Policy case sensitivity #4235

Closed
frederikbosch opened this issue Sep 16, 2021 · 1 comment

frederikbosch commented Sep 16, 2021

ImageMagick version

Version: ImageMagick 7.1.0-7 Q16-HDRI x86_64 2021-09-12 https://imagemagick.org

Operating system

Linux

Operating system, version and so on

alpine 3.13 self-compiled, php 7.4 using imagick extension v3.5.1

Description

ImagickException: "attempt to perform an operation not allowed by the security policy `png' @ error/static.c/RegisterStaticModule/247"

Steps to Reproduce

Code in PHP

    $imagick = new \Imagick();
    $imagick->setFormat('png');

fails with the following policy

    <policy domain="delegate" rights="none" pattern="*" />
    <policy domain="module" rights="none" pattern="*" />
    <policy domain="module" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP,SVG,BMP,TIFF}" />
    <policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP,SVG,BMP,TIFF}" />

and succeeds with the following policy.

    <policy domain="delegate" rights="none" pattern="*" />
    <policy domain="module" rights="none" pattern="*" />
    <policy domain="module" rights="read | write" pattern="{GIF,gif,JPEG,jpeg,PNG,png,WEBP,webp,SVG,svg,BMP,bmp,TIFF,tiff}" />
    <policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP,SVG,BMP,TIFF}" />

While the Security Policy Page states:

> Policy patterns are case sensitive. To get expected behavior, coders and modules must be upper-case (e.g. "EPS" not "eps").

urban-warrior (Member) commented Sep 18, 2021

The ImageMagick security policy is behaving properly. As stated, the policy patterns are case sensitive. Internally all modules & coders are uppercase. In your example, you are setting the format in lowercase. Easy fix. Set the image format to `PNG` or use a case insensitive pattern in a policy: `[Pp][Nn][Gg]`.
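
The behaviour discussed in this thread can be reproduced offline with a small policy audit, added here as an example that is not part of the thread and is not ImageMagick's code. It is a simplified model that assumes a later matching rule overrides an earlier one and that patterns are case-sensitive globs with `{a,b}` alternatives; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed input: the two module rules from the issue's failing policy,
# and a variant using the [Pp][Nn][Gg] pattern from the maintainer's reply.
FAILING = """<policymap>
  <policy domain="module" rights="none" pattern="*" />
  <policy domain="module" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP,SVG,BMP,TIFF}" />
</policymap>"""
FIXED = FAILING.replace("PNG", "[Pp][Nn][Gg]")

def expand_braces(pattern):
    """Expand {a,b,c} alternatives into a list of plain glob patterns."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(head + alt + tail))
    return out

def glob_match(name, pattern):
    """Case-sensitive glob match; fnmatchcase never folds case."""
    return any(fnmatchcase(name, p) for p in expand_braces(pattern))

def is_authorized(policy_xml, domain, right, name):
    """Assumed model: each matching rule overrides the previous verdict."""
    allowed = True  # no matching rule means nothing is denied
    for rule in ET.fromstring(policy_xml).iter("policy"):
        if rule.get("domain") != domain:
            continue
        if not glob_match(name, rule.get("pattern", "")):
            continue
        rights = {r.strip().lower() for r in rule.get("rights", "").split("|")}
        allowed = right in rights
    return allowed

def audit(policy_xml, names, domain="module", right="read"):
    """Return {name: verdict} so case gaps in an allow-list are visible."""
    return {n: is_authorized(policy_xml, domain, right, n) for n in names}

if __name__ == "__main__":
    for label, policy in (("failing", FAILING), ("fixed", FIXED)):
        print(label, audit(policy, ["PNG", "png", "Png", "EPS"]))
```

With the deny-all rule first, a name that misses the allow-list only because of its case falls through to `rights="none"`, which is the failure reported in this issue.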
