diff --git a/tasks/php.yml b/tasks/php.yml index 6d93576efa1c70d278115c18f41fb6ff82b980fd..a2651fcac20c48c1f294c36eb7a24bc6aa269006 100644 --- a/tasks/php.yml +++ b/tasks/php.yml @@ -119,3 +119,19 @@ - include: oci.yml when: repository is defined and php_needs_oci8 and oci_available.stdout != '/usr/lib/php5/20090626/pdo_oci.so' + +- name: "PHP | Ensure ImageMagick config directory" + file: + dest=/etc/ImageMagick + state=directory + owner=root + group=root + mode=0755 + +- name: "PHP | ImageMagick Policy File" + template: + src=etc-imagemagick-policy.xml + dest=/etc/ImageMagick/policy.xml + owner=root + group=root + mode=0644 diff --git a/templates/etc-imagemagick-policy.xml b/templates/etc-imagemagick-policy.xml new file mode 100644 index 0000000000000000000000000000000000000000..19823c14c779758f2bc36e557b2f0eb6c3e10167 --- /dev/null +++ b/templates/etc-imagemagick-policy.xml @@ -0,0 +1,66 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE policymap [ +<!ELEMENT policymap (policy)+> +<!ELEMENT policy (#PCDATA)> +<!ATTLIST policy domain (delegate|coder|filter|path|resource) #IMPLIED> +<!ATTLIST policy name CDATA #IMPLIED> +<!ATTLIST policy rights CDATA #IMPLIED> +<!ATTLIST policy pattern CDATA #IMPLIED> +<!ATTLIST policy value CDATA #IMPLIED> +]> +<!-- + Configure ImageMagick policies. + + Domains include system, delegate, coder, filter, path, or resource. + + Rights include none, read, write, and execute. Use | to combine them, + for example: "read | write" to permit read from, or write to, a path. + + Use a glob expression as a pattern. + + Suppose we do not want users to process MPEG video images: + + <policy domain="delegate" rights="none" pattern="mpeg:decode" /> + + Here we do not want users reading images from HTTP: + + <policy domain="coder" rights="none" pattern="HTTP" /> + + Lets prevent users from executing any image filters: + + <policy domain="filter" rights="none" pattern="*" /> + + The /repository file system is restricted to read only. We use a glob + expression to match all paths that start with /repository: + + <policy domain="path" rights="read" pattern="/repository/*" /> + + Any large image is cached to disk rather than memory: + + <policy domain="resource" name="area" value="1GB"/> + + Define arguments for the memory, map, area, and disk resources with + SI prefixes (.e.g 100MB). In addition, resource policies are maximums for + each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB + exceeds policy maximum so memory limit is 1GB). +--> +<policymap> + <!-- <policy domain="system" name="precision" value="6"/> --> + <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> --> + <!-- <policy domain="resource" name="memory" value="2GiB"/> --> + <!-- <policy domain="resource" name="map" value="4GiB"/> --> + <!-- <policy domain="resource" name="area" value="1GB"/> --> + <!-- <policy domain="resource" name="disk" value="16EB"/> --> + <!-- <policy domain="resource" name="file" value="768"/> --> + <!-- <policy domain="resource" name="thread" value="4"/> --> + <!-- <policy domain="resource" name="throttle" value="0"/> --> + <!-- <policy domain="resource" name="time" value="3600"/> --> + <policy domain="coder" rights="none" pattern="EPHEMERAL" /> + <policy domain="coder" rights="none" pattern="HTTPS" /> + <policy domain="coder" rights="none" pattern="MVG" /> + <policy domain="coder" rights="none" pattern="MSL" /> + <policy domain="coder" rights="none" pattern="TEXT" /> + <policy domain="coder" rights="none" pattern="SHOW" /> + <policy domain="coder" rights="none" pattern="WIN" /> + <policy domain="coder" rights="none" pattern="PLT" /> +</policymap>