Mirror of https://git.asonix.dog/asonix/pict-rs.git (synced 2025-01-22 09:18:08 +00:00)

# pict-rs 0.5.5

## Overview

pict-rs 0.5.5 adds a bugfix for uploading images with trailing bytes and a few new features for
advanced deployments.

### Features

- [Imagemagick Security Policy Configuration](#imagemagick-security-policy-configuration)
- [Serving with TLS](#serving-with-tls)


### Bugfixes

- [Broken Pipe Error](#broken-pipe-error)


## Upgrade Notes

There are no significant changes from 0.5.4, so upgrading should be as simple as pulling a new
version of pict-rs.


## Descriptions

### Imagemagick Security Policy Configuration

pict-rs now supports configuring the imagemagick security policy via the pict-rs.toml file,
environment variables, or the commandline. The security policy defines the boundaries that
imagemagick will operate within, and will allow it to abort processing media that would exceed
those boundaries.

Currently, there are only a few items that can be configured.
```toml
# pict-rs.toml
[media.magick]
max_width = 10000
max_height = 10000
max_area = 40000000
```
```bash
# environment variables
PICTRS__MEDIA__MAGICK__MAX_WIDTH=10000
PICTRS__MEDIA__MAGICK__MAX_HEIGHT=10000
PICTRS__MEDIA__MAGICK__MAX_AREA=40000000
```
```bash
# commandline
pict-rs run \
    --media-magick-max-width 10000 \
    --media-magick-max-height 10000 \
    --media-magick-max-area 40000000
```

It will also apply the configured `process_timeout` to the security policy.


### Serving with TLS

pict-rs can now be configured to serve itself over TLS if provided with a server key and a server
certificate. This is for more advanced deployments that have Certificate Authority infrastructure in
place. When serving over TLS, downstream services need to be configured to access pict-rs over TLS.

```toml
# pict-rs.toml
[server]
certificate = "/path/to/server.crt"
private_key = "/path/to/server.key"
```
```bash
# environment variables
PICTRS__SERVER__CERTIFICATE=/path/to/server.crt
PICTRS__SERVER__PRIVATE_KEY=/path/to/server.key
```
```bash
# commandline
pict-rs run \
    --certificate /path/to/server.crt \
    --private-key /path/to/server.key
```


### Broken Pipe Error

In previous 0.5 releases with the default configurations, it was possible for valid images to fail
to upload if they contained excess trailing bytes. This was caused by exiftool completing metadata
processing on the image bytes before pict-rs had written the entire buffer to exiftool's stdin. The
fix was to simply treat the case of stdin closing early as a success, rather than a failure. In the
event there was actually an error in exiftool, the command will fail and pict-rs will return a
proper status error instead.
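
The behaviour described above, as an added Rust example that is not pict-rs's own code: a broken pipe while writing to the child's stdin is tolerated, and the child's exit status decides the outcome. The names `feed` and `sample_input`, and the use of `head` and `sh` as stand-ins for exiftool, are assumptions of this example.

```rust
use std::io::{self, ErrorKind, Write};
use std::process::{Command, Stdio};

/// Hypothetical helper: pipe `input` to a child's stdin. Returns Ok(true) when the
/// child closed stdin before everything was written, Ok(false) when it read it all.
pub fn feed(program: &str, args: &[&str], input: &[u8]) -> io::Result<bool> {
    let mut child = Command::new(program)
        .args(args)
        .stdin(Stdio::piped())
        .stdout(Stdio::null())
        .stderr(Stdio::null())
        .spawn()?;

    let mut stdin = child.stdin.take().expect("stdin was piped");
    let closed_early = match stdin.write_all(input) {
        Ok(()) => false,
        // The reader went away mid-write: not a failure by itself.
        Err(e) if e.kind() == ErrorKind::BrokenPipe => true,
        Err(e) => {
            let _ = child.kill();
            let _ = child.wait();
            return Err(e);
        }
    };
    drop(stdin); // EOF for a child that is still reading

    // The exit status decides success or failure.
    let status = child.wait()?;
    if !status.success() {
        let msg = format!("{program} failed: {status}");
        return Err(io::Error::new(ErrorKind::Other, msg));
    }
    Ok(closed_early)
}

/// Constructed input: 4 "image" bytes followed by 4 MiB of trailing zero bytes.
pub fn sample_input() -> Vec<u8> {
    let mut buf = b"IMG!".to_vec();
    buf.resize(4 + 4 * 1024 * 1024, 0);
    buf
}

fn main() {
    let input = sample_input();
    // `head -c 4` stands in for a tool that finishes after reading what it needs.
    println!("early exit, status 0: {:?}", feed("head", &["-c", "4"], &input));
    // `sh -c "exit 3"` stands in for a tool that actually fails.
    println!("early exit, status 3: {:?}", feed("sh", &["-c", "exit 3"], &input));
}
```

The trailing bytes are sized well past a typical pipe buffer so the write is still in progress when the child exits.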