From 187a311e3f06591da83275bd858ae63f11c36f28 Mon Sep 17 00:00:00 2001 From: Kazuhiko Shiozaki <kazuhiko@nexedi.com> Date: Wed, 4 May 2016 11:22:15 +0200 Subject: [PATCH] imagemagick: make the default policy safer. --- component/imagemagick/buildout.cfg | 1 + component/imagemagick/safe_policy.patch | 31 +++++++++++++++++++++++++ 2 files changed, 32 insertions(+) create mode 100644 component/imagemagick/safe_policy.patch diff --git a/component/imagemagick/buildout.cfg b/component/imagemagick/buildout.cfg index d4a0f9e31..93951e8a3 100644 --- a/component/imagemagick/buildout.cfg +++ b/component/imagemagick/buildout.cfg @@ -60,6 +60,7 @@ configure-options = patch-options = -p1 patches = ${:_profile_base_location_}/imagemagick-6.6.6-1-no-gsx-gsc-probe.patch#3f28ecd9f6722cf2c3238ce6ec3d7a68 + ${:_profile_base_location_}/safe_policy.patch#6c3ed3be347d04f56f70a6266272d845 environment = PATH=${freetype:location}/bin:${ghostscript:location}/bin:${inkscape:location}/bin:${libxml2:location}/bin:${patch:location}/bin:${pkgconfig:location}/bin:${xz-utils:location}/bin:%(PATH)s PKG_CONFIG_PATH=${:pkg_config_depends} diff --git a/component/imagemagick/safe_policy.patch b/component/imagemagick/safe_policy.patch new file mode 100644 index 000000000..56e40ecd4 --- /dev/null +++ b/component/imagemagick/safe_policy.patch @@ -0,0 +1,31 @@ +--- ImageMagick-6.8.9-1/config/policy.xml.orig 2013-01-14 14:57:39.000000000 +0100 ++++ ImageMagick-6.8.9-1/config/policy.xml 2016-05-04 11:20:03.111695907 +0200 +@@ -46,14 +46,19 @@ + --> + <policymap> + <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> --> +- <!-- <policy domain="resource" name="memory" value="2GiB"/> --> +- <!-- <policy domain="resource" name="map" value="4GiB"/> --> +- <!-- <policy domain="resource" name="area" value="1GB"/> --> +- <!-- <policy domain="resource" name="disk" value="16EB"/> --> +- <!-- <policy domain="resource" name="file" value="768"/> --> +- <!-- <policy domain="resource" name="thread" value="4"/> --> +- <!-- <policy domain="resource" name="throttle" value="0"/> --> +- <!-- <policy domain="resource" name="time" value="3600"/> --> +- <!-- <policy domain="system" name="precision" value="6"/> --> ++ <policy domain="resource" name="memory" value="2GiB"/> ++ <policy domain="resource" name="map" value="4GiB"/> ++ <policy domain="resource" name="area" value="1GB"/> ++ <policy domain="resource" name="disk" value="16EB"/> ++ <policy domain="resource" name="file" value="768"/> ++ <policy domain="resource" name="thread" value="4"/> ++ <policy domain="resource" name="throttle" value="0"/> ++ <policy domain="resource" name="time" value="3600"/> ++ <policy domain="system" name="precision" value="6"/> + <policy domain="cache" name="shared-secret" value="passphrase"/> ++ <policy domain="coder" rights="none" pattern="EPHEMERAL" /> ++ <policy domain="coder" rights="none" pattern="HTTPS" /> ++ <policy domain="coder" rights="none" pattern="MVG" /> ++ <policy domain="coder" rights="none" pattern="MSL" /> ++ <policy domain="path" rights="none" pattern="@*" /> + </policymap> -- 2.30.9