Escape string against shell command inject

[mfakbar127]

Using escapeshellarg() instead escape hard filter.

Here is the test.

<?php

function escape($string,$addQuotes = true)
{
        $string = str_replace(
            ['"', '`', '’', '\\\''],
            ['\"', "'", "'", "'"],
            trim($string)
        );
        return $addQuotes ? '"'.$string.'"' : $string;
}

function escape_safe($string,$addQuotes = false)
{
 		$string = escapeshellarg($string);
        return $addQuotes ? '"'.$string.'"' : $string;
}

$cmd = '$(uname -a)';

$escape_cmd = escape($cmd);
$command = "/usr/bin/convert logo.png -resize " . $escape_cmd . " result.png";
echo $command . PHP_EOL;
echo exec($command);

echo "\n\n";

$escape_cmd = escape_safe($cmd);
$command = "/usr/bin/convert logo.png -resize " . $escape_cmd . " result.png";
echo $command . PHP_EOL;
echo exec($command);

[Pierstoval]

Fine for me, can you fix the tests?

[mfakbar127]

I dont understand, can you explain it ?

[Pierstoval]

The PHPUnit test suite is failing, this is due to the fact that some tests must be updated according to the change you made.

Run composer install on the project and then execute vendor/bin/phpunit to see what exact tests are failing 🙂

[mfakbar127]

In fact i dont install the project.
I just read source code of command.php, then i saw there is unsecure escape method in command class.
I think better to use escapeshellarg instead hard code escape.

[Pierstoval]

Yeah, you're right, but this breaks the phpunit tests...

Nevermind, I'll find some time soon and fix this myself..

[mfakbar127]

i already fixed phpunit test case issuein my latest commit.
hope you can fix your imagemagick compile issue

[Pierstoval]

I will take this PR and update it, thanks @rhamaa