[discourse-web/gnome] FEATURE: Replace the default ImageMagick policy.xml (https://github.com/discourse/discourse_docker/c

From: Andrea Veri <averi src gnome org>
To: commits-list gnome org
Cc:
Subject: [discourse-web/gnome] FEATURE: Replace the default ImageMagick policy.xml (https://github.com/discourse/discourse_docker/c
Date: Tue, 1 Dec 2020 12:34:29 +0000 (UTC)
commit 3fd7280312fc1b8f577823513d70b27b04b0e9ca
Author: iposadat <ismael posada trobo cern ch>
Date:   Tue Dec 1 10:26:12 2020 +0100

    FEATURE: Replace the default ImageMagick policy.xml 
(https://github.com/discourse/discourse_docker/commit/7b3d1c513f833a0758ba1f647436514dd365bfd0)

 config/policy.xml | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
---
diff --git a/config/policy.xml b/config/policy.xml
new file mode 100644
index 0000000..d5f13c7
--- /dev/null
+++ b/config/policy.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policymap [
+  <!ELEMENT policymap (policy)+>
+  <!ATTLIST policymap xmlns CDATA #FIXED ''>
+  <!ELEMENT policy EMPTY>
+  <!ATTLIST policy xmlns CDATA #FIXED '' domain NMTOKEN #REQUIRED
+    name NMTOKEN #IMPLIED pattern CDATA #IMPLIED rights NMTOKEN #IMPLIED
+    stealth NMTOKEN #IMPLIED value CDATA #IMPLIED>
+]>
+<!--
+  Configure ImageMagick policies.
+  Domains include system, delegate, coder, filter, path, or resource.
+  Rights include none, read, write, execute and all.  Use | to combine them,
+  for example: "read | write" to permit read from, or write to, a path.
+  Use a glob expression as a pattern.
+  Suppose we do not want users to process MPEG video images:
+    <policy domain="delegate" rights="none" pattern="mpeg:decode" />
+  Here we do not want users reading images from HTTP:
+    <policy domain="coder" rights="none" pattern="HTTP" />
+  The /repository file system is restricted to read only.  We use a glob
+  expression to match all paths that start with /repository:
+    <policy domain="path" rights="read" pattern="/repository/*" />
+  Lets prevent users from executing any image filters:
+    <policy domain="filter" rights="none" pattern="*" />
+  Any large image is cached to disk rather than memory:
+    <policy domain="resource" name="area" value="1GP"/>
+  Define arguments for the memory, map, area, width, height and disk resources
+  with SI prefixes (.e.g 100MB).  In addition, resource policies are maximums
+  for each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB
+  exceeds policy maximum so memory limit is 1GB).
+  Rules are processed in order.  Here we want to restrict ImageMagick to only
+  read or write a small subset of proven web-safe image types:
+    <policy domain="delegate" rights="none" pattern="*" />
+    <policy domain="filter" rights="none" pattern="*" />
+    <policy domain="coder" rights="none" pattern="*" />
+    <policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" />
+-->
+<policymap>
+  <!-- <policy domain="system" name="shred" value="2"/> -->
+  <!-- <policy domain="system" name="precision" value="6"/> -->
+  <!-- <policy domain="system" name="memory-map" value="anonymous"/> -->
+  <!-- <policy domain="system" name="max-memory-request" value="256MiB"/> -->
+  <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
+  <policy domain="resource" name="memory" value="1GiB"/>
+  <policy domain="resource" name="map" value="2GiB"/>
+  <policy domain="resource" name="width" value="64KP"/>
+  <policy domain="resource" name="height" value="64KP"/>
+  <!-- <policy domain="resource" name="list-length" value="128"/> -->
+  <policy domain="resource" name="area" value="4GP"/>
+  <policy domain="resource" name="disk" value="8GiB"/>
+  <!-- <policy domain="resource" name="file" value="768"/> -->
+  <!-- <policy domain="resource" name="thread" value="4"/> -->
+  <!-- <policy domain="resource" name="throttle" value="0"/> -->
+  <!-- <policy domain="resource" name="time" value="3600"/> -->
+  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
+  <policy domain="module" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
+  <!-- <policy domain="delegate" rights="none" pattern="HTTPS" /> -->
+  <!-- <policy domain="path" rights="none" pattern="@*" /> -->
+  <!-- <policy domain="cache" name="memory-map" value="anonymous"/> -->
+  <!-- <policy domain="cache" name="synchronize" value="True"/> -->
+  <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> -->
+</policymap>
\ No newline at end of file
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]