setup a static imagemagick policy file

heroku · Oct 23, 2018 · 2ef80a2 · 2ef80a2
1 parent c122d2e
commit 2ef80a2
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 0 deletions.
diff --git a/cedar-14/bin/cedar-14.sh b/cedar-14/bin/cedar-14.sh
@@ -156,6 +156,21 @@ apt-cache search language-pack \
     | grep -v '\-base$' \
     | xargs apt-get install -y --force-yes --no-install-recommends
 
+cat > /etc/ImageMagick/policy.xml <<'IMAGEMAGICK_POLICY'
+<policymap>
+  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
+  <policy domain="coder" rights="none" pattern="URL" />
+  <policy domain="coder" rights="none" pattern="HTTPS" />
+  <policy domain="coder" rights="none" pattern="MVG" />
+  <policy domain="coder" rights="none" pattern="MSL" />
+  <policy domain="coder" rights="none" pattern="TEXT" />
+  <policy domain="coder" rights="none" pattern="SHOW" />
+  <policy domain="coder" rights="none" pattern="WIN" />
+  <policy domain="coder" rights="none" pattern="PLT" />
+  <policy domain="path" rights="none" pattern="@*" />
+</policymap>
+IMAGEMAGICK_POLICY
+
 cd /
 rm -rf /var/cache/apt/archives/*.deb
 rm -rf /root/*

diff --git a/heroku-16/bin/heroku-16.sh b/heroku-16/bin/heroku-16.sh
@@ -140,6 +140,22 @@ apt-get -y --purge autoremove
 apt-get purge -y openjdk-8-jre-headless
 test "$(file -b /etc/ssl/certs/java/cacerts)" = "Java KeyStore"
 
+cat > /etc/ImageMagick-6/policy.xml <<'IMAGEMAGICK_POLICY'
+<policymap>
+  <policy domain="cache" name="shared-secret" value="passphrase"/>
+  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
+  <policy domain="coder" rights="none" pattern="URL" />
+  <policy domain="coder" rights="none" pattern="HTTPS" />
+  <policy domain="coder" rights="none" pattern="MVG" />
+  <policy domain="coder" rights="none" pattern="MSL" />
+  <policy domain="coder" rights="none" pattern="TEXT" />
+  <policy domain="coder" rights="none" pattern="SHOW" />
+  <policy domain="coder" rights="none" pattern="WIN" />
+  <policy domain="coder" rights="none" pattern="PLT" />
+  <policy domain="path" rights="none" pattern="@*" />
+</policymap>
+IMAGEMAGICK_POLICY
+
 cd /
 rm -rf /root/*
 rm -rf /tmp/*

diff --git a/heroku-18/bin/heroku-18.sh b/heroku-18/bin/heroku-18.sh
@@ -173,6 +173,23 @@ apt-get install -y --no-install-recommends \
     xz-utils \
     zip \
 
+
+cat > /etc/ImageMagick-6/policy.xml <<'IMAGEMAGICK_POLICY'
+<policymap>
+  <policy domain="resource" name="memory" value="256MiB"/>
+  <policy domain="resource" name="map" value="512MiB"/>
+  <policy domain="resource" name="width" value="16KP"/>
+  <policy domain="resource" name="height" value="16KP"/>
+  <policy domain="resource" name="area" value="128MB"/>
+  <policy domain="resource" name="disk" value="1GiB"/>
+  <policy domain="delegate" rights="none" pattern="URL" />
+  <policy domain="delegate" rights="none" pattern="HTTPS" />
+  <policy domain="delegate" rights="none" pattern="HTTP" />
+  <policy domain="path" rights="none" pattern="@*"/>
+  <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/>
+</policymap>
+IMAGEMAGICK_POLICY
+
 # install the JDK for certificates, then remove it
 apt-get install -y --no-install-recommends ca-certificates-java openjdk-8-jre-headless
 apt-get remove -y ca-certificates-java