authorFranz Pletz <fpletz@fnordicwalking.de>2016-05-04 01:20:08 +0200
committerFranz Pletz <fpletz@fnordicwalking.de>2016-05-04 01:22:02 +0200
commit69c14985d034cf1b9add0fdcbacc4d997a576d11 (patch)
tree836583e5a307cc145b75001af5aeb126740d9e24 /pkgs/applications/graphics/ImageMagick
parent05eae0242d7483ffe29c006ce6b3b8b238bce284 (diff)
imagemagick: Disable insecure coders (ImageTragick)
See:

  * https://imagetragick.com/
  * https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
Diffstat (limited to 'pkgs/applications/graphics/ImageMagick')
-rw-r--r--pkgs/applications/graphics/ImageMagick/default.nix2
-rw-r--r--pkgs/applications/graphics/ImageMagick/imagetragick.patch15
2 files changed, 17 insertions, 0 deletions
diff --git a/pkgs/applications/graphics/ImageMagick/default.nix b/pkgs/applications/graphics/ImageMagick/default.nix
index 6957002f6e81..b97eb5a6580a 100644
--- a/pkgs/applications/graphics/ImageMagick/default.nix
+++ b/pkgs/applications/graphics/ImageMagick/default.nix
@@ -24,6 +24,8 @@ stdenv.mkDerivation rec {
     sha256 = "0q19jgn1iv7zqrw8ibxp4z57iihrc9kyb09k2wnspcacs6vrvinf";
   };
 
+  patches = [ ./imagetragick.patch ];
+
   outputs = [ "out" "doc" ];
 
   enableParallelBuilding = true;
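Review bot: The new `patches = [ ./imagetragick.patch ];` line has no comment saying that it is a security mitigation, so a later version bump could drop it as a stale patch without noticing that the coders become reachable again. A one-line comment above it would help, for example `# ImageTragick mitigation: disables risky coders in config/policy.xml, see https://imagetragick.com/`. It would also help to record when the patch may be removed, presumably once the packaged release ships an equivalent default policy or fixed coders. The mkDerivation body continues outside this hunk, so I cannot see whether the patched policy.xml is the file that ends up installed and read at runtime.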
diff --git a/pkgs/applications/graphics/ImageMagick/imagetragick.patch b/pkgs/applications/graphics/ImageMagick/imagetragick.patch
new file mode 100644
index 000000000000..bdb152dd23a8
--- /dev/null
+++ b/pkgs/applications/graphics/ImageMagick/imagetragick.patch
@@ -0,0 +1,15 @@
+diff --git a/config/policy.xml b/config/policy.xml
+index ca3b022..b058c05 100644
+--- a/config/policy.xml
++++ b/config/policy.xml
+@@ -58,4 +58,10 @@
+   <!-- <policy domain="resource" name="time" value="3600"/> -->
+   <!-- <policy domain="system" name="precision" value="6"/> -->
+   <policy domain="cache" name="shared-secret" value="passphrase"/>
++
++  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
++  <policy domain="coder" rights="none" pattern="URL" />
++  <policy domain="coder" rights="none" pattern="HTTPS" />
++  <policy domain="coder" rights="none" pattern="MVG" />
++  <policy domain="coder" rights="none" pattern="MSL" />
+ </policymap>
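Review bot: The five `rights="none"` entries appended before `</policymap>` only help if this policy.xml is the one ImageMagick loads at runtime, and nothing in the commit checks that. Running `convert -list policy` against the built package and confirming that EPHEMERAL, URL, HTTPS, MVG and MSL all appear would close that gap. It is also worth confirming that `pattern="URL"` denies plain HTTP and FTP reads, since only HTTPS is listed by name. A short XML comment above the block, such as `<!-- ImageTragick mitigation, see https://imagetragick.com/ -->`, would keep the reason visible in the installed file. Separately, the unchanged context line leaves the cache `shared-secret` at the literal `passphrase`; that appears to be the upstream default rather than something this commit adds, but it deserves a look if the distributed pixel cache is ever enabled.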