Last active
March 21, 2019 09:06
-
-
Save yanowitz/8329d8b27d8294ca7027f504326fd629 to your computer and use it in GitHub Desktop.
fixing https://imagetragick.com/ (CVE-2016–3714) on heroku
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1. Create a directory/file in your deploy repo's root dir (e.g., .ImageMagic/policy.xml), commit it. | |
| 2. Set the following config var: | |
| heroku config:set MAGICK_CONFIGURE_PATH=/app/.ImageMagick -a YOUR-APP-NAME | |
| 3. Deploy | |
| 4. heroku run bash -a YOUR-APP-NAME | |
| 5. run | |
| convert -list policy | |
| Path: [built-in] | |
| Policy: Undefined | |
| rights: None | |
| Path: /app/.ImageMagick/policy.xml | |
| Policy: Coder | |
| rights: None | |
| pattern: EPHEMERAL | |
| Policy: Coder | |
| rights: None | |
| pattern: HTTPS | |
| Policy: Coder | |
| rights: None | |
| pattern: MVG | |
| Policy: Coder | |
| rights: None | |
| pattern: MSL |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <policymap> | |
| <policy domain="coder" rights="none" pattern="EPHEMERAL" /> | |
| <policy domain="coder" rights="none" pattern="HTTPS" /> | |
| <policy domain="coder" rights="none" pattern="MVG" /> | |
| <policy domain="coder" rights="none" pattern="MSL" /> | |
| </policymap> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@jamesfzhang I too faced the same issue, check out this once https://stackoverflow.com/questions/39425446/imagemagick-change-policy-xml-on-heroku/46273776#46273776