@yanowitz
Last active March 21, 2019 09:06
fixing https://imagetragick.com/ (CVE-2016-3714) on heroku
1. Create a policy file in your deploy repo's root dir (e.g., .ImageMagick/policy.xml, contents below) and commit it.
2. Set the following config var:
heroku config:set MAGICK_CONFIGURE_PATH=/app/.ImageMagick -a YOUR-APP-NAME
3. Deploy
4. heroku run bash -a YOUR-APP-NAME
5. Run `convert -list policy`. The output should list your policy file after the built-in one, with the disabled coders:
Path: [built-in]
  Policy: Undefined
    rights: None
Path: /app/.ImageMagick/policy.xml
  Policy: Coder
    rights: None
    pattern: EPHEMERAL
  Policy: Coder
    rights: None
    pattern: HTTPS
  Policy: Coder
    rights: None
    pattern: MVG
  Policy: Coder
    rights: None
    pattern: MSL

Contents of .ImageMagick/policy.xml:
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
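Checking the policy by eye works for a handful of coders, but it is easy to miss one. The script below is an added example, not part of the gist: it parses either a policy.xml file or the text printed by `convert -list policy` and reports which coders from an expected list are still unrestricted. The expected list contains only the coders that appear on this page (the four from the gist plus URL from the Heroku default); it is an assumption for the example, not a complete hardening list. The sample inputs are constructed from the listings shown above.

```python
"""Report ImageMagick coders that an ImageTragick (CVE-2016-3714) policy leaves enabled."""
import xml.etree.ElementTree as ET

# Assumption: the coders seen on this page. A real deployment should check
# against the current upstream recommendations, which list more than these.
EXPECTED_DISABLED = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL")

# Constructed sample: the policy.xml from the gist (no URL entry).
GIST_POLICY_XML = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

# Constructed sample: the Heroku default policy quoted in the comments.
HEROKU_DEFAULT_XML = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>"""

# Constructed sample: `convert -list policy` output as shown in the gist.
GIST_LISTING = """Path: [built-in]
  Policy: Undefined
    rights: None
Path: /app/.ImageMagick/policy.xml
  Policy: Coder
    rights: None
    pattern: EPHEMERAL
  Policy: Coder
    rights: None
    pattern: HTTPS
  Policy: Coder
    rights: None
    pattern: MVG
  Policy: Coder
    rights: None
    pattern: MSL
"""


def disabled_coders_from_xml(xml_text):
    """Return the set of coder patterns whose rights are 'none' in a policy.xml."""
    root = ET.fromstring(xml_text)
    disabled = set()
    for policy in root.iter("policy"):
        if policy.get("domain") == "coder" and policy.get("rights", "").lower() == "none":
            disabled.add(policy.get("pattern", "").upper())
    return disabled


def disabled_coders_from_listing(listing):
    """Return the same set from the text of `convert -list policy`.

    Each entry is a 'Policy:' line followed by 'rights:' and, for coders,
    a 'pattern:' line; indentation is ignored so both the gist's and the
    comment's formatting parse the same way.
    """
    disabled = set()
    current = {}
    for raw in listing.splitlines():
        line = raw.strip()
        if line.startswith("Policy:"):
            current = {"policy": line.split(":", 1)[1].strip()}
        elif line.startswith("rights:"):
            current["rights"] = line.split(":", 1)[1].strip()
        elif line.startswith("pattern:"):
            current["pattern"] = line.split(":", 1)[1].strip()
            if current.get("policy") == "Coder" and current.get("rights") == "None":
                disabled.add(current["pattern"].upper())
    return disabled


def missing_restrictions(disabled, expected=EXPECTED_DISABLED):
    """Coders from `expected` that the policy still allows, sorted for stable output."""
    return sorted(set(expected) - set(disabled))


if __name__ == "__main__":
    for name, disabled in (
        ("gist policy.xml", disabled_coders_from_xml(GIST_POLICY_XML)),
        ("heroku default policy.xml", disabled_coders_from_xml(HEROKU_DEFAULT_XML)),
        ("gist convert -list policy", disabled_coders_from_listing(GIST_LISTING)),
    ):
        missing = missing_restrictions(disabled)
        status = "OK" if not missing else "still enabled: " + ", ".join(missing)
        print(f"{name}: {status}")
```

Run against the gist's own policy.xml, the script reports URL as still enabled, which is the difference between the gist's file and the Heroku default quoted in the comments. On a dyno you would feed it the real file or the captured `convert -list policy` output instead of the constructed samples.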
@grosser
grosser commented May 4, 2016

Seems to be the default on Heroku already:

Path: /etc/ImageMagick/policy.xml
  Policy: Coder
    rights: None
    pattern: EPHEMERAL
  Policy: Coder
    rights: None
    pattern: URL
  Policy: Coder
    rights: None
    pattern: HTTPS
  Policy: Coder
    rights: None
    pattern: MVG
  Policy: Coder
    rights: None
    pattern: MSL
cat /etc/ImageMagick/policy.xml
<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>

@adamniedzielski

In case it helps anyone: I had to run `heroku restart` to get the above output from `cat /etc/ImageMagick/policy.xml`.

@jimbrowne
Note that additional coders need to be disabled. I suggest looking at these links for the latest recommendations:

@iamakimmer
What if you do need https for the convert function, can I add rights to it?

@jamesfzhang
Seems like Heroku no longer lets you alter the policies now that they have default ones? I need access to https for converts.
