From decc3481323de4f6e4b27d60251a7d848f549bd9 Mon Sep 17 00:00:00 2001 From: rhamaa Date: Thu, 17 Jan 2019 07:19:19 +0800 Subject: [PATCH 1/3] Escape string against shell command inject --- Command.php | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/Command.php b/Command.php index a5a19ee..7fb3e29 100644 --- a/Command.php +++ b/Command.php @@ -223,13 +223,9 @@ public function getCommand(): string /** * Escapes a string in order to inject it in the shell command. */ - public function escape(string $string, bool $addQuotes = true): string + public function escape(string $string, bool $addQuotes = false): string { - $string = str_replace( - ['"', '`', '’', '\\\''], - ['\"', "'", "'", "'"], - trim($string) - ); + $string = escapeshellarg($string); return $addQuotes ? '"'.$string.'"' : $string; } From 20f171e13c14e7ef105113945cc7d5e01696680d Mon Sep 17 00:00:00 2001 From: rhamaa Date: Thu, 17 Jan 2019 23:50:43 +0800 Subject: [PATCH 2/3] Fix test case --- Command.php | 4 ++-- Tests/CommandTest.php | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Command.php b/Command.php index 7fb3e29..3377bf7 100644 --- a/Command.php +++ b/Command.php @@ -223,11 +223,11 @@ public function getCommand(): string /** * Escapes a string in order to inject it in the shell command. */ - public function escape(string $string, bool $addQuotes = false): string + public function escape(string $string): string { $string = escapeshellarg($string); - return $addQuotes ? '"'.$string.'"' : $string; + return $string; } /** diff --git a/Tests/CommandTest.php b/Tests/CommandTest.php index 0fa9936..c2efd05 100644 --- a/Tests/CommandTest.php +++ b/Tests/CommandTest.php 
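Review bot: The new body of escape() drops the `trim($string)` the replaced implementation applied, so a value such as `' 80x80 '` now reaches the shell with its padding intact inside the quotes, which silently changes what callers that relied on the trimming get; if that is intended, say so in the docblock, otherwise use `$string = escapeshellarg(trim($string));`. escapeshellarg() is also platform- and locale-dependent: on Windows it wraps the argument in double quotes and replaces `%`, `!` and `"` with spaces, and on POSIX it can drop bytes that are not valid in the process's LC_CTYPE locale, so non-ASCII file names may be truncated under the default C locale — a comment such as `// Result is already quoted; see escapeshellarg() for the Windows and locale caveats` would warn callers. With `$addQuotes = true` the result is additionally wrapped in `"…"`, giving `"'x'"`, which makes the shell hand the literal single quotes to the program; the second patch in this series removes that flag.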
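Review bot: The docblock above the rewritten escape() still reads `Escapes a string in order to inject it in the shell command`, but the return value is now already quoted by escapeshellarg(), and the expectation in the third patch shows getCommand() still wrapping other arguments in literal `"…"`, so callers need to be told not to quote this result a second time. I would replace it with `Quotes one shell argument via escapeshellarg(); the result is already quoted and must be concatenated as-is, never wrapped in further quotes.` The two-statement body can collapse to `return escapeshellarg($string);`. Removing the `$addQuotes` parameter does not break existing call sites, since PHP ignores surplus arguments to userland functions, but the flag they pass is now silently discarded — worth a line in the changelog.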
@@ -197,13 +197,13 @@ public function testInexistingFiles() public function testEscape() { - $string = 'PSR\'s a great `code` style standard. '; + $string = '25% $(touch hacked) #'; $command = new Command(IMAGEMAGICK_DIR); - $escaped = $command->escape($string, true); + $escaped = $command->escape($string); - $this->assertEquals('"PSR\'s a great \'code\' style standard."', $escaped); + $this->assertEquals("'25% $(touch hacked) #'", $escaped); } } From 1dd72d634a208ccbe99e21f6a5d42f23a17c4946 Mon Sep 17 00:00:00 2001 From: rhamaa Date: Fri, 18 Jan 2019 00:29:50 +0800 Subject: [PATCH 3/3] Fix test case 2 --- Tests/CommandTest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Tests/CommandTest.php b/Tests/CommandTest.php index c2efd05..c52d108 100644 --- a/Tests/CommandTest.php +++ b/Tests/CommandTest.php @@ -153,7 +153,7 @@ public function testCommandString($source, $output, $geometry, $quality) $expected = ' '.$command->getExecutable('convert'). ' "'.$source.'"'. - ' -thumbnail "'.$geometry.'"'. + ' -thumbnail \''.$geometry.'\''. ' -quality '.$quality. ' "'.$output.'" ';
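Review bot: The new expectation `"'25% $(touch hacked) #'"` hard-codes POSIX quoting, so this test fails on Windows, where escapeshellarg() wraps in double quotes and turns `%` and `!` into spaces; either mark the test POSIX-only or derive the expectation from the same primitive, `$this->assertSame(escapeshellarg($string), $escaped);`, which then pins escape() as a thin wrapper. The replaced input was the one that exercises the quoting rule that matters — an embedded single quote — and the new input contains none, so please keep a case such as `$this->assertSame("'PSR'\\''s'", $command->escape("PSR's"));`. `assertSame` is the right assertion for a string result; `assertEquals` tolerates type juggling.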
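Review bot: The updated expectation still embeds `$source` and `$output` inside literal `"…"` while only `$geometry` gets escapeshellarg()'s single quotes, so as far as this test shows the file paths are not routed through escape(); if getCommand() (outside this hunk) builds them by concatenation the way the expectation implies, a path containing `"` or `$(…)` is still injectable and the first patch does not cover it. Please pass source and output through escape() too and change the expectation to `' '.escapeshellarg($source).` and `' '.escapeshellarg($output).` accordingly. Independently, `' -thumbnail \''.$geometry.'\''.` hard-codes POSIX quoting and fails on Windows where escapeshellarg() uses double quotes; `' -thumbnail '.escapeshellarg($geometry).` keeps the test portable. The enclosing testCommandString() starts before this hunk and continues past it.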