Protecting against user injection, running imagemagik from through command line

118 views Asked by At

I'm developing a web app where users will supply UTF8 text that will be rendered onto images using imagemagik. I'm calling the convert command through PHP's shell execute command.

I'm not well versed on sanitizing user input (for injection) for command line operations and have been having trouble finding resources about my exact situation.

The following article sounds like I don't have much to worry about if the user input is entirely enclosed in quotes in the bash command:

Sanitize user input in bash for security purposes

So my question is, what do I need to worry about for user sanitation/escaping in the following usage

    <?php

    //GET USER SUPPLIED POST DATA
    $user_input = $_POST['text'];

    //CALL IMAGEMAGIK VIA COMMAND LINE TO RENDER IMAGE
    exec("convert -pointsize 50 -draw 'text 50,50 \"".$user_input."\" ' /source.png /output.png");

EDIT: Since posting I realized I should just be running imagemagick as an installed library in php... so now I guess, same question, but using the php object methods.

1

There are 1 answers

0
rostok On

You can always put user input to a text file and then use @ filename prefix to read it. This way it won't make into a command line ever.

$user_input = addslashes($user_input);
file_put_contents("input.txt", "text 50,50 $user_input");
exec("convert -pointsize 50 -draw @input.txt /source.png /output.png");