From 69c14985d034cf1b9add0fdcbacc4d997a576d11 Mon Sep 17 00:00:00 2001
From: Franz Pletz <fpletz@fnordicwalking.de>
Date: Wed, 4 May 2016 01:20:08 +0200
Subject: [PATCH] imagemagick: Disable insecure coders (ImageTragick)

See:

  * https://imagetragick.com/
  * https://www.imagemagick.org/discourse-server/viewtopic.php?f=4&t=29588
---
 .../applications/graphics/ImageMagick/default.nix |  2 ++
 .../graphics/ImageMagick/imagetragick.patch       | 15 +++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 pkgs/applications/graphics/ImageMagick/imagetragick.patch

diff --git a/pkgs/applications/graphics/ImageMagick/default.nix b/pkgs/applications/graphics/ImageMagick/default.nix
index 6957002f6e8..b97eb5a6580 100644
--- a/pkgs/applications/graphics/ImageMagick/default.nix
+++ b/pkgs/applications/graphics/ImageMagick/default.nix
@@ -24,6 +24,8 @@ stdenv.mkDerivation rec {
     sha256 = "0q19jgn1iv7zqrw8ibxp4z57iihrc9kyb09k2wnspcacs6vrvinf";
   };
 
+  patches = [ ./imagetragick.patch ];
+
   outputs = [ "out" "doc" ];
 
   enableParallelBuilding = true;
diff --git a/pkgs/applications/graphics/ImageMagick/imagetragick.patch b/pkgs/applications/graphics/ImageMagick/imagetragick.patch
new file mode 100644
index 00000000000..bdb152dd23a
--- /dev/null
+++ b/pkgs/applications/graphics/ImageMagick/imagetragick.patch
@@ -0,0 +1,15 @@
+diff --git a/config/policy.xml b/config/policy.xml
+index ca3b022..b058c05 100644
+--- a/config/policy.xml
++++ b/config/policy.xml
+@@ -58,4 +58,10 @@
+   <!-- <policy domain="resource" name="time" value="3600"/> -->
+   <!-- <policy domain="system" name="precision" value="6"/> -->
+   <policy domain="cache" name="shared-secret" value="passphrase"/>
++
++  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
++  <policy domain="coder" rights="none" pattern="URL" />
++  <policy domain="coder" rights="none" pattern="HTTPS" />
++  <policy domain="coder" rights="none" pattern="MVG" />
++  <policy domain="coder" rights="none" pattern="MSL" />
+ </policymap>