# pict-rs 0.5.5

## Overview

pict-rs 0.5.5 adds a bugfix for uploading images with trailing bytes and few new features for
advanced deployments.

### Features

- [Imagemagick Security Policy Configuration](#imagemagick-security-policy-configuration)
- [Serving with TLS](#serving-with-tls)


### Bugfixes

- [Broken Pipe Error](#broken-pipe-error)


## Upgrade Notes

There's no significant changes from 0.5.4, so upgrading should be as simple as pulling a new version
of pict-rs.


## Descriptions

### Imagemagick Security Policy Configuration

pict-rs now supports configuring the imagemagick security policy via the pict-rs.toml file,
environment variables, or via the commandline. The security policy defines the boundaries that
imagemagick will operate with, and will allow it to abort processing media that would exceed those
boundaries.

Currently, there are only a few items that can be configured.
```toml
# pict-rs.toml
[media.magick]
max_width = 10000
max_hight = 10000
max_area = 40000000
```
```bash
# environment variables
PICTRS__MEDIA__MAGICK__MAX_WIDTH=10000
PICTRS__MEDIA__MAGICK__MAX_HEIGHT=10000
PICTRS__MEDIA__MAGICK__MAX_AREA=40000000
```
```bash
# commandline
pict-rs run \
    --media-magick-max-width 10000 \
    --media-magick-max-height 10000 \
    --media-magick-max-aread 40000000
```

It will also apply the configured `process_timeout` to the security policy.


### Serving with TLS

pict-rs can now be configured to serve itself over TLS if provided with a server key and a server
certificate. This is for more advanced deployments that have Certificate Authority infrastructure in
place. When serving over TLS, downstream services need to be configured to access pict-rs over TLS.

```toml
# pict-rs.toml
[server]
certificate = "/path/to/server.crt"
private_key = "/path/to/server.key"
```
```bash
# environment variables
PICTRS__SERVER__CERTIFICATE=/path/to/server.crt
PICTRS__SERVER__PRIVATE_KEY=/path/to/server.key
```
```bash
# commandline
pict-rs run \
    --certificate /path/to/server.crt \
    --private-key /path/to/server.key
```


### Broken Pipe Error

In previous 0.5 releases with the default configurations, it was possible for valid images to fail
to upload if they contained excess trailing bytes. This was caused by exiftool completing metadata
processing on the image bytes before pict-rs had written the entire buffer to exiftool's stdin. The
fix was to simply treat the case of stdin closing early as a success, rather than a failure. In the
event there was actually an error in exiftool, the command will fail and pict-rs will return a
proper status error instead.