Last active
March 21, 2019 09:06
-
-
Save yanowitz/8329d8b27d8294ca7027f504326fd629 to your computer and use it in GitHub Desktop.
fixing https://imagetragick.com/ (CVE-2016–3714) on heroku
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1. Create a directory/file in your deploy repo's root dir (e.g., .ImageMagic/policy.xml), commit it. | |
| 2. Set the following config var: | |
| heroku config:set MAGICK_CONFIGURE_PATH=/app/.ImageMagick -a YOUR-APP-NAME | |
| 3. Deploy | |
| 4. heroku run bash -a YOUR-APP-NAME | |
| 5. run | |
| convert -list policy | |
| Path: [built-in] | |
| Policy: Undefined | |
| rights: None | |
| Path: /app/.ImageMagick/policy.xml | |
| Policy: Coder | |
| rights: None | |
| pattern: EPHEMERAL | |
| Policy: Coder | |
| rights: None | |
| pattern: HTTPS | |
| Policy: Coder | |
| rights: None | |
| pattern: MVG | |
| Policy: Coder | |
| rights: None | |
| pattern: MSL |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <policymap> | |
| <policy domain="coder" rights="none" pattern="EPHEMERAL" /> | |
| <policy domain="coder" rights="none" pattern="HTTPS" /> | |
| <policy domain="coder" rights="none" pattern="MVG" /> | |
| <policy domain="coder" rights="none" pattern="MSL" /> | |
| </policymap> |
What if you do need https for the convert function, can I add rights to it?
Seems like Heroku no longer lets you alter the policies now that they have default ones? I need access to https for converts.
@jamesfzhang I too faced the same issue, check out this once https://stackoverflow.com/questions/39425446/imagemagick-change-policy-xml-on-heroku/46273776#46273776
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Note that additional coders need to be disabled. I suggest looking at these links for the latest recommendations: