Magick on tmp files, allow tmp files in policy

Cargo.lock

@@ -995,7 +995,7 @@ dependencies = [
 
 [[package]]
 name = "pict-rs"
-version = "0.3.0-alpha.15"
+version = "0.3.0-alpha.16"
 dependencies = [
  "actix-form-data",
  "actix-fs",

Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "pict-rs"
 description = "A simple image hosting service"
-version = "0.3.0-alpha.15"
+version = "0.3.0-alpha.16"
 authors = ["asonix <asonix@asonix.dog>"]
 license = "AGPL-3.0"
 readme = "README.md"

docker/dev/root/usr/local/lib/ImageMagick-7.1.0/config-Q16HDRI/policy.xml

@@ -1,20 +0,0 @@
-<policymap>
-    <policy domain="resource" name="memory" value="256MiB" />
-    <policy domain="resource" name="list-length" value="32" />
-    <policy domain="resource" name="width" value="10KP" />
-    <policy domain="resource" name="height" value="10KP" />
-    <policy domain="resource" name="map" value="512MiB" />
-    <policy domain="resource" name="area" value="16KP" />
-    <policy domain="resource" name="disk" value="1GiB" />
-    <policy domain="resource" name="file" value="768" />
-    <policy domain="resource" name="thread" value="2" />
-    <policy domain="coder" rights="none" pattern="*" />
-    <policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
-    <policy domain="filter" rights="none" pattern="*" />
-    <policy domain="path" rights="none" pattern="@*" />
-    <policy domain="delegate" rights="none" pattern="*" />
-    <policy domain="module" rights="none" pattern="*" />
-    <policy domain="module" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
-        <!-- indirect reads not permitted -->
-    <policy domain="system" name="precision" value="6" />
-</policymap>

docker/prod/root/usr/lib/ImageMagick-7.0.11/config-Q16HDRI/policy.xml

@@ -9,12 +9,12 @@
     <policy domain="resource" name="file" value="768" />
     <policy domain="resource" name="thread" value="2" />
     <policy domain="coder" rights="none" pattern="*" />
-    <policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
+    <policy domain="coder" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP,MP4,TMP}" />
     <policy domain="filter" rights="none" pattern="*" />
     <policy domain="path" rights="none" pattern="@*" />
     <policy domain="delegate" rights="none" pattern="*" />
     <policy domain="module" rights="none" pattern="*" />
-    <policy domain="module" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP}" />
+    <policy domain="module" rights="read | write" pattern="{GIF,JPEG,PNG,WEBP,MP4,TMP}" />
         <!-- indirect reads not permitted -->
     <policy domain="system" name="precision" value="6" />
 </policymap>

src/main.rs

@@ -400,7 +400,12 @@ async fn process(
         safe_create_parent(&thumbnail_path).await?;
 
         // apply chain to the provided image
-        magick::process_image(&original_path, &thumbnail_path, thumbnail_args, format).await?;
+        let dest_file = tmp_file();
+        let orig_file = tmp_file();
+        actix_fs::copy(original_path, orig_file.clone()).await?;
+        magick::process_image(&orig_file, &dest_file, thumbnail_args, format).await?;
+        actix_fs::remove_file(orig_file).await?;
+        actix_fs::rename(dest_file, thumbnail_path.clone()).await?;
 
         let details = if let Some(details) = details {
             details