aergus / dockerfiles

Creative Commons Zero v1.0 Universal

imagemagick's convert cannot convert PDF -> PNG (missing security policy) #12

Closed anjos closed 3 years ago

anjos commented 3 years ago

In one of my LaTeX builds where we use this image, we make use of convert from ImageMagick (which is installed within the image) to build a high-resolution PNG version of a standalone TikZ figure. Unfortunately, there is a missing security policy within the image that makes this conversion harder to achieve.

To test for this, you can start bash within the image, then do something like this:

# convert /usr/share/doc/biber/biber.pdf bla.png
convert-im6.q16: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/421.
convert-im6.q16: no images defined `bla.png' @ error/convert.c/ConvertImageCommand/3229.

To fix this, you'd have to add the security rule within the image as stated at https://stackoverflow.com/questions/52998331/imagemagick-security-policy-pdf-blocking-conversion:

# #edit /etc/ImageMagick-6/policy.xml
# #comment out or delete lines like <policy domain="coder" rights="none" pattern="PDF" />
# #so it reads <!--<policy domain="coder" rights="none" pattern="PDF" />-->
# to delete, a line like this worked for me:
# sed -i '/PDF/d' /etc/ImageMagick-6/policy.xml
# #however, you may want to consider further rule removal like EPS and PS as well...

From this point, PDF -> PNG conversion should work properly from the start.

aergus commented 3 years ago

Thanks for the report, but I think this falls just below my threshold of adaptation.

At least Gentoo and Ubuntu maintainers seem to find it still risky to lift these restrictions. I can't really assess the risks myself, so I'm leaning towards being conservative and not changing the configuration, in particular because I can imagine that some users of this image are feeding untrusted input to convert.

As a solution to your specific problem, I guess you could change the settings in your CI configuration / build script if you know what you are doing, or use GhostScript directly for the conversion.

anjos commented 3 years ago

Thanks for following this up. If you just start bash on this image, you can change the security settings yourself.

aergus commented 3 years ago

OK, closing this issue as "won't fix". Users who want the relaxed security policy should change the configuration manually.
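
An added example, not part of the thread or of the image: for a user's own build script, a narrower change than `sed -i '/PDF/d'`, which deletes every line containing "PDF". It switches only the PDF coder rule from `rights="none"` to `rights="read"`, leaves PS and EPS blocked, and reports the resulting rights. The function names and the sample policy content are constructed, and the attribute order is assumed to match the line quoted in the issue.

```shell
#!/bin/sh
# Added example, not from the thread. Sample policy content is constructed.

# Write a constructed sample resembling the coder rules discussed in the thread.
write_sample_policy() {  # usage: write_sample_policy FILE
    cat > "$1" <<'EOF'
<policymap>
  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
</policymap>
EOF
}

# Print the rights of the active (uncommented) coder rule for PATTERN, or "unset".
coder_rights() {  # usage: coder_rights FILE PATTERN
    r=$(sed -n 's/^[[:space:]]*<policy domain="coder" rights="\([^"]*\)" pattern="'"$2"'"[[:space:]]*\/>.*$/\1/p' "$1" | tail -n 1)
    echo "${r:-unset}"
}

# Change only the PDF coder rule from "none" to "read"; keep a backup copy.
allow_pdf_read() {  # usage: allow_pdf_read FILE
    [ -f "$1" ] || { echo "no policy file: $1" >&2; return 1; }
    cp -p "$1" "$1.orig" || return 1
    sed 's/\(<policy domain="coder" rights="\)none\(" pattern="PDF"\)/\1read\2/' \
        "$1.orig" > "$1"
}

# Demo on a temporary copy; on the image the file is /etc/ImageMagick-6/policy.xml.
demo() {
    tmp=$(mktemp) || return 1
    write_sample_policy "$tmp"
    allow_pdf_read "$tmp"
    for p in PDF PS EPS MVG; do
        echo "$p: $(coder_rights "$tmp" "$p")"
    done
    rm -f "$tmp" "$tmp.orig"
}
demo
```

In a build script, `allow_pdf_read /etc/ImageMagick-6/policy.xml` would be run as root before calling convert, and only in jobs whose PDF inputs are produced by the build itself.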