Imagemagick Security Policy 'Pdf' Blocking Conversion

ImageMagick security policy 'PDF' blocking conversion

The ImageMagick change was kept after Ghostscript was fixed because applications (especially web applications) often feed arbitrary user-supplied files to ImageMagick, don't always enforce format restrictions properly, and, since Postscript (which PDF uses) is a turing-complete programming language running in a sandbox, there's always the possibility of another hole in the sandbox.

It's much better to leave things configured so ImageMagick refuses to process files that require running a program and, instead, just invoke Ghostscript directly when you intentionally want to permit Postscript rendering.

That would be accomplished by a Ghostscript command like this:

gs -dSAFER -r600 -sDEVICE=pngalpha -o foo.png myfile.pdf

Yes, this is a variation on the GhostScript command ImageMagic calls. (see ImageMagick's delegates.xml. -o is shorthand for -dBATCH -dNOPAUSE -sOutputFile=)

What's important is that ImageMagick stays locked down, you don't needlessly invoke an intermediate program, and you get more control over the rendering parameters. (eg. -r600 is the DPI to render at and changing -sDEVICE=pngalpha allows you to render directly to your desired format)

ImageMagick ghostscript 'delegate' security policy blocking conversion

<policy domain="delegate" rights="none" pattern="gs" />

needs to be commented out. This is now noted on the imagemagick page of the arch wiki. That page currently cites these bug reports: FS#59778, FS#62171

For some reason, this didn't immediately work for me. Somehow I got it to work today by moving policy.xml to a backup (deleting), running the convert command, and moving back the original with the line above commented out.

ImageMagick not authorized to convert PDF to an image

emcconville is correct. More specifically edit the Imagemagick policy.xml file to uncomment this line:

  <!-- <policy domain="module" rights="none" pattern="{PS,PDF,XPS}" /> -->

And change it from rights="none" to rights="read|write"

  <policy domain="module" rights="read|write" pattern="{PS,PDF,XPS}" />

This was a recent addition to the policy.xml file, I believe, due to a security flaw found in the Ghostscript delegate. I think that flaw has now been fixed in the current version of Ghostscript, which is 9.25.

NOTE: On some systems the policy line will have domain="coder" rather than domain="module"

How can I convert pdf to png now that imagemagik no longer works on my shared hosting server

I decided that getting policy.xml changed to allow pdf was not a good solution because it might just be overwritten at the next release and put me right back where I am. Research uncovered that ImageMagick uses Ghostscript to do the pdf conversions so why put up with an unreliable middleman. More research found some command line batch instructions to do the conversion. However, the resolution was terrible. Only when I got up to close to the resolution of 300 did I get good results but the file was huge. Ghostscript has a command that allows high internal resolution and then a downscale factor to bring the file to a smaller size. Why this is better than just directly converting to the file size I want is a mystery but this is the recommended solution and experimentation showed it to be of high quality. The final solution is as follows:

$gscommand = "gs -dNOPAUSE -dBATCH -r300 -dDownScaleFactor=3  -sDEVICE=png16m -sOutputFile=\"" .$file . "_%d.png\"  " . $file . ".pdf";
$returnedvalue = exec($gscommand);

In closing, this seems to be a pretty common problem without a solution other than use a different program. One recommended is pdftoppm which I did not find how to install on a shared host system and with Ghostscript doing the job there is no need to figure that out.

I hope this post helps others faced with this problem.

Attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/408

I also faced same issue, when I tried to parse pdf using pyocr

wand.exceptions.PolicyError: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/408

To solve this issue, I edit policy.xml of ImageMagick-6. In that file, change the policy rights to read/write

<policy domain="coder" rights="none" pattern="PDF" />

change to

<policy domain="coder" rights="read|write" pattern="PDF" />

If it doesn't solve your issue, you can also enable the below line in same file.

<!-- <policy domain="module" rights="none" pattern="{PS,PDF,XPS}" /> -->

change to

<policy domain="module" rights="read|write" pattern="{PS,PDF,XPS}" /> 

ImageMagick unable to convert PDF to images on WSL

You can find it like this:

identify -list configure | grep CONFIGURE_PATH

Failing that, use this search.

Failing that, use find in your WSL environment like this:

find / -name policy.xml 2> /dev/null

Failing that, just use Windows' Search to find a file calledpolicy.xml

ImageMagick convert adds whitespace when converting PDF to PNG

The hint from KenS was exactly what I was looking for - the PDF defines a CropBox that ImageMagick 7.1.0 was not using by default. The solution therefore is to modify the command to include the following -define information:

convert -define pdf:use-cropbox=true file.pdf /tmp/file.png 

Thank you all for your help!

---

Related Topics