support new configure script option: --with-security-policy={open,lim…

…ited,secure,web-safe}

Makefile.in

@@ -303,7 +303,7 @@ CONFIG_HEADER = $(top_builddir)/config/config.h
 CONFIG_CLEAN_FILES = common.shi config/configure.xml \
 	config/delegates.xml config/ImageMagick.rdf \
 	config/MagickCore.dox config/MagickWand.dox \
-	config/Magick++.dox config/type-apple.xml \
+	config/Magick++.dox config/policy.xml config/type-apple.xml \
 	config/type-dejavu.xml config/type-ghostscript.xml \
 	config/type-urw-base35.xml config/type-windows.xml \
 	config/type.xml ImageMagick.spec Magick++/bin/Magick++-config \
@@ -3177,6 +3177,7 @@ MAGICK_MICRO_VERSION = @MAGICK_MICRO_VERSION@
 MAGICK_MINOR_VERSION = @MAGICK_MINOR_VERSION@
 MAGICK_PATCHLEVEL_VERSION = @MAGICK_PATCHLEVEL_VERSION@
 MAGICK_PCFLAGS = @MAGICK_PCFLAGS@
+MAGICK_SECURITY_POLICY = @MAGICK_SECURITY_POLICY@
 MAGICK_TARGET_CPU = @MAGICK_TARGET_CPU@
 MAGICK_TARGET_OS = @MAGICK_TARGET_OS@
 MAGICK_TARGET_VENDOR = @MAGICK_TARGET_VENDOR@
@@ -3544,22 +3545,26 @@ CONFIG_EXTRA_DIST = \
 	config/ImageMagick.rc \
 	config/ImageMagick.rdf.in \
 	config/install-sh \
+  config/limited-policy.xml \
 	config/lndir.sh \
 	config/locale.md \
 	config/locale.xml \
 	config/log.xml \
 	config/magic.xml \
 	config/mime.xml \
+  config/open-policy.xml \
 	config/policy.xml \
 	config/quantization-table.xml \
+  config/secure-policy.xml \
 	config/sRGB.icm \
 	config/thresholds.xml \
 	config/type-apple.xml.in \
 	config/type-dejavu.xml.in \
 	config/type-ghostscript.xml.in \
 	config/type-urw-base35.xml.in \
 	config/type-windows.xml.in \
-	config/type.xml.in
+	config/type.xml.in \
+  config/websafe-policy.xml
 
 
 # Where coder modules get installed
@@ -5750,6 +5755,8 @@ config/MagickWand.dox: $(top_builddir)/config.status $(top_srcdir)/config/Magick
 	cd $(top_builddir) && $(SHELL) ./config.status $@
 config/Magick++.dox: $(top_builddir)/config.status $(top_srcdir)/config/Magick++.dox.in
 	cd $(top_builddir) && $(SHELL) ./config.status $@
+config/policy.xml: $(top_builddir)/config.status 
+	cd $(top_builddir) && $(SHELL) ./config.status $@
 config/type-apple.xml: $(top_builddir)/config.status $(top_srcdir)/config/type-apple.xml.in
 	cd $(top_builddir) && $(SHELL) ./config.status $@
 config/type-dejavu.xml: $(top_builddir)/config.status $(top_srcdir)/config/type-dejavu.xml.in

config/Makefile.am

@@ -59,19 +59,23 @@ CONFIG_EXTRA_DIST = \
 	config/ImageMagick.rc \
 	config/ImageMagick.rdf.in \
 	config/install-sh \
+  config/limited-policy.xml \
 	config/lndir.sh \
 	config/locale.md \
 	config/locale.xml \
 	config/log.xml \
 	config/magic.xml \
 	config/mime.xml \
+  config/open-policy.xml \
 	config/policy.xml \
 	config/quantization-table.xml \
+  config/secure-policy.xml \
 	config/sRGB.icm \
 	config/thresholds.xml \
 	config/type-apple.xml.in \
 	config/type-dejavu.xml.in \
 	config/type-ghostscript.xml.in \
 	config/type-urw-base35.xml.in \
 	config/type-windows.xml.in \
-	config/type.xml.in
+	config/type.xml.in \
+  config/websafe-policy.xml

config/config.h.in

@@ -327,6 +327,9 @@
 /* Define to 1 if you have a working `mmap' system call. */
 #undef HAVE_MMAP
 
