--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>\r
+<!DOCTYPE policymap [\r
+ <!ELEMENT policymap (policy)+>\r
+ <!ATTLIST policymap xmlns CDATA #FIXED ''>\r
+ <!ELEMENT policy EMPTY>\r
+ <!ATTLIST policy xmlns CDATA #FIXED '' domain NMTOKEN #REQUIRED\r
+ name NMTOKEN #IMPLIED pattern CDATA #IMPLIED rights NMTOKEN #IMPLIED\r
+ stealth NMTOKEN #IMPLIED value CDATA #IMPLIED>\r
+ ]>\r
+<!--\r
+ Configure ImageMagick policies.\r
+\r
+ Domains include system, delegate, coder, filter, path, or resource.\r
+\r
+ Rights include none, read, write, execute and all. Use | to combine them,\r
+ for example: "read | write" to permit read from, or write to, a path.\r
+\r
+ Use a glob expression as a pattern.\r
+\r
+ Suppose we do not want users to process MPEG video images:\r
+\r
+ <policy domain="delegate" rights="none" pattern="mpeg:decode" />\r
+\r
+ Here we do not want users reading images from HTTP:\r
+\r
+ <policy domain="coder" rights="none" pattern="HTTP" />\r
+\r
+ The /repository file system is restricted to read only. We use a glob\r
+ expression to match all paths that start with /repository:\r
+\r
+ <policy domain="path" rights="read" pattern="/repository/*" />\r
+\r
+ Lets prevent users from executing any image filters:\r
+\r
+ <policy domain="filter" rights="none" pattern="*" />\r
+\r
+ Any large image is cached to disk rather than memory:\r
+\r
+ <policy domain="resource" name="area" value="1GP"/>\r
+\r
+ Define arguments for the memory, map, area, width, height and disk resources\r
+ with SI prefixes (.e.g 100MB). In addition, resource policies are maximums\r
+ for each instance of ImageMagick (e.g. policy memory limit 1GB, -limit 2GB\r
+ exceeds policy maximum so memory limit is 1GB).\r
+\r
+ Rules are processed in order. Here we want to restrict ImageMagick to only\r
+ read or write a small subset of proven web-safe image types:\r
+\r
+ <policy domain="delegate" rights="none" pattern="*" />\r
+ <policy domain="filter" rights="none" pattern="*" />\r
+ <policy domain="coder" rights="none" pattern="*" />\r
+ <policy domain="coder" rights="read|write" pattern="{GIF,JPEG,PNG,WEBP}" />\r
+-->\r
+<policymap>\r
+ <!-- <policy domain="system" name="shred" value="2"/> -->\r
+ <!-- <policy domain="system" name="precision" value="6"/> -->\r
+ <!-- <policy domain="system" name="memory-map" value="anonymous"/> -->\r
+ <!-- <policy domain="system" name="max-memory-request" value="256MiB"/> -->\r
+ <!-- <policy domain="resource" name="temporary-path" value="/tmp"/> -->\r
+ <policy domain="resource" name="memory" value="2GiB"/>\r
+ <policy domain="resource" name="map" value="4GiB"/>\r
+ <policy domain="resource" name="width" value="128KP"/>\r
+ <policy domain="resource" name="height" value="128KP"/>\r
+ <!-- <policy domain="resource" name="list-length" value="128"/> -->\r
+ <policy domain="resource" name="area" value="1.0737GP"/>\r
+ <policy domain="resource" name="disk" value="16GiB"/>\r
+ <policy domain="resource" name="file" value="768"/>\r
+ <policy domain="resource" name="thread" value="8"/>\r
+ <policy domain="resource" name="throttle" value="0"/>\r
+ <!-- <policy domain="resource" name="time" value="3600"/> -->\r
+ <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->\r
+ <!-- <policy domain="module" rights="none" pattern="{PS,PDF,XPS}" /> -->\r
+ <!-- <policy domain="delegate" rights="none" pattern="HTTPS" /> -->\r
+ <!-- <policy domain="path" rights="none" pattern="@*" /> -->\r
+ <!-- <policy domain="cache" name="memory-map" value="anonymous"/> -->\r
+ <!-- <policy domain="cache" name="synchronize" value="True"/> -->\r
+ <!-- <policy domain="cache" name="shared-secret" value="passphrase" stealth="true"/> -->\r
+ <!-- <policy domain="system" name="pixel-cache-memory" value="anonymous"/> -->\r
+ <!-- <policy domain="system" name="shred" value="2"/> -->\r
+ <!-- <policy domain="system" name="precision" value="6"/> -->\r
+ <!-- not needed due to the need to use explicitly by mvg: -->\r
+ <!-- <policy domain="delegate" rights="none" pattern="MVG" /> -->\r
+ <!-- use curl -->\r
+ <policy domain="delegate" rights="none" pattern="URL" />\r
+ <policy domain="delegate" rights="none" pattern="HTTPS" />\r
+ <policy domain="delegate" rights="none" pattern="HTTP" />\r
+ <!-- in order to avoid to get image with password text -->\r
+ <policy domain="path" rights="none" pattern="@*"/>\r
+ <!-- disable ghostscript format types -->\r
+ <policy domain="coder" rights="none" pattern="PS" />\r
+ <policy domain="coder" rights="none" pattern="PS2" />\r
+ <policy domain="coder" rights="none" pattern="PS3" />\r
+ <policy domain="coder" rights="none" pattern="EPS" />\r
+ <policy domain="coder" rights="none" pattern="PDF" />\r
+ <policy domain="coder" rights="none" pattern="XPS" />\r
+</policymap>
\ No newline at end of file
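Review bot: The Ghostscript hardening at the end of the hunk relies on six name-based coder rules (PS, PS2, PS3, EPS, PDF, XPS) while the broader module-domain rule that targets the same modules is left commented out just above them (`<!-- <policy domain="module" rights="none" pattern="{PS,PDF,XPS}" /> -->`); a coder rule appears to match only the listed coder names, so if the target ImageMagick version supports the module domain, enabling that line in addition is the more robust way to keep Ghostscript out of the decode path — confirm against the installed version's policy documentation. The time resource limit is also commented out (`<!-- <policy domain="resource" name="time" value="3600"/> -->`), so processing of an untrusted input is bounded by memory, disk and area but not by wall-clock; for a service handling uploads consider enabling it with a value sized to the workload. Style-wise, the commented system shred/precision rules appear twice (once at the top of policymap and again lower down) and should be kept in one place, and the comments `use curl` and `in order to avoid to get image with password text` do not explain the rules beneath them. A comment such as `<!-- disable @file indirect filename reads so a filename cannot pull in local text files -->` above the path rule, and `<!-- remote fetches are handled outside ImageMagick; block URL/HTTP/HTTPS delegates -->` above the delegate rules, would state the intent of each group.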