
Per user policy.xml support

Open Whissi opened this issue 7 years ago • 1 comments

Since CVE-2018-16509 it is recommended for distributions to ship a default policy.xml with the following content to limit the attack vector by default:

    <policy domain="coder" rights="none" pattern="PS" />
    <policy domain="coder" rights="none" pattern="PS2" />
    <policy domain="coder" rights="none" pattern="PS3" />
    <policy domain="coder" rights="none" pattern="EPS" />
    <policy domain="coder" rights="none" pattern="PDF" />
    <policy domain="coder" rights="none" pattern="XPS" />

The problem is that this policy will also disable read access. In other words: with such a policy in place, you can't even generate thumbnails for PDFs anymore in applications like Nextcloud which are using imagick:

    ImagickException: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/408

While it is a good idea to restrict access to coders in general (and the CVE mentioned above showed how easy it is to exploit a system if you can trigger Ghostscript), you want to install a specific policy.xml which will allow read access, for example if you want to process PDF files on purpose. By default, ImageMagick will try to read policy.xml in the following order, which will allow you to adjust restrictions per user:

  1. $PREFIX/etc/ImageMagick-7
  2. $PREFIX/share/ImageMagick-7
  3. $XDG_CACHE_HOME/ImageMagick
  4. $HOME/.config/ImageMagick

E.g. you start with a default policy.xml which will disable all coders in /etc/ImageMagick-7/policy.xml, but you can enable the PDF coder, for example, via $HOME/.config/ImageMagick/policy.xml for your limited user.

However, when you use PHP-FPM this won't work because the imagick extension will be initialized in the FPM master process, which is running as root on most systems by default. That said, only

  1. /etc/ImageMagick-7/policy.xml
  2. /usr/share/ImageMagick-7/policy.xml
  3. /root/.config/ImageMagick/policy.xml

will be read. But you obviously don't want to enable coders for the root user...

It would be nice if you could initialize imagick in the actual worker process instead which is using a separate user. This would allow you to enable specific coders only for specific PHP-FPM pools.

Whissi avatar Dec 13 '18 19:12 Whissi
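To make the distinction between `rights="none"` and `rights="read"` concrete, here is an added example (not ImageMagick's or the imagick extension's code) that parses the coder entries of a policy.xml and answers whether a read or write of a given coder would be allowed. It embeds the policy quoted in the issue and a constructed variant where only the PDF line is changed to `rights="read"`. The matching rule (any matching entry that lacks the requested right denies; unmatched coders are allowed), the case-insensitive glob matching of `pattern`, and the `RIGHTS` bit values are simplifying assumptions for this model, not a claim about ImageMagick internals.

```python
"""Toy model of ImageMagick's policy.xml coder check (added example).

Assumptions: only the "coder" domain is modelled, patterns are matched
as case-insensitive shell globs, and a request is denied as soon as one
matching entry lacks the requested right.
"""
import fnmatch
import xml.etree.ElementTree as ET

# The policy from the issue: every Ghostscript-backed coder gets rights="none".
DEFAULT_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>"""

# Constructed variant for a service that must thumbnail PDFs: reading PDF
# is allowed, writing it is not, and the PostScript coders stay disabled.
READ_PDF_POLICY = DEFAULT_POLICY.replace(
    '<policy domain="coder" rights="none" pattern="PDF" />',
    '<policy domain="coder" rights="read" pattern="PDF" />')

# Bit values are an assumption of this model, not ImageMagick's own constants.
RIGHTS = {"none": 0, "read": 1, "write": 2, "execute": 4}


def parse_rights(value):
    """Turn 'read', 'read|write', 'read,write' or 'none' into a bitmask."""
    mask = 0
    for token in value.replace("|", ",").replace(" ", ",").split(","):
        token = token.strip().lower()
        if token:
            mask |= RIGHTS[token]
    return mask


def load_coder_policies(xml_text):
    """Return [(pattern, rights_mask)] for the coder domain, in file order."""
    root = ET.fromstring(xml_text)
    return [(p.get("pattern", "*"), parse_rights(p.get("rights", "none")))
            for p in root.iter("policy")
            if p.get("domain", "").lower() == "coder"]


def is_coder_authorized(policies, coder, right):
    """Deny if any matching entry lacks the requested right (model assumption)."""
    wanted = RIGHTS[right]
    for pattern, mask in policies:
        if fnmatch.fnmatchcase(coder.upper(), pattern.upper()):
            if mask & wanted == 0:
                return False
    return True


def check(xml_text, coder, right):
    """Return a one-line verdict in the spirit of the ImagickException above."""
    if is_coder_authorized(load_coder_policies(xml_text), coder, right):
        return f"{right} {coder}: allowed"
    return f"{right} {coder}: not allowed by the security policy `{coder}'"


if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("read-pdf", READ_PDF_POLICY)):
        print(f"[{name}]")
        for coder, right in (("PDF", "read"), ("PDF", "write"),
                             ("EPS", "read"), ("PNG", "read")):
            print("  " + check(policy, coder, right))
```

Running it shows the default policy rejecting `read PDF` (the thumbnail case from the issue) while the variant allows `read PDF`, still rejects `write PDF` and `read EPS`, and leaves unrelated coders such as PNG untouched. Whichever policy file is loaded, that is the effect to verify on a real installation before relying on per-user overrides.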

That's a pretty good idea.

Do you know if it's possible, or of another extension that does something similar?

I guess it might be possible to do, by skipping calling MagickWandGenesis() to initialise the ImageMagick library in the PHP-FPM master process, and to only initialise it from one of the child processes, but I am unsure if that is actually likely to work or not.

btw have you seen https://github.com/Danack/ImagickContained as a way of completely isolating ImageMagick processes?

Danack avatar Dec 14 '18 11:12 Danack