ImageMagick policy
https://github.com/linuxserver/docker-calibre-web/issues/75
This commit is contained in:
parent
c042b1934b
commit
d029007615
@ -243,6 +243,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
|
|||||||
|
|
||||||
## Versions
|
## Versions
|
||||||
|
|
||||||
|
* **06.05.20:** - Add libxslt1.1 and update ImageMagick policy
|
||||||
* **19.01.20:** - Adding LDAP libs.
|
* **19.01.20:** - Adding LDAP libs.
|
||||||
* **13.10.19:** - Migrate to Python3.
|
* **13.10.19:** - Migrate to Python3.
|
||||||
* **01.08.19:** - Add libxcomposite1.
|
* **01.08.19:** - Add libxcomposite1.
|
||||||
|
@ -70,6 +70,7 @@ app_setup_block: |
|
|||||||
|
|
||||||
# changelog
|
# changelog
|
||||||
changelogs:
|
changelogs:
|
||||||
|
- { date: "06.05.20:", desc: "Add libxslt1.1 and update ImageMagick policy" }
|
||||||
- { date: "19.01.20:", desc: "Adding LDAP libs." }
|
- { date: "19.01.20:", desc: "Adding LDAP libs." }
|
||||||
- { date: "13.10.19:", desc: "Migrate to Python3." }
|
- { date: "13.10.19:", desc: "Migrate to Python3." }
|
||||||
- { date: "01.08.19:", desc: "Add libxcomposite1." }
|
- { date: "01.08.19:", desc: "Add libxcomposite1." }
|
||||||
|
80
root/defaults/policy.xml
Normal file
80
root/defaults/policy.xml
Normal file
@ -0,0 +1,80 @@
|
|||||||
|
<?xml version="1.0" encoding="UTF-8"?>
|
||||||
|
<!DOCTYPE policymap [
|
||||||
|
<!ELEMENT policymap (policy)+>
|
||||||
|
<!ELEMENT policy (#PCDATA)>
|
||||||
|
<!ATTLIST policy domain (delegate|coder|filter|path|resource) #IMPLIED>
|
||||||
|
<!ATTLIST policy name CDATA #IMPLIED>
|
||||||
|
<!ATTLIST policy rights CDATA #IMPLIED>
|
||||||
|
<!ATTLIST policy pattern CDATA #IMPLIED>
|
||||||
|
<!ATTLIST policy value CDATA #IMPLIED>
|
||||||
|
]>
|
||||||
|
<!--
|
||||||
|
Configure ImageMagick policies.
|
||||||
|
|
||||||
|
Domains include system, delegate, coder, filter, path, or resource.
|
||||||
|
|
||||||
|
Rights include none, read, write, and execute. Use | to combine them,
|
||||||
|
for example: "read | write" to permit read from, or write to, a path.
|
||||||
|
|
||||||
|
Use a glob expression as a pattern.
|
||||||
|
|
||||||
|
Suppose we do not want users to process MPEG video images:
|
||||||
|
|
||||||
|
<policy domain="delegate" rights="none" pattern="mpeg:decode" />
|
||||||
|
|
||||||
|
Here we do not want users reading images from HTTP:
|
||||||
|
|
||||||
|
<policy domain="coder" rights="none" pattern="HTTP" />
|
||||||
|
|
||||||
|
Lets prevent users from executing any image filters:
|
||||||
|
|
||||||
|
<policy domain="filter" rights="none" pattern="*" />
|
||||||
|
|
||||||
|
The /repository file system is restricted to read only. We use a glob
|
||||||
|
expression to match all paths that start with /repository:
|
||||||
|
|
||||||
|
<policy domain="path" rights="read" pattern="/repository/*" />
|
||||||
|
|
||||||
|
Let's prevent possible exploits by removing the right to use indirect reads.
|
||||||
|
|
||||||
|
<policy domain="path" rights="none" pattern="@*" />
|
||||||
|
|
||||||
|
Any large image is cached to disk rather than memory:
|
||||||
|
|
||||||
|
<policy domain="resource" name="area" value="1GB"/>
|
||||||
|
|
||||||
|
Define arguments for the memory, map, area, width, height, and disk resources
|
||||||
|
with SI prefixes (.e.g 100MB). In addition, resource policies are maximums
|
||||||
|
for each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB
|
||||||
|
exceeds policy maximum so memory limit is 1GB).
|
||||||
|
-->
|
||||||
|
<policymap>
|
||||||
|
<!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
|
||||||
|
<policy domain="resource" name="memory" value="256MiB"/>
|
||||||
|
<policy domain="resource" name="map" value="512MiB"/>
|
||||||
|
<policy domain="resource" name="width" value="16KP"/>
|
||||||
|
<policy domain="resource" name="height" value="16KP"/>
|
||||||
|
<policy domain="resource" name="area" value="128MB"/>
|
||||||
|
<policy domain="resource" name="disk" value="1GiB"/>
|
||||||
|
<!-- <policy domain="resource" name="file" value="768"/> -->
|
||||||
|
<!-- <policy domain="resource" name="thread" value="4"/> -->
|
||||||
|
<!-- <policy domain="resource" name="throttle" value="0"/> -->
|
||||||
|
<!-- <policy domain="resource" name="time" value="3600"/> -->
|
||||||
|
<!-- <policy domain="system" name="precision" value="6"/> -->
|
||||||
|
<!-- not needed due to the need to use explicitly by mvg: -->
|
||||||
|
<!-- <policy domain="delegate" rights="none" pattern="MVG" /> -->
|
||||||
|
<!-- use curl -->
|
||||||
|
<policy domain="delegate" rights="none" pattern="URL" />
|
||||||
|
<policy domain="delegate" rights="none" pattern="HTTPS" />
|
||||||
|
<policy domain="delegate" rights="none" pattern="HTTP" />
|
||||||
|
<!-- in order to avoid to get image with password text -->
|
||||||
|
<policy domain="path" rights="none" pattern="@*"/>
|
||||||
|
<policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/>
|
||||||
|
<!-- disable ghostscript format types -->
|
||||||
|
<policy domain="coder" rights="none" pattern="PS" />
|
||||||
|
<policy domain="coder" rights="none" pattern="PS2" />
|
||||||
|
<policy domain="coder" rights="none" pattern="PS3" />
|
||||||
|
<policy domain="coder" rights="none" pattern="EPS" />
|
||||||
|
<policy domain="coder" rights="read" pattern="PDF" />
|
||||||
|
<policy domain="coder" rights="none" pattern="XPS" />
|
||||||
|
</policymap>
|
@ -1,5 +1,11 @@
|
|||||||
#!/usr/bin/with-contenv bash
|
#!/usr/bin/with-contenv bash
|
||||||
|
|
||||||
|
# create symlinks for imagemagick policy.xml
|
||||||
|
[[ -f /etc/ImageMagick-6/policy.xml ]] && \
|
||||||
|
rm /etc/ImageMagick-6/policy.xml
|
||||||
|
[[ ! -L /etc/ImageMagick-6/policy.xml ]] && \
|
||||||
|
ln -s /defaults/policy.xml /etc/ImageMagick-6/policy.xml
|
||||||
|
|
||||||
# create symlinks for database and log
|
# create symlinks for database and log
|
||||||
[[ ! -f /config/app.db ]] && \
|
[[ ! -f /config/app.db ]] && \
|
||||||
cp /defaults/app.db /config/app.db
|
cp /defaults/app.db /config/app.db
|
||||||
|
Loading…
Reference in New Issue
Block a user