Trouble with batch conversion of .png to .pdf using convert
Solution 1
convert
is a powerful command line tool to convert graphics. Its support for PDF is provided by Ghostscript. Because of a significant security hole in Ghostscript prior to version 9.24, use of convert
on PDF files has been blocked as a stopgap. The issue has been fixed since Ghostscript version 9.24. While Ghostscript versions are updated to secure versions in all supported Ubuntu versions (at this time from Ubuntu 16.04 onwards), the usage restriction may still be in place.
The policy file is /etc/ImageMagick-6/policy.xml
. You may edit that file as root user to change the policies.
Eliminating all usage restrictions
For desktop users not running a webserver, simply eliminating these restrictions might be good enough. To that aim, one may delete the file, but it is better practice to "move the file out" by renaming it. With this command, you are renaming the file. As a result, all policies are lifted, but you still can revert if needed:
sudo mv /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xmlout
To revert to the original situation, just rename back to the original name:
sudo mv /etc/ImageMagick-6/policy.xmlout /etc/ImageMagick-6/policy.xml
Be well aware that moving the policy file out decreases system security.
Eliminating only the restriction to combine into PDF
For your specific case, gene_wood in a comment pointed to the posibility to selectively relax the policy for working with PDF files by commenting out one line:
<policy domain="coder" rights="none" pattern="PDF" />
Edit the file, and place comment marks around this line to disable this rule:
<!-- <policy domain="coder" rights="none" pattern="PDF" /> -->
If you do not want to eliminate all security policies, this is the way to go.
Solution 2
As vanadium posted, you have to change the ImageMagick policy.
sudo vim /etc/ImageMagick-6/policy.xml
and replace the line
<policy domain="coder" rights="none" pattern="PDF" />
with
<policy domain="coder" rights="read|write" pattern="PDF" />
If you only want to allow write, and not read, you can also erase the read|
part in the line above.
BTW, for those who are interested about the ImageMagick vulnerability, here are 2 informational links:
- https://www.enisa.europa.eu/publications/info-notes/what2019s-behind-imagemagick-vulnerability
- https://security.stackexchange.com/questions/122328/how-to-prevent-the-latest-imagemagick-vulnerability
Solution 3
Rather than re-loosening ImageMagick's security restrictions, I'd just use img2pdf.
It's specifically designed for this kind of use-case.
You should use img2pdf if your priorities are (in this order):
- always lossless: the image embedded in the PDF will always have the exact same color information for every pixel as the input
- small: if possible, the difference in filesize between the input image and the output PDF will only be the overhead of the PDF container itself
- fast: if possible, the input image is just pasted into the PDF document as-is without any CPU hungry re-encoding of the pixel data
Conventional conversion software (like ImageMagick) would either:
- not be lossless because lossy re-encoding to JPEG
- not be small because using wasteful flate encoding of raw pixel data
- not be fast because input data gets re-encoded
Another advantage of not having to re-encode the input (in most common situations) is, that img2pdf is able to handle much larger input than other software, because the raw pixel data never has to be loaded into memory.
This should be the equivalent command:
img2pdf --out myfile.pdf /home/bill/TempScan/*.png
If, for some reason, you can't do that (eg. can't install new packages), another potential avenue for lossless conversion would be to convert
your images into a multi-page TIFF file and then use tiff2pdf
from the libtiff tools.
Solution 4
Solution of abu_bua's solution really worked well for me. For convenience here in one command line with sed
:
sudo sed -i 's/rights="none" pattern="PDF"/rights="read|write" pattern="PDF"/g' /etc/ImageMagick-6/policy.xml
Solution 5
Here's an even more convenient way that automatically gets the location(s) of the policy.xml file(s) and performs the search/replace on them all:
for file in `convert -list policy | grep "Path:" | grep -v built | sed 's/Path: \(.*\)/\1/g'`; do sed -i 's/domain="coder" rights="none" pattern="PDF"/domain="coder" rights="read|write" pattern="PDF"/g' $file; done
Related videos on Youtube
bill-lancaster
Updated on September 18, 2022Comments
-
bill-lancaster over 1 year
convert /home/bill/TempScan/*.png myfile.pdf
gives error message:
convert-im6.q16: not authorized `myfile.pdf' @ error/constitute.c/WriteImage/1037.
Any help would be appreciated!
-
Admin about 4 yearsYou should remove the word batch from the title. Google directs to the duplicate askubuntu.com/questions/1127260/imagemagick-convert-not-allowed with common search terms.
-
Admin almost 2 years
-
Admin almost 2 yearsIf you convert a GIF to a JPG and face the error message, you have to remove the
-write
command. See details in the imagemagick forum at legacy.imagemagick.org/discourse-server/viewtopic.php?t=36460
-
-
bill-lancaster over 5 yearsThanks vanadium, I renamed the file as suggested and it worked a treat.
-
gene_wood over 5 yearsI went into the
policy.xml
file and found the line that was preventing me from combiningpng
files intopdf
s and commented it out. That line was<policy domain="coder" rights="none" pattern="PDF" />
if you'd like to leave the other rules intact but allow working withpdf
s. -
vanadium over 5 years@gene_wood, thank you: I added to the post because it provides more insight and options for users wanting to be more careful in eliminating restrictions.
-
Geppettvs D'Constanzo over 5 yearsOk, this works in Ubuntu 18.04 with imagemagick 8:6.9.7.4+dfsg-16ubuntu6.4. Thank you.
-
The Ledge about 5 yearsThe second method worked for me, but the first didn't.
-
qwertz about 4 yearsAm I the only one thinking enabling this "feature" by default is pretty stupid? Reminds me of the automatically turned on "magic quotes" in earlier versions of php..
-
vanadium about 4 years@qwertz Apparently, they did that because of a vulnerability bug in Ghostscript, which now should be solved. So possibly, this restriction on convert (which uses Ghostscript for this) will not be set anymore in future Ubuntu versions.
-
sudodus almost 4 years+1 for good workarounds to avoid ImageMagick's security restrictions :-)
-
Francisco Luz over 3 yearsShort and straight to the point. Great answer.
-
equivalent8 over 3 yearsone more link to this security issue cromwell-intl.com/open-source/pdf-not-authorized.html but in this article Author states that "PostScript defines a language with unfixable security problems." and "On a server that allows untrusted users to upload data for processing, ImageMagick should have PostScript and PDF disabled" worth reading