3

I'm trying to access images via https on Heroku with Imagemagick. How can I change the policies (in policy.xml) on Heroku?

Heroku made an "ImageMagick security update" in May, 2016: https://devcenter.heroku.com/changelog-items/891

I can see the policy list, after typing heroku run bash and convert -list policy:

Path: [built-in] Policy: Undefined rights: None

Path: /etc/ImageMagick/policy.xml [...] Policy: Coder rights: None pattern: HTTPS [...]

How can I change the policy?

update 1: this is the error in the log file:

Command failed: convert.im6: not authorized `//scontent-fra3-1.xx.fbcdn.net/v/t1.0-9/13962741_132344500547278_4974691444630710043_n.jpg?oh=c169b4ffce9e5ce330ee99214cc6b8d5&oe=5880F245'

fmw42
  • 46,825
  • 10
  • 62
  • 80
JohnnyTheTank
  • 668
  • 5
  • 14
  • See https://stackoverflow.com/questions/52861946/imagemagick-not-authorized-to-convert-pdf-to-an-image/52863413#52863413 – fmw42 Nov 08 '18 at 17:02

3 Answers3

4

I’ve found a relatively simple solution.

Create a .magick directory in your app’s source, and add your policy.xml there. Then, you’ll have to set the environment variable MAGICK_CONFIGURE_PATH to /app/.magick in order to load your file with higher precedence than the default one.

Eric Aya
  • 69,473
  • 35
  • 181
  • 253
Drarok
  • 3,612
  • 2
  • 31
  • 48
  • This is documented in Heroku's help docs too: https://help.heroku.com/RFDJQSG3/how-can-i-override-imagemagick-settings-in-a-policy-xml-file – stevenharman Aug 31 '22 at 18:32
1

We need to install the third party software ImageMagick on heroku. I used this https://github.com/ello/heroku-buildpack-imagemagick build pack for installing ImageMagick.

So, inside bin/compile, there is a policy file, which is restricting the images to read over Https, enable the attribute rights to read which allows to read over Https

Fork the repo and do your changes, commit and add that repository url to your heroku buildpacks

Theja Yerramareddy
  • 11
  • 1
  • 1
  • 1
    This is the solution that worked for me. `MAGICK_CONFIGURE_PATH` does not work with the default installation of ImageMagick on heroku. – agatheblues Jan 21 '21 at 10:46
  • @thejayerramareddy @agatheblues i tried this solution (see changes: https://github.com/mgiraldo/heroku-buildpack-imagemagick/blob/master/bin/compile#L63) and am still getting `attempt to perform an operation not allowed by the security policy 'HTTPS'`. `heroku run convert -list policy` displays Read rights for Coder in pattern HTTPS. any idea what might be wrong? – mga Oct 28 '21 at 19:33
0

Read the warnings at ImageTragick, then make a backup and delete the line that restricts you.

You can find the file to edit in the same directory as the other XML config files by doing the following - the file is called policy.xml:

convert -debug configure -list font 2>&1 | grep -E "Searching|Loading"
Mark Setchell
  • 191,897
  • 31
  • 273
  • 432
  • I'm sorry, I only know the ImageMagick side of things and don't use heroku myself. Hopefully, this will give someone who knows heroku enough of a clue as to what to do. – Mark Setchell Sep 10 '16 at 11:32
  • To the down-voter... you might have the courtesy to explain the down-vote so that I, and others, can learn what is so unacceptable about my attempt to assist. – Mark Setchell Sep 10 '16 at 13:10
  • 1
    You just repeated my problem, doesn't you? – JohnnyTheTank Sep 10 '16 at 14:03
  • No, I told you how to find the `policy.xml` file, which was useful information not in your original question before you just edited it, and I also told you *how* to change the file (by deleting the line) once you located it - which appeared to me to be what you were asking - given that your question was *"How can I change the policy?"*. At the very worst you could have ignored my answer if you felt it didn't add much, rather than kicking someone in the teeth who is trying to help out. – Mark Setchell Sep 10 '16 at 14:14
  • that's not true. this was my first version: http://stackoverflow.com/revisions/39425446/1 – JohnnyTheTank Sep 10 '16 at 15:30
  • What's not true? Your original question clearly did not contain the path of the `policy.xml` file, nor did it give any indication that you might have known that the solution would be to delete the line which prevented access. I thought either of those aspects might help you and rather than a polite *"thank you"*, you chose to down vote my answer. – Mark Setchell Sep 10 '16 at 15:56
  • I don't have time for this discussion here. Thanks for your try to help. It doesn't helped me, but for other user, your answer looked like "ah, someone helped him". Thats why I voted down, to signal, that this answer doesn't helped me a single bit. I want to focus on my problem and not to fight with you for your ego – JohnnyTheTank Sep 10 '16 at 16:03