Skip to content

Instantly share code, notes, and snippets.

@AlekseyKorzun
Created May 5, 2016 12:49
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save AlekseyKorzun/e5da089896785716421649b4f1bd8a90 to your computer and use it in GitHub Desktop.
Policy update to secure ImageMagik
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
<!ELEMENT policymap (policy)+>
<!ELEMENT policy (#PCDATA)>
<!ATTLIST policy domain (delegate|coder|filter|path|resource) #IMPLIED>
<!ATTLIST policy name CDATA #IMPLIED>
<!ATTLIST policy rights CDATA #IMPLIED>
<!ATTLIST policy pattern CDATA #IMPLIED>
<!ATTLIST policy value CDATA #IMPLIED>
]>
<policymap>
<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="path" rights="none" pattern="@*" />
</policymap>
@AlekseyKorzun
Copy link
Author

AlekseyKorzun commented May 5, 2016

Secure Nginx + PHP-FPM based instance(s):

sudo su -
IM_POLICY_XML=`convert -list policy |grep "policy\.xml" | sed  "s/Path: //"`
export IM_POLICY_XML
curl "https://gist.githubusercontent.com/AlekseyKorzun/e5da089896785716421649b4f1bd8a90/raw/27ae49bcd9012280659148186cc1defe6ca0732c/policy.xml" > $IM_POLICY_XML
convert -list policy |grep -q 'EPHEMERAL' && echo 'Secured!'
service php-fpm restart
service php5-fpm restart
service nginx restart

Secure Apache based instance(s):

sudo su -
IM_POLICY_XML=`convert -list policy |grep "policy\.xml" | sed  "s/Path: //"`
export IM_POLICY_XML
curl "https://gist.githubusercontent.com/AlekseyKorzun/e5da089896785716421649b4f1bd8a90/raw/27ae49bcd9012280659148186cc1defe6ca0732c/policy.xml" > $IM_POLICY_XML
convert -list policy |grep -q 'EPHEMERAL' && echo 'Secured!'
service httpd restart
service apache2 restart

Secure CPanel based instance(s):

sudo su -
IM_POLICY_XML=`convert -list policy |grep "policy\.xml" | sed  "s/Path: //"`
export IM_POLICY_XML
curl "https://gist.githubusercontent.com/AlekseyKorzun/e5da089896785716421649b4f1bd8a90/raw/27ae49bcd9012280659148186cc1defe6ca0732c/policy.xml" > $IM_POLICY_XML
convert -list policy |grep -q 'EPHEMERAL' && echo 'Secured!'
/scripts/restartsrv_httpd
/scripts/restartsrv_cpanel_php_fpm

Secure custom instance(s):

sudo su -
IM_POLICY_XML=`convert -list policy |grep "policy\.xml" | sed  "s/Path: //"`
export IM_POLICY_XML
curl "https://gist.githubusercontent.com/AlekseyKorzun/e5da089896785716421649b4f1bd8a90/raw/27ae49bcd9012280659148186cc1defe6ca0732c/policy.xml" > $IM_POLICY_XML
convert -list policy |grep -q 'EPHEMERAL' && echo 'Secured!'
sudo service httpd restart
gmrestart

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment