1

I am trying to load a pdf into imagick, but I am getting the following result:

(1/1) ImagickException
not authorized `/var/sample.pdf' @ error/constitute.c/ReadImage/412

I am using the following code:

$imagick = new Imagick( '/var/sample.pdf' );

Imagick has always worked for me, but after updating it, this exception happens with any file, anywhere. The file's permissions are 777. I am using Ubuntu Server 16.04 LTE.

Does anybody know how to solve this?

Karl Johan Vallner
  • 3,980
  • 4
  • 35
  • 46
  • Does this answer your question? [convert:not authorized \`aaaa\` @ error/constitute.c/ReadImage/453](https://stackoverflow.com/questions/42928765/convertnot-authorized-aaaa-error-constitute-c-readimage-453) – kenorb Jul 14 '20 at 16:15

3 Answers3

7
sudo -s (or su -)
apt install ghostscript -y
ln -s /usr/local/bin/gs /usr/bin/gs
cp /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xml.bak
sed -i "s/rights\=\"none\" pattern\=\"PS\"/rights\=\"read\|write\" pattern\=\"PS\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights\=\"none\" pattern\=\"EPI\"/rights\=\"read\|write\" pattern\=\"EPI\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights\=\"none\" pattern\=\"PDF\"/rights\=\"read\|write\" pattern\=\"PDF\"/" /etc/ImageMagick-6/policy.xml
sed -i "s/rights\=\"none\" pattern\=\"XPS\"/rights\=\"read\|write\" pattern\=\"XPS\"/" /etc/ImageMagick-6/policy.xml
service php7.2-fpm restart && service nginx restart

I figured it out tonight. Since I had upgraded my Ubuntu, imagick installed a new policy.xml file, which did not allow me to open that .pdf file.

You have to set the correct permissions in policy.xml, so you can correctly open the files.

policy.xml location (Unix)

/etc/ImageMagick-6/policy.xml

new policy.xml (the domain="coder" parts are what I configured.)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policymap [
<!ELEMENT policymap (policy)+>
<!ELEMENT policy (#PCDATA)>
<!ATTLIST policy domain (delegate|coder|filter|path|resource) #IMPLIED>
<!ATTLIST policy name CDATA #IMPLIED>
<!ATTLIST policy rights CDATA #IMPLIED>
<!ATTLIST policy pattern CDATA #IMPLIED>
<!ATTLIST policy value CDATA #IMPLIED>
]>
<!--
  Configure ImageMagick policies.

  Domains include system, delegate, coder, filter, path, or resource.

  Rights include none, read, write, and execute.  Use | to combine them,
  for example: "read | write" to permit read from, or write to, a path.

  Use a glob expression as a pattern.

  Suppose we do not want users to process MPEG video images:

    <policy domain="delegate" rights="none" pattern="mpeg:decode" />

  Here we do not want users reading images from HTTP:

    <policy domain="coder" rights="none" pattern="HTTP" />

  Lets prevent users from executing any image filters:

    <policy domain="filter" rights="none" pattern="*" />

  The /repository file system is restricted to read only.  We use a glob
  expression to match all paths that start with /repository:

    <policy domain="path" rights="read" pattern="/repository/*" />

  Any large image is cached to disk rather than memory:

    <policy domain="resource" name="area" value="1GB"/>

  Define arguments for the memory, map, area, and disk resources with
  SI prefixes (.e.g 100MB).  In addition, resource policies are maximums for
  each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB
  exceeds policy maximum so memory limit is 1GB).
-->
<policymap>
  <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->
  <!-- <policy domain="resource" name="memory" value="2GiB"/> -->
  <!-- <policy domain="resource" name="map" value="4GiB"/> -->
  <!-- <policy domain="resource" name="area" value="1GB"/> -->
  <!-- <policy domain="resource" name="disk" value="16EB"/> -->
  <!-- <policy domain="resource" name="file" value="768"/> -->
  <!-- <policy domain="resource" name="thread" value="4"/> -->
  <!-- <policy domain="resource" name="throttle" value="0"/> -->
  <!-- <policy domain="resource" name="time" value="3600"/> -->
  <!-- <policy domain="system" name="precision" value="6"/> -->
  <policy domain="cache" name="shared-secret" value="passphrase"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>
Alailson Ribeiro
  • 3
  • 1
Karl Johan Vallner
  • 3,980
  • 4
  • 35
  • 46
  • 2
    Yes. That is correct. That was a new entry in the policy.xml file due to recently uncovered security issues with Ghostscript, which I believe now have been fixed in the latest Ghostscript. – fmw42 Oct 16 '18 at 20:13
1

Use the following code in PHP to set the temporary path:

$i = new Imagick();
$i->setRegistry('temporary-path', '/efs');
Stephen Ostermiller
  • 23,933
  • 14
  • 88
  • 109
Lakin Mohapatra
  • 1,097
  • 11
  • 22
0

Use the below command to delete the policy file to fix it.

rm /etc/<ImageMagick_PATH>/policy.xml

for me it was ImageMagick6 and the command was :

sudo rm /etc/ImageMagick-6/policy.xml
Sujeet Kumar
  • 1,280
  • 1
  • 17
  • 25