Using ImageMagick on a Zone managed server

This is not a change made by Zone, but a change in the behavior of ImageMagick itself. Reading files from a URL has always been disabled by ImageMagick’s default security policy, but due to a software bug, this restriction was not enforced for all possible use cases. In ImageMagick version 7.1.2-9, this security issue was fixed through a silent code change, which caused problems for some users who relied on codecs to which the security policy had not been applied in earlier versions. Since modifying the global configuration would create an even greater security risk for everyone, the only solution is to carefully relax the security policy within the context of the user’s own virtual server.

ImageMagick is a powerful tool for processing image files, but with its power and complexity come potential security risks. To mitigate these risks, ImageMagick uses a security policy defined in its configuration file. This policy sets limits on memory usage and file sizes, defines which files can be opened and from where, and applies other security restrictions.

On the Zone platform, ImageMagick is installed with a security policy based on the “limited” configuration shipped with the software.

In some cases, it may be necessary to relax certain rules, and this can be done in the user context.

However, please note that:

  • not all settings can be overridden by the user, and the rules may change over time.

  • some settings can be modified by installing a minimal user-level configuration.

magick: attempt to perform an operation not allowed by the security policy `URL'

To bypass this specific restriction, it is sufficient for the virtual server user to create the file
~/.config/ImageMagick/policy.xml
with the following contents:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
<!ELEMENT policymap (policy)*>
<!ATTLIST policymap xmlns CDATA #FIXED ''>
<!ELEMENT policy EMPTY>
<!ATTLIST policy xmlns CDATA #FIXED '' domain NMTOKEN #REQUIRED
name NMTOKEN #IMPLIED pattern CDATA #IMPLIED rights NMTOKEN #IMPLIED
stealth NMTOKEN #IMPLIED value CDATA #IMPLIED>
]>
<policymap>
<policy domain="module" rights="read|write" pattern="URL"/>
</policymap>

  • Some rules cannot be relaxed if the system configuration has already been loaded, as it is read first by default. This can be overridden by changing the ImageMagick configuration loading order using the environment variable MAGICK_CONFIGURE_PATH, so that the user configuration is loaded first:
    MAGICK_CONFIGURE_PATH="$HOME/.config/ImageMagick:/usr/share/ImageMagick-7"

The previously made policy change will take effect within 5 minutes after executing the following command:

touch ~/domeenid/*/phpini/global/php.ini
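
Because the user-level file should relax only what is actually needed, it helps to check that it grants nothing beyond the URL module. The following Python check is an added example, not part of Zone's or ImageMagick's tooling; the allowlist and the constructed sample rules are assumptions.

```python
import sys
import xml.etree.ElementTree as ET

# Assumption: the only relaxation intended is the one shown in this article.
ALLOWED = {("module", "URL"): {"read", "write"}}

# Constructed sample (DOCTYPE omitted): the article's rule plus hypothetical
# extra rules that would widen the policy further than intended.
SAMPLE = """<policymap>
  <policy domain="module" rights="read|write" pattern="URL"/>
  <policy domain="delegate" rights="read|write" pattern="*"/>
  <policy domain="coder" rights="Read" pattern="{PS,MVG}"/>
  <policy domain="path" rights="none" pattern="@*"/>
</policymap>"""


def audit_policy(xml_text, allowed=ALLOWED):
    """Return (domain, pattern, extra_rights) for each rule that grants
    rights outside the allowlist. Accepts str or bytes."""
    findings = []
    for rule in ET.fromstring(xml_text.strip()).iter("policy"):
        domain = rule.get("domain", "").lower()
        pattern = rule.get("pattern", "")
        rights = {r.strip().lower() for r in rule.get("rights", "").split("|")}
        # rights="none" restricts, and value-only rules (resource limits)
        # carry no rights attribute; neither grants access, so skip them.
        rights -= {"", "none"}
        extra = rights - allowed.get((domain, pattern), set())
        if extra:
            findings.append((domain, pattern, sorted(extra)))
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_policy.py ~/.config/ImageMagick/policy.xml
    # Without an argument the constructed sample is audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    results = audit_policy(text)
    for domain, pattern, extra in results:
        print(f"unexpected grant: domain={domain} pattern={pattern} "
              f"rights={'|'.join(extra)}")
    sys.exit(1 if results else 0)
```

Run against the file exactly as shown in this article, the check reports nothing and exits with status 0.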
Updated on 27. Jan 2026