Reputation: 8876
The Imagemagick security policy seems to be not allowing me perform this conversion from pdf to png. Converting other extensions seem to be working, just not from pdf. I haven't changed any of the imagemagick settings since I installed it... I am using Arch Linux, if the OS matters.
user@machine $ convert -density 300 -depth 8 -quality 90 input.pdf output.png
convert: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/408.
convert: no images defined `output.png' @ error/convert.c/ConvertImageCommand/3288.
Upvotes: 892
Views: 455121
Reputation: 180
For those who are struggling with PHP returning "attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/413" error, after changing policy.xml you need to re-install php-imagick module!! I've spent hours playing with policy.xml and restarting Apache, but only re-installing php-imagick helped:
policy.xml:
<policy domain="coder" rights="read | write" pattern="PDF" />
And then
sudo apt remove php-imagick
sudo apt update
sudo apt install php-imagick
Upvotes: 0
Reputation: 73
Thank you @tanius and others for the detailed answers !
I'd just add to it the following points.
The path of the policy file policy.xml may change with the version of the ImageMagick like /etc/ImageMagick-6/policy.xml or /etc/ImageMagick-7/policy.xml etc. So update it accordingly.
As the policy to prevent or allow the conversion for some filetypes is a security measure, you may like to reset the changes to the policy.xml after the task is done so that there is no possibilty of the corresponding attack, if the system is accessible to attackers !
Happy speedy file conversions meanwhile !
Upvotes: 1
Reputation: 905
I was experiencing this issue with nextcloud which would fail to create thumbnails for pdf files.
However, none of the suggested steps would solve the issue for me.
Eventually I found the reason: The accepted answer did work but I had to also restart php-fpm after editing the policy.xml file:
sudo systemctl restart php7.2-fpm.service
Upvotes: 16
Reputation: 16849
This issue is a workaround for a security vulnerability. The vulnerability has been addressed in Ghostscript 9.24, so if you have that or a newer version, you don't need the workaround anymore.
On Ubuntu 19.04 through 22.04 and probably any later versions with ImageMagick 6, here's how you fix the issue by removing that workaround:
Make sure you have Ghostscript ā„9.24:
gs --version
If yes, just remove this whole following section from /etc/ImageMagick-6/policy.xml
:
<!-- disable ghostscript format types -->
<policy domain="coder" rights="none" pattern="PS" />
<policy domain="coder" rights="none" pattern="PS2" />
<policy domain="coder" rights="none" pattern="PS3" />
<policy domain="coder" rights="none" pattern="EPS" />
<policy domain="coder" rights="none" pattern="PDF" />
<policy domain="coder" rights="none" pattern="XPS" />
Details: Removing just the line with pattern="PDF"
inside would be enough to re-enable PDF conversion. On my computer, I removed the lines for the other PostScript-based filetypes as well just because I can't see a reason to prevent Image Magick from working with such files. (Talking about a personal computer only. On a web server, you might consider it dangerous as PostScript-based files can contain scripts ā¦ actually, PostScript is script.)
Attribution: @jakob-r's comment on another answer. Plus the helpful comments below ā š
Upvotes: 675
Reputation: 541
Manjaro April 2021
Just remove uncommented line inside <policymap>
in /etc/ImageMagick-7/policy.xml
Upvotes: 4
Reputation: 319
On Ubuntu 19.10, I have done this in /etc/ImageMagick-6/policy.xml
uncomment this
<policy domain="module" rights="read | write" pattern="{PS,PDF,XPS}" />
and comment this
<!-- <policy domain="coder" rights="none" pattern="PDF" /> -->
After that, this command work without error
convert -thumbnail x300 -background white -alpha remove sample.pdf sample.png
Upvotes: 21
Reputation: 4540
In my case i'm useing ubuntu 20.10 and the Imagick-7.
in my /etc/ImageMagick-6/policy.xml I've removed below lines, restarted my machine and I'm done.
<policy domain="coder" rights="none" pattern="PS" />
<policy domain="coder" rights="none" pattern="PS2" />
<policy domain="coder" rights="none" pattern="PS3" />
<policy domain="coder" rights="none" pattern="EPS" />
<policy domain="coder" rights="none" pattern="PDF" />
<policy domain="coder" rights="none" pattern="XPS" />
Upvotes: 10
Reputation: 14011
As a highly active comment by @Richard Kiefer, a simple fix is like this
$ sudo sed -i '/disable ghostscript format types/,+6d' /etc/ImageMagick-6/policy.xml
Upvotes: 34
Reputation: 1093
For me on Arch Linux, I had to comment this:
<policy domain="delegate" rights="none" pattern="gs" />
Upvotes: 58
Reputation: 10597
Well, I added
<policy domain="coder" rights="read | write" pattern="PDF" />
just before </policymap>
in /etc/ImageMagick-7/policy.xml
and that makes it work again, but not sure about the security implications of that.
Upvotes: 931
Reputation: 15355
The ImageMagick change was kept after Ghostscript was fixed because applications (especially web applications) often feed arbitrary user-supplied files to ImageMagick, don't always enforce format restrictions properly, and, since Postscript (which PDF uses) is a turing-complete programming language running in a sandbox, there's always the possibility of another hole in the sandbox.
It's much better to leave things configured so ImageMagick refuses to process files that require running a program and, instead, just invoke Ghostscript directly when you intentionally want to permit Postscript rendering.
That would be accomplished by a Ghostscript command like this:
gs -dSAFER -r600 -sDEVICE=pngalpha -o foo.png myfile.pdf
Yes, this is a variation on the GhostScript command ImageMagic calls. (see ImageMagick's delegates.xml
. -o
is shorthand for -dBATCH -dNOPAUSE -sOutputFile=
)
What's important is that ImageMagick stays locked down, you don't needlessly invoke an intermediate program, and you get more control over the rendering parameters. (eg. -r600
is the DPI to render at and changing -sDEVICE=pngalpha
allows you to render directly to your desired format)
Upvotes: 49
Reputation: 675
Adding to Stefan Seidel's answer.
Well, at least in Ubuntu 20.04.2 LTS or maybe in other versions you can't really edit the policy.xml file directly in a GUI way. Here is a terminal way to edit it.
Open the policy.xml file in terminal by entering this command -
sudo nano /etc/ImageMagick-6/policy.xml
Now, directly edit the file in terminal, find
<policy domain="coder" rights="none" pattern="PDF" />
and replace none
with read|write
as shown in the picture. Then press Ctrl+X to exit.
Upvotes: 26
Reputation: 3992
Works in Ubuntu 20.04
Add this line inside <policymap>
<policy domain="module" rights="read|write" pattern="{PS,PDF,XPS}" />
Comment these lines:
<!--
<policy domain="coder" rights="none" pattern="PS" />
<policy domain="coder" rights="none" pattern="PS2" />
<policy domain="coder" rights="none" pattern="PS3" />
<policy domain="coder" rights="none" pattern="EPS" />
<policy domain="coder" rights="none" pattern="PDF" />
<policy domain="coder" rights="none" pattern="XPS" />
-->
Upvotes: 32
Reputation: 2344
As pointed out in some comments, you need to edit the policies of ImageMagick in /etc/ImageMagick-7/policy.xml
. More particularly, in ArchLinux at the time of writing (05/01/2019) the following line is uncommented:
<policy domain="coder" rights="none" pattern="{PS,PS2,PS3,EPS,PDF,XPS}" />
Just wrap it between <!--
and -->
to comment it, and pdf conversion should work again.
Upvotes: 186
Reputation: 391
For me on my archlinux system the line was already uncommented. I had to replace "none" by "read | write " to make it work.
Upvotes: 39