ImageMagick 安全策略“PDF"阻止转换 [英] ImageMagick security policy 'PDF' blocking conversion

问题描述

Imagemagick 安全策略似乎不允许我执行从 pdf 到 png 的这种转换.转换其他扩展似乎有效，只是不能从 pdf 转换.自从安装 imagemagick 以来，我没有更改任何设置...如果操作系统很重要，我使用的是 Arch Linux.

The Imagemagick security policy seems to be not allowing me perform this conversion from pdf to png. Converting other extensions seem to be working, just not from pdf. I haven't changed any of the imagemagick settings since I installed it... I am using Arch Linux, if the OS matters.

user@machine $ convert -density 300 -depth 8 -quality 90 input.pdf output.png
convert: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/408.
convert: no images defined `output.png' @ error/convert.c/ConvertImageCommand/3288.

推荐答案

在修复 Ghostscript 后保留了 ImageMagick 更改，因为应用程序(尤其是 Web 应用程序)经常将任意用户提供的文件提供给 ImageMagick，并不总是强制执行格式限制正确地，而且，由于 Postscript(PDF 使用的)是一种在沙箱中运行的图灵完备的编程语言，因此沙箱中总有可能出现另一个漏洞.

The ImageMagick change was kept after Ghostscript was fixed because applications (especially web applications) often feed arbitrary user-supplied files to ImageMagick, don't always enforce format restrictions properly, and, since Postscript (which PDF uses) is a turing-complete programming language running in a sandbox, there's always the possibility of another hole in the sandbox.

最好保持配置，以便 ImageMagick 拒绝处理需要运行程序的文件，而是在您故意想要允许 Postscript 渲染时直接调用 Ghostscript.

It's much better to leave things configured so ImageMagick refuses to process files that require running a program and, instead, just invoke Ghostscript directly when you intentionally want to permit Postscript rendering.

这将通过像这样的 Ghostscript 命令来完成:

That would be accomplished by a Ghostscript command like this:

gs -dSAFER -r600 -sDEVICE=pngalpha -o foo.png myfile.pdf

是的，这是 ImageMagic 调用的 GhostScript 命令的变体.(参见 ImageMagick 的 delegates.xml.-o 是 -dBATCH -dNOPAUSE -sOutputFile= 的简写)

Yes, this is a variation on the GhostScript command ImageMagic calls. (see ImageMagick's delegates.xml. -o is shorthand for -dBATCH -dNOPAUSE -sOutputFile=)

重要的是 ImageMagick 保持锁定状态，您无需不必要地调用中间程序，并且您可以更好地控制渲染参数.(例如，-r600 是要渲染的 DPI，更改 -sDEVICE=pngalpha 允许您直接渲染为所需的格式)

What's important is that ImageMagick stays locked down, you don't needlessly invoke an intermediate program, and you get more control over the rendering parameters. (eg. -r600 is the DPI to render at and changing -sDEVICE=pngalpha allows you to render directly to your desired format)

这篇关于ImageMagick 安全策略“PDF"阻止转换的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！