+/* Define if you have the mtmalloc memory allocation library */
+#undef HAVE_MTMALLOC
+
 /* Define to 1 if you have the `munmap' function. */
 #undef HAVE_MUNMAP
 
@@ -809,6 +812,9 @@
 /* Define to prepend to default font search path. */
 #undef MAGICK_FONT_PATH
 
+/* Security Policy */
+#undef MAGICK_SECURITY_POLICY
+
 /* Target Host CPU */
 #undef MAGICK_TARGET_CPU
 

config/configure.xml.in

@@ -40,6 +40,7 @@
   <configure name="PREFIX" value="@PREFIX_DIR@"/>
   <configure name="QuantumDepth" value="@QUANTUM_DEPTH@"/>
   <configure name="RELEASE_DATE" value="@PACKAGE_RELEASE_DATE@"/>
+  <configure name="SECURITY_POLICY" value="@MAGICK_SECURITY_POLICY@"/>
   <configure name="SHAREARCH_PATH" value="@SHAREARCH_PATH@"/>
   <configure name="SHARE_PATH" value="@SHARE_PATH@"/>
   <configure name="TARGET_CPU" value="@MAGICK_TARGET_CPU@"/>

config/limited-policy.xml

@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policymap [
+  <!ELEMENT policymap (policy)*>
+  <!ATTLIST policymap xmlns CDATA #FIXED ''>
+  <!ELEMENT policy EMPTY>
+  <!ATTLIST policy xmlns CDATA #FIXED '' domain NMTOKEN #REQUIRED
+    name NMTOKEN #IMPLIED pattern CDATA #IMPLIED rights NMTOKEN #IMPLIED
+    stealth NMTOKEN #IMPLIED value CDATA #IMPLIED>
+]>
+<!--
+  Limited ImageMagick security policy:
+
+  The primary objective of the limited security policy is to find a
+  middle ground between convenience and security. This policy involves the
+  deactivation of potentially hazardous functionalities, like specific coders
+  such as SVG or HTTP. Furthermore, it establishes several constraints on
+  the utilization of resources like memory, storage, and processing duration,
+  all of which are adjustable. This policy proves advantageous in situations
+  where there's a need to mitigate the potential threat of handling possibly
+  malicious or demanding images, all while retaining essential capabilities
+  for prevalent image formats.
+
+  Configure ImageMagick policies:
+
+  Domains include system, delegate, coder, filter, path, or resource.
+
+  Rights include none, read, write, execute and all.  Use | to combine them,
+  for example: "read | write" to permit read from, or write to, a path.
+
+  Use a glob expression as a pattern.
+
+  Suppose we do not want users to process MPEG video images:
+
+    <policy domain="delegate" rights="none" pattern="mpeg:decode" />
+
+  Here we do not want users reading images from HTTP:
+
+    <policy domain="coder" rights="none" pattern="HTTP" />
+
+  The /repository file system is restricted to read only.  We use a glob
+  expression to match all paths that start with /repository:
+
+    <policy domain="path" rights="read" pattern="/repository/*" />
+
+  Lets prevent users from executing any image filters:
+
+    <policy domain="filter" rights="none" pattern="*" />
+
+  Any large image is cached to disk rather than memory:
+
+    <policy domain="resource" name="area" value="1GP"/>
+
+  Use the default system font unless overridden by the application:
+
+    <policy domain="system" name="font" value="/usr/share/fonts/favorite.ttf"/>
+
+  Define arguments for the memory, map, area, width, height and disk resources
+  with SI prefixes (.e.g 100MB).  In addition, resource policies are maximums
+  for each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB
+  exceeds policy maximum so memory limit is 1GB).
+
+  Rules are processed in order.  Here we want to restrict ImageMagick to only
+  read or write a small subset of proven web-safe image types:
+
+    <policy domain="delegate" rights="none" pattern="*" />
+    <policy domain="filter" rights="none" pattern="*" />
+    <policy domain="coder" rights="none" pattern="*" />
+    <policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" />
+-->
+<policymap>
+  <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
+  <!-- <policy domain="resource" name="memory" value="2GiB"/> -->
+  <!-- <policy domain="resource" name="map" value="4GiB"/> -->
+  <!-- <policy domain="resource" name="width" value="10KP"/> -->
+  <!-- <policy domain="resource" name="height" value="10KP"/> -->
+  <!-- <policy domain="resource" name="list-length" value="128"/> -->
+  <!-- <policy domain="resource" name="area" value="100MP"/> -->
+  <!-- <policy domain="resource" name="disk" value="16EiB"/> -->
+  <!-- <policy domain="resource" name="file" value="768"/> -->
+  <!-- <policy domain="resource" name="thread" value="4"/> -->
+  <!-- <policy domain="resource" name="throttle" value="0"/> -->
+  <!-- <policy domain="resource" name="time" value="3600"/> -->
+  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
+  <!-- <policy domain="module" rights="none" pattern="{PS,PDF,XPS}" /> -->
+  <!-- <policy domain="delegate" rights="none" pattern="HTTPS" /> -->
+  <!-- <policy domain="path" rights="none" pattern="@*" /> -->
+  <!-- <policy domain="cache" name="memory-map" value="anonymous"/> -->
+  <!-- <policy domain="cache" name="synchronize" value="True"/> -->
+  <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> -->
+  <!-- <policy domain="system" name="max-memory-request" value="256MiB"/> -->
+  <!-- <policy domain="cache" name="synchronize" value="true"/> -->
+  <!-- <policy domain="system" name="shred" value="1"/> -->
+  <!-- <policy domain="system" name="font" value="/path/to/unicode-font.ttf"/> -->
+  <policy domain="Undefined" rights="none"/>
+</policymap>

