce6ec3d7a68
+  ${:_profile_base_location_}/safe_policy.patch#6c3ed3be347d04f56f70a6266272d845
 environment =
   PATH=${freetype:location}/bin:${ghostscript:location}/bin:${inkscape:location}/bin:${libxml2:location}/bin:${patch:location}/bin:${pkgconfig:location}/bin:${xz-utils:location}/bin:%(PATH)s
   PKG_CONFIG_PATH=${:pkg_config_depends}
diff --git a/component/imagemagick/safe_policy.patch b/component/imagemagick/safe_policy.patch
new file mode 100644
index 000000000..56e40ecd4
--- /dev/null
+++ b/component/imagemagick/safe_policy.patch
@@ -0,0 +1,31 @@
+--- ImageMagick-6.8.9-1/config/policy.xml.orig	2013-01-14 14:57:39.000000000 +0100
++++ ImageMagick-6.8.9-1/config/policy.xml	2016-05-04 11:20:03.111695907 +0200
+@@ -46,14 +46,19 @@
+ -->
+ <policymap>
+   <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
+-  <!-- <policy domain="resource" name="memory" value="2GiB"/> -->
+-  <!-- <policy domain="resource" name="map" value="4GiB"/> -->
+-  <!-- <policy domain="resource" name="area" value="1GB"/> -->
+-  <!-- <policy domain="resource" name="disk" value="16EB"/> -->
+-  <!-- <policy domain="resource" name="file" value="768"/> -->
+-  <!-- <policy domain="resource" name="thread" value="4"/> -->
+-  <!-- <policy domain="resource" name="throttle" value="0"/> -->
+-  <!-- <policy domain="resource" name="time" value="3600"/> -->
+-  <!-- <policy domain="system" name="precision" value="6"/> -->
++  <policy domain="resource" name="memory" value="2GiB"/>
++  <policy domain="resource" name="map" value="4GiB"/>
++  <policy domain="resource" name="area" value="1GB"/>
++  <policy domain="resource" name="disk" value="16EB"/>
++  <policy domain="resource" name="file" value="768"/>
++  <policy domain="resource" name="thread" value="4"/>
++  <policy domain="resource" name="throttle" value="0"/>
++  <policy domain="resource" name="time" value="3600"/>
++  <policy domain="system" name="precision" value="6"/>
+   <policy domain="cache" name="shared-secret" value="passphrase"/>
++  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
++  <policy domain="coder" rights="none" pattern="HTTPS" />
++  <policy domain="coder" rights="none" pattern="MVG" />
++  <policy domain="coder" rights="none" pattern="MSL" />
++  <policy domain="path" rights="none" pattern="@*" />
+ </policymap>
-- 
2.30.9