douwuying4709 2015-06-14 23:48
Views: 149

Preventing user injection when running ImageMagick through the command line

I'm developing a web app where users will supply UTF8 text that will be rendered onto images using ImageMagick. I'm calling the convert command through PHP's shell execute command.

I'm not well versed on sanitizing user input (for injection) for command line operations and have been having trouble finding resources about my exact situation.

The following article sounds like I don't have much to worry about if the user input is entirely enclosed in quotes in the bash command:

Sanitize user input in bash for security purposes

So my question is, what do I need to worry about for user input sanitization/escaping in the following usage?

    <?php

    //GET USER SUPPLIED POST DATA
    $user_input = $_POST['text'];

    //CALL IMAGEMAGICK VIA COMMAND LINE TO RENDER IMAGE
    exec("convert -pointsize 50 -draw 'text 50,50 \"".$user_input."\" ' /source.png /output.png");

EDIT: Since posting I realized I should just be running imagemagick as an installed library in php... so now I guess, same question, but using the php object methods.


1 answer

  • dqmfo84644 2015-06-15 20:09

    You can always put user input into a text file and then use the @filename prefix to read it. This way it won't ever make it into a command line.

    <?php
    // Escape quotes and backslashes so the text cannot close the MVG string literal early
    $user_input = addslashes($user_input);
    // Write the whole draw primitive to a file; the text is double-quoted as the -draw syntax expects
    file_put_contents("input.txt", "text 50,50 \"$user_input\"");
    // convert reads the primitive from the file, so the user text never appears on the command line
    exec("convert -pointsize 50 -draw @input.txt /source.png /output.png");
    
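The following block is an added example for this thread, not the asker's or the answerer's code. It covers both routes the question raises: the `exec("convert ...")` call from the original post, rewritten so every argument goes through `escapeshellarg()`, and the Imagick object route from the EDIT. It also handles the part neither the shell nor the file trick addresses: ImageMagick itself treats a text argument that begins with `@` as a file to read and `%` as the start of a property escape, so that text is neutralised in both routes. The paths and the sample input are constructed for the demonstration.

```php
<?php
// Added example for this thread (not from the original post or answer).
// Two ways to hand untrusted text to ImageMagick without it ever being
// interpreted by /bin/sh, plus the escaping ImageMagick itself needs.

/**
 * Neutralise what ImageMagick (not the shell) interprets in a text string:
 * a leading '@' means "read the text from this file" and '%' starts a
 * property escape such as %f. The path policy `pattern="@*"` in policy.xml
 * also blocks the former; this check is belt and braces on top of it.
 */
function neutralise_magick_text(string $text): string
{
    if ($text !== '' && $text[0] === '@') {
        $text = ' ' . $text;                   // a leading space is enough to stop the file lookup
    }
    return str_replace('%', '%%', $text);      // "%%" renders as a literal '%'
}

/**
 * Build the MVG primitive  text x,y "string".  Inside the double-quoted MVG
 * literal, backslash and double quote are escaped with a backslash so the
 * input cannot close the literal and start a second drawing primitive.
 */
function build_draw_primitive(string $text, int $x = 50, int $y = 50): string
{
    $escaped = str_replace(['\\', '"'], ['\\\\', '\\"'], neutralise_magick_text($text));
    return sprintf('text %d,%d "%s"', $x, $y, $escaped);
}

/**
 * Route 1: still call convert, but wrap every argument with escapeshellarg().
 * The whole -draw value becomes one single-quoted shell word, so ; | ` $( )
 * and friends are ordinary characters to the shell.
 */
function build_convert_command(string $user_input, string $src, string $dst): string
{
    return 'convert -pointsize 50 -draw ' . escapeshellarg(build_draw_primitive($user_input))
         . ' ' . escapeshellarg($src) . ' ' . escapeshellarg($dst);
}

function render_via_exec(string $user_input, string $src, string $dst): int
{
    exec(build_convert_command($user_input, $src, $dst), $output, $status);
    return $status;                            // 0 on success
}

/**
 * Route 2: the Imagick extension. No shell is involved, so shell quoting is
 * irrelevant, but ImageMagick's own '@' and '%' handling still applies to
 * annotateImage(), which is why neutralise_magick_text() is used here too.
 */
function render_via_imagick(string $user_input, string $src, string $dst): void
{
    $image = new Imagick($src);
    $draw  = new ImagickDraw();
    $draw->setFontSize(50);
    $image->annotateImage($draw, 50, 50, 0, neutralise_magick_text($user_input));
    $image->writeImage($dst);
    $image->clear();
}

// Constructed hostile input: it tries to close the MVG literal and the shell
// word, then append a second command. Printing the built command shows that
// the whole -draw value stays inside one single-quoted argument.
$sample = 'hello"; echo injected #';
echo build_convert_command($sample, '/source.png', '/output.png'), PHP_EOL;
```

The two functions differ only in how the text reaches ImageMagick; the escaping of the text content is shared, because the `@` and `%` interpretation happens inside ImageMagick regardless of whether it was started from a shell or loaded as a PHP extension. If you keep the answerer's `-draw @input.txt` approach, apply `build_draw_primitive()` to what you write into the file for the same reason.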