config/open-policy.xml

@@ -0,0 +1,95 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policymap [
+  <!ELEMENT policymap (policy)*>
+  <!ATTLIST policymap xmlns CDATA #FIXED ''>
+  <!ELEMENT policy EMPTY>
+  <!ATTLIST policy xmlns CDATA #FIXED '' domain NMTOKEN #REQUIRED
+    name NMTOKEN #IMPLIED pattern CDATA #IMPLIED rights NMTOKEN #IMPLIED
+    stealth NMTOKEN #IMPLIED value CDATA #IMPLIED>
+]>
+<!--
+  Open ImageMagick security policy:
+
+  The default policy for ImageMagick installations is the open security
+  policy. This policy is designed for usage in secure settings like those
+  protected by firewalls or within Docker containers. Within this framework,
+  ImageMagick enjoys broad access to resources and functionalities. This policy
+  provides convenient and adaptable options for image manipulation. However,
+  it's important to note that it might present security vulnerabilities in
+  less regulated conditions. Thus, organizations should thoroughly assess
+  the appropriateness of the open policy according to their particular use
+  case and security prerequisites.
+
+  Configure ImageMagick policies:
+
+  Domains include system, delegate, coder, filter, path, or resource.
+
+  Rights include none, read, write, execute and all.  Use | to combine them,
+  for example: "read | write" to permit read from, or write to, a path.
+
+  Use a glob expression as a pattern.
+
+  Suppose we do not want users to process MPEG video images:
+
+    <policy domain="delegate" rights="none" pattern="mpeg:decode" />
+
+  Here we do not want users reading images from HTTP:
+
+    <policy domain="coder" rights="none" pattern="HTTP" />
+
+  The /repository file system is restricted to read only.  We use a glob
+  expression to match all paths that start with /repository:
+
+    <policy domain="path" rights="read" pattern="/repository/*" />
+
+  Lets prevent users from executing any image filters:
+
+    <policy domain="filter" rights="none" pattern="*" />
+
+  Any large image is cached to disk rather than memory:
+
+    <policy domain="resource" name="area" value="1GP"/>
+
+  Use the default system font unless overridden by the application:
+
+    <policy domain="system" name="font" value="/usr/share/fonts/favorite.ttf"/>
+
+  Define arguments for the memory, map, area, width, height and disk resources
+  with SI prefixes (.e.g 100MB).  In addition, resource policies are maximums
+  for each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB
+  exceeds policy maximum so memory limit is 1GB).
+
+  Rules are processed in order.  Here we want to restrict ImageMagick to only
+  read or write a small subset of proven web-safe image types:
+
+    <policy domain="delegate" rights="none" pattern="*" />
+    <policy domain="filter" rights="none" pattern="*" />
+    <policy domain="coder" rights="none" pattern="*" />
+    <policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" />
+-->
+<policymap>
+  <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
+  <!-- <policy domain="resource" name="memory" value="2GiB"/> -->
