~cytrogen/masto-fe

ref: 86ba8d3e14955841fed45b49114e06b7a3473ba4 masto-fe/config/imagemagick/policy.xml -rw-r--r-- 1.0 KiB
86ba8d3e — Claire Merge pull request #2368 from ClearlyClaire/glitch-soc/merge-upstream 2 years ago
                                                                                
<!--
  ImageMagick security policy shipped with the application.

  It denies by default: URL fetching, filters, indirect (@file) reads and all
  coders are switched off, then only the listed image coders are re-enabled.
  Keep the blanket "none" entries ahead of the allow entries; this follows the
  allowlist layout from the ImageMagick policy documentation, and reordering
  may change which rule takes effect.

  NOTE(review): there is no entry for the "delegate" domain in this file.
  Confirm that the coder allowlist alone keeps external delegate programs
  from being invoked in the deployed ImageMagick build.
-->
<policymap>
  <!--
    Set some basic system resource limits.
    "time" caps how long a single ImageMagick operation may run (in seconds).
    NOTE(review): only the time limit is set here. The memory, map, disk,
    area, width and height resources are not limited by this file, so very
    large or highly compressed inputs are bounded only by ImageMagick's
    built-in defaults and any size checks the application does itself. Confirm
    those are adequate for the host.
  -->
  <policy domain="resource" name="time" value="60" />

  <!--
    Deny the URL module so ImageMagick cannot fetch remote resources on its
    own (relevant to server-side request forgery through crafted input).
  -->
  <policy domain="module" rights="none" pattern="URL" />

  <!-- Deny every filter; none are re-enabled anywhere in this file. -->
  <policy domain="filter" rights="none" pattern="*" />

  <!--
    Ideally, we would restrict ImageMagick to only accessing its own
    disk-backed pixel cache as well as Mastodon-created Tempfiles.

    However, those paths depend on the operating system and environment
    variables, so they can only be known at runtime.

    Furthermore, those paths are not necessarily shared across Mastodon
    processes, so even creating a policy.xml at runtime is impractical.

    For the time being, only disable indirect reads.

    The rule below denies any path beginning with "@", the syntax ImageMagick
    uses to read an argument's content from a file. All other filesystem
    paths remain readable and writable as far as this policy is concerned, so
    path confinement has to come from the operating system or the caller.
  -->
  <policy domain="path" rights="none" pattern="@*" />

  <!-- Disallow any coder by default, and only enable ones required by Mastodon -->
  <policy domain="coder" rights="none" pattern="*" />
  <!-- Formats that may be both decoded from input and encoded as output. -->
  <policy domain="coder" rights="read | write" pattern="{JPEG,PNG,GIF,WEBP,HEIC,AVIF}" />
  <!-- Write-only coders: they can be produced as output but never decoded from input. -->
  <policy domain="coder" rights="write" pattern="{HISTOGRAM,RGB,INFO}" />
</policymap>