How to customize ImageMagick configuration

Say you want to support large images or different image formats. These are defined in configuration files listed here. You can override the defaults set by Platform.sh by providing one or more of these files and placing them in a custom path stored in MAGICK_CONFIGURE_PATH variable.

For example, if you have a custom policy.xml file defining how to process large files:

  1. Place the policy.xml in a location which is not publicly accessible (for example, in /app/imagemagick directory).

  2. Create an environment variable env:MAGICK_CONFIGURE_PATH with the value of /app/your_policy_directory as the location. In .platform.app.yaml:

    variables:
      env:
        MAGICK_CONFIGURE_PATH: "/app/imagemagick"
    

Afterwards, your custom settings should override the defaults.

Thank you for sharing this!

I just tried to enable PDF thumbnail generation in my PHP 8.0 app (which runs ImageMagick 6.9.10-23).

<policymap>
    <policy domain="coder" rights="read|write" pattern="PDF" />
</policymap>

Turns out the custom policy file gets picked up correctly, by running “convert -list policy”.
But you can’t allow stuff that is disabled globally as it’s stated here https://stackoverflow.com/a/52719789

So, any ideas how to enable PDF thumbnails in PHP 8.0 apps?
(PHP 7.4 with ImageMagick 6.9.7-4 worked perfectly)


SOLVED: for PDF thumbnail generation you only need read access, which seems to be accepted

<policymap>
    <policy domain="coder" rights="read" pattern="PDF" />
</policymap>

For PHP 8.0 I was able to get this to work via the following changes.

The big change is re-including the default policy path to set the order of policy preferences correctly.

Still waiting on the maintainers to reactive these settings by default.

variables:
    env:
        MAGICK_CONFIGURE_PATH: "/app/.magick/:/etc/ImageMagick-6/"

runtime:
    extensions:
        - imagick
<policymap>
    <policy domain="coder" rights="read | write" pattern="PDF" />
</policymap>

Interesting. Based on the claim that it’s not allowed to override this for security reasons from the global defaults, being able to override by specifying the default directory explicitly feels like a (security) bug that might break again in the future as everyone can change the environment variable like this?

Is this approach still working for those on this thread?

I tried the above along with some variations and although the custom policy shows up in “convert -list policy” an attempt to generate a jpg from a pdf get the same error →

“convert-im6.q16: attempt to perform an operation not allowed by the security policy `PDF’ @ error/constitute.c/IsCoderAuthorized/408.”