summaryrefslogtreecommitdiffstats
path: root/source/l/imagemagick/policy.xml.diff
blob: 04b3a105e1c9d46860c48558e62259542213ae67 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
--- ./config/policy.xml.orig	2017-07-15 12:33:46.000000000 -0500
+++ ./config/policy.xml	2017-07-17 20:14:07.785459021 -0500
@@ -55,6 +55,21 @@
     <policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" />
 -->
 <policymap>
+  <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/>
+  <!-- SECURITY:  disable potentially insecure coders: -->
+  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
+  <policy domain="coder" rights="none" pattern="HTTPS" />
+  <policy domain="coder" rights="none" pattern="MVG" />
+  <policy domain="coder" rights="none" pattern="MSL" />
+  <policy domain="coder" rights="none" pattern="TEXT" />
+  <policy domain="coder" rights="none" pattern="SHOW" />
+  <policy domain="coder" rights="none" pattern="WIN" />
+  <policy domain="coder" rights="none" pattern="PLT" />
+  <!-- SECURITY:  prevent indirect reads: -->
+  <policy domain="path" rights="none" pattern="@*" />
+  <!-- SECURITY:  prevent pipe to shell: -->
+  <policy domain="path" rights="none" pattern="|*" />
+  <!-- Some examples: -->
   <!-- <policy domain="system" name="shred" value="2"/> -->
   <!-- <policy domain="system" name="precision" value="6"/> -->
   <!-- <policy domain="system" name="memory-map" value="anonymous"/> -->
@@ -75,5 +90,4 @@
   <!-- <policy domain="path" rights="none" pattern="@*" /> -->
   <!-- <policy domain="cache" name="memory-map" value="anonymous"/> -->
   <!-- <policy domain="cache" name="synchronize" value="True"/> -->
-  <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> -->
 </policymap>