+  <!-- <policy domain="resource" name="map" value="4GiB"/> -->
+  <!-- <policy domain="resource" name="width" value="10KP"/> -->
+  <!-- <policy domain="resource" name="height" value="10KP"/> -->
+  <!-- <policy domain="resource" name="list-length" value="128"/> -->
+  <!-- <policy domain="resource" name="area" value="100MP"/> -->
+  <!-- <policy domain="resource" name="disk" value="16EiB"/> -->
+  <!-- <policy domain="resource" name="file" value="768"/> -->
+  <!-- <policy domain="resource" name="thread" value="4"/> -->
+  <!-- <policy domain="resource" name="throttle" value="0"/> -->
+  <!-- <policy domain="resource" name="time" value="3600"/> -->
+  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
+  <!-- <policy domain="module" rights="none" pattern="{PS,PDF,XPS}" /> -->
+  <!-- <policy domain="delegate" rights="none" pattern="HTTPS" /> -->
+  <!-- <policy domain="path" rights="none" pattern="@*" /> -->
+  <!-- <policy domain="cache" name="memory-map" value="anonymous"/> -->
+  <!-- <policy domain="cache" name="synchronize" value="True"/> -->
+  <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> -->
+  <!-- <policy domain="system" name="max-memory-request" value="256MiB"/> -->
+  <!-- <policy domain="cache" name="synchronize" value="true"/> -->
+  <!-- <policy domain="system" name="shred" value="1"/> -->
+  <!-- <policy domain="system" name="font" value="/path/to/unicode-font.ttf"/> -->
+  <policy domain="Undefined" rights="none"/>
+</policymap>

config/policy.xml

@@ -8,7 +8,19 @@
     stealth NMTOKEN #IMPLIED value CDATA #IMPLIED>
 ]>
 <!--
-  Configure ImageMagick policies.
+  Open ImageMagick security policy:
+
+  The default policy for ImageMagick installations is the open security
+  policy. This policy is designed for usage in secure settings like those
+  protected by firewalls or within Docker containers. Within this framework,
+  ImageMagick enjoys broad access to resources and functionalities. This policy
+  provides convenient and adaptable options for image manipulation. However,
+  it's important to note that it might present security vulnerabilities in
+  less regulated conditions. Thus, organizations should thoroughly assess
+  the appropriateness of the open policy according to their particular use
+  case and security prerequisites.
+
+  Configure ImageMagick policies:
 
   Domains include system, delegate, coder, filter, path, or resource.
 
@@ -75,8 +87,8 @@
   <!-- <policy domain="cache" name="memory-map" value="anonymous"/> -->
   <!-- <policy domain="cache" name="synchronize" value="True"/> -->
   <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> -->
-  <!-- <policy domain="cache" name="synchronize" value="True"/> -->
   <!-- <policy domain="system" name="max-memory-request" value="256MiB"/> -->
+  <!-- <policy domain="cache" name="synchronize" value="true"/> -->
   <!-- <policy domain="system" name="shred" value="1"/> -->
   <!-- <policy domain="system" name="font" value="/path/to/unicode-font.ttf"/> -->
   <policy domain="Undefined" rights="none"/>