Nextcloud error ImagickException in the logs [and how to fix it]
On the new server, the old problems are coming back. Yesterday I activated the Preview Generator in Nextcloud and today I found the following ImagickException message in my logs.
ImagickException: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/408
I know this one and I fixed it before. It comes from trying to generate a preview image from a PDF file. I remember there's an XML configuration file to be edited.
Some thoughts before editing the XML.
PDF (Portable Document Format) is based on PS (PostScript). PostScript is a programming language for describing the page layout, and Ghostscript or Acrobat Reader is the corresponding language interpreter.
So keep in mind that every time you're viewing a PDF you're running a program. If the PDF comes from an unknown source, it's best practice not to open it without taking precautions.
Before writing files (PDF, PS, EPS, XPS) to storage or running the preview generation, they should at least be checked for known viruses. If in doubt, disable the preview generation of PostScript-based formats. The PostScript formats were disabled for good reasons; see CERT/CC Vulnerability Note VU#332928 for this.
Now to the solution of re-enabling Ghostscript processing.
Edit /etc/ImageMagick/policy.xml and comment out the needed file types.
OH SHIT! First I need to figure out how to post less-than and greater-than special characters in Hubzilla.
<policy domain="coder" rights="read" pattern="PDF" />
I only re-enabled reading for PDF files, by changing the policy for pattern=PDF from rights=none to rights=read. So I allowed reading the PDF and converting it to other image formats. For security reasons, writing of PDF is less of a risk than reading, so I could have changed it to rights=read|write, possibly without additional risk. I'm always a better-safe-than-sorry guy.
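To check what a policy.xml actually grants after such an edit, here is a small auditor, added as an example and not part of the original post, that reports the effective rights for the PostScript-based coders named above. It shows the difference between setting rights=read and commenting an entry out, which removes the restriction entirely. Assumptions: the function names and the sample policy are constructed for illustration, ImageMagick allows an operation when no entry matches, and the last matching entry in file order decides.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Formats the article names as PostScript-based.
POSTSCRIPT_FAMILY = ("PDF", "PS", "EPS", "XPS")

def parse_rights(value):
    """Turn 'read | write' into {'read', 'write'}; 'none' into an empty set."""
    tokens = {t.strip().lower() for t in value.split("|") if t.strip()}
    return tokens - {"none"}

def patterns(pattern):
    """Expand a '{A,B}' alternation; other patterns pass through as globs."""
    if pattern.startswith("{") and pattern.endswith("}"):
        return [p.strip() for p in pattern[1:-1].split(",")]
    return [pattern]

def effective_rights(policy_xml, coder):
    """Rights for one coder. Assumption: with no matching entry ImageMagick
    allows the operation, and the last matching entry in file order decides."""
    rights = {"read", "write"}  # default when nothing matches
    for node in ET.fromstring(policy_xml).iter("policy"):
        if node.get("domain", "").lower() != "coder":
            continue
        if any(fnmatch.fnmatchcase(coder.upper(), p.upper())
               for p in patterns(node.get("pattern", ""))):
            rights = parse_rights(node.get("rights", "none"))
    return rights

def audit(policy_xml):
    """Map each PostScript-family coder to a sorted list of granted rights."""
    return {c: sorted(effective_rights(policy_xml, c)) for c in POSTSCRIPT_FAMILY}

# Constructed sample: PDF set to read-only as in the article, PS and XPS still
# blocked, and the EPS entry commented out (so no restriction applies to it).
SAMPLE = """<policymap>
  <policy domain="coder" rights="none" pattern="PS" />
  <!-- <policy domain="coder" rights="none" pattern="EPS" /> -->
  <policy domain="coder" rights="read" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>"""

if __name__ == "__main__":
    for coder, rights in audit(SAMPLE).items():
        print(f"{coder}: {' | '.join(rights) or 'none'}")
```

On the sample, the commented-out EPS entry ends up with both read and write, while the PDF entry edited to rights=read stays read-only.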
--
An unknown source can never be trusted.
As less as possible. As much as needed.
Running a server or service comes with work to do and that's what I love about it.