diff options
Diffstat (limited to 'config')
| -rw-r--r-- | config/application.rb | 1 | ||||
| -rw-r--r-- | config/imagemagick/policy.xml | 27 | ||||
| -rw-r--r-- | config/initializers/paperclip.rb | 7 |
3 files changed, 35 insertions, 0 deletions
diff --git a/config/application.rb b/config/application.rb index f72cc8e11..4a440c6f2 100644 --- a/config/application.rb +++ b/config/application.rb @@ -28,6 +28,7 @@ require_relative '../lib/paperclip/url_generator_extensions' require_relative '../lib/paperclip/attachment_extensions' require_relative '../lib/paperclip/lazy_thumbnail' require_relative '../lib/paperclip/gif_transcoder' +require_relative '../lib/paperclip/media_type_spoof_detector_extensions' require_relative '../lib/paperclip/transcoder' require_relative '../lib/paperclip/type_corrector' require_relative '../lib/paperclip/response_with_limit_adapter' diff --git a/config/imagemagick/policy.xml b/config/imagemagick/policy.xml new file mode 100644 index 000000000..1052476b3 --- /dev/null +++ b/config/imagemagick/policy.xml @@ -0,0 +1,27 @@ +<policymap> + <!-- Set some basic system resource limits --> + <policy domain="resource" name="time" value="60" /> + + <policy domain="module" rights="none" pattern="URL" /> + + <policy domain="filter" rights="none" pattern="*" /> + + <!-- + Ideally, we would restrict ImageMagick to only accessing its own + disk-backed pixel cache as well as Mastodon-created Tempfiles. + + However, those paths depend on the operating system and environment + variables, so they can only be known at runtime. + + Furthermore, those paths are not necessarily shared across Mastodon + processes, so even creating a policy.xml at runtime is impractical. + + For the time being, only disable indirect reads. + --> + <policy domain="path" rights="none" pattern="@*" /> + + <!-- Disallow any coder by default, and only enable ones required by Mastodon --> + <policy domain="coder" rights="none" pattern="*" /> + <policy domain="coder" rights="read | write" pattern="{PNG,JPEG,GIF,HEIC,WEBP}" /> + <policy domain="coder" rights="write" pattern="{HISTOGRAM,RGB,INFO}" /> +</policymap> diff --git a/config/initializers/paperclip.rb b/config/initializers/paperclip.rb index bd37f6709..ca600346a 100644 --- a/config/initializers/paperclip.rb +++ b/config/initializers/paperclip.rb @@ -161,3 +161,10 @@ unless defined?(Seahorse) end end end + +# Set our ImageMagick security policy, but allow admins to override it +ENV['MAGICK_CONFIGURE_PATH'] = begin + imagemagick_config_paths = ENV.fetch('MAGICK_CONFIGURE_PATH', '').split(File::PATH_SEPARATOR) + imagemagick_config_paths << Rails.root.join('config', 'imagemagick').expand_path.to_s + imagemagick_config_paths.join(File::PATH_SEPARATOR) +end |