Commit 30fa8ba8c for imagemagick.org

commit 30fa8ba8cfaf5bebf8035ed4b87f8e9766238fe7
Author: Cristy <urban-warrior@imagemagick.org>
Date:   Thu Feb 5 08:04:10 2026 -0500

    protect against relative paths

diff --git a/config/policy-secure.xml b/config/policy-secure.xml
index bc2763b72..87b20334f 100644
--- a/config/policy-secure.xml
+++ b/config/policy-secure.xml
@@ -93,6 +93,8 @@
   <policy domain="path" rights="none" pattern="fd:*"/>
   <!-- don't read sensitive paths. -->
   <policy domain="path" rights="none" pattern="/etc/*"/>
+  <!-- Relative paths are not permitted. -->
+  <policy domain="path" rights="none" pattern="\.\.\/"/>
   <!-- Indirect reads are not permitted. -->
   <policy domain="path" rights="none" pattern="@*"/>
   <!-- These image types are security risks on read, but write is fine -->
diff --git a/config/policy-websafe.xml b/config/policy-websafe.xml
index 9c7a5b8c9..48eca735d 100644
--- a/config/policy-websafe.xml
+++ b/config/policy-websafe.xml
@@ -89,6 +89,8 @@
   <policy domain="path" rights="none" pattern="fd:*"/>
   <!-- don't read sensitive paths. -->
   <policy domain="path" rights="none" pattern="/etc/*"/>
+  <!-- Relative paths are not permitted. -->
+  <policy domain="path" rights="none" pattern="\.\.\/"/>
   <!-- Indirect reads are not permitted. -->
   <policy domain="path" rights="none" pattern="@*"/>
   <!-- Deny all image modules and specifically exempt reading or writing