ImageMagick is a powerful tool for processing image files, but with its power and complexity come potential security risks. To mitigate these risks, ImageMagick uses a security policy defined in its configuration file. This policy sets limits on memory usage and file sizes, defines which files can be opened and from where, and applies other security restrictions.
On the Zone platform, ImageMagick is installed with a security policy based on the “limited” configuration shipped with the software.
In some cases, it may be necessary to relax certain rules, and this can be done in the user context.
However, please note that:
- Not all settings can be overridden by the user, and the rules may change over time.
- Some settings can be modified by installing a minimal user-level configuration.
For example, a blocked operation produces an error like this:
magick: attempt to perform an operation not allowed by the security policy `URL'
To bypass this specific restriction, it is sufficient for the virtual server user to create the file
~/.config/ImageMagick/policy.xml
with the following contents:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
  <!ELEMENT policymap (policy)*>
  <!ATTLIST policymap xmlns CDATA #FIXED ''>
  <!ELEMENT policy EMPTY>
  <!ATTLIST policy xmlns CDATA #FIXED '' domain NMTOKEN #REQUIRED
    name NMTOKEN #IMPLIED pattern CDATA #IMPLIED rights NMTOKEN #IMPLIED
    stealth NMTOKEN #IMPLIED value CDATA #IMPLIED>
]>
<policymap>
  <policy domain="module" rights="read|write" pattern="URL"/>
</policymap>
- Some rules cannot be relaxed if the system configuration has already been loaded, as it is read first by default. This can be overridden by changing the ImageMagick configuration loading order using the environment variable MAGICK_CONFIGURE_PATH, so that the user configuration is loaded first:
  MAGICK_CONFIGURE_PATH="$HOME/.config/ImageMagick:/usr/share/ImageMagick-7"
The previously made policy change will take effect within 5 minutes after executing the following command:
touch ~/domeenid/*/phpini/global/php.ini
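
Because a user-level policy.xml widens what ImageMagick will process, it is worth reviewing exactly which entries it relaxes and whether the load order puts it ahead of the system policy. The following is an added example, not code from the Zone platform or from ImageMagick: the function names, the abridged sample policy and the `/home/example` home directory are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the user-level policy.xml from this page (DOCTYPE abridged).
SAMPLE_POLICY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
  <!ELEMENT policymap (policy)*>
  <!ELEMENT policy EMPTY>
]>
<policymap>
  <policy domain="module" rights="read|write" pattern="URL"/>
</policymap>"""

# Value of MAGICK_CONFIGURE_PATH as given on this page.
SAMPLE_PATH = "$HOME/.config/ImageMagick:/usr/share/ImageMagick-7"


def relaxed_entries(policy_xml):
    """Return (domain, pattern, rights) for each entry that grants any right.

    Entries with rights="none" or without a rights attribute (for example
    resource limits, which use name/value) are not relaxations and are skipped.
    """
    found = []
    for policy in ET.fromstring(policy_xml).iter("policy"):
        rights = {r.strip().lower() for r in policy.get("rights", "").split("|")}
        rights.discard("")
        if rights - {"none"}:
            found.append((policy.get("domain"), policy.get("pattern"), sorted(rights)))
    return found


def user_config_first(configure_path, home):
    """True if the user's ImageMagick directory is the first search entry."""
    dirs = [d.replace("$HOME", home).rstrip("/") for d in configure_path.split(":") if d]
    return bool(dirs) and dirs[0] == home.rstrip("/") + "/.config/ImageMagick"


if __name__ == "__main__":
    for domain, pattern, rights in relaxed_entries(SAMPLE_POLICY):
        print(f"relaxed: domain={domain} pattern={pattern} rights={'|'.join(rights)}")
    print("user config loaded first:", user_config_first(SAMPLE_PATH, "/home/example"))
```

On the server itself, `magick -list policy` prints the policy ImageMagick actually loaded, which confirms whether the change took effect.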