
escape filenames passed on to exec(); fixes SEC-CORE-007

1 parent c06c55b commit 95c134e9e087f3c4523fe6cd86ed4e9e1e7af91c @WanWizard WanWizard committed Sep 27, 2016
Showing with 18 additions and 18 deletions.
  1. +18 −18 classes/image/imagemagick.php
@@ -46,15 +46,15 @@ public function load($filename, $return_data = false, $force_extension = false)
{
throw new \RuntimeException("Could not write in the temp directory.");
}
- $this->exec('convert', '"'.$image_fullpath.'"[0] "'.$this->image_temp.'"');
+ $this->exec('convert', "'".$image_fullpath."'[0] '".$this->image_temp."'");
return $this;
}
protected function _crop($x1, $y1, $x2, $y2)
{
extract(parent::_crop($x1, $y1, $x2, $y2));
- $image = '"'.$this->image_temp.'"';
+ $image = "'".$this->image_temp."'";
$this->exec('convert', $image.' -crop '.($x2 - $x1).'x'.($y2 - $y1).'+'.$x1.'+'.$y1.' +repage '.$image);
$this->clear_sizes();
}
@@ -63,7 +63,7 @@ protected function _resize($width, $height = null, $keepar = true, $pad = true)
{
extract(parent::_resize($width, $height, $keepar, $pad));
- $image = '"'.$this->image_temp.'"';
+ $image = "'".$this->image_temp."'";
$this->exec('convert', "-define png:size=".$cwidth."x".$cheight." ".$image." ".
"-background none ".
"-resize \"".($pad ? $width : $cwidth)."x".($pad ? $height : $cheight)."!\" ".
@@ -76,7 +76,7 @@ protected function _rotate($degrees)
{
extract(parent::_rotate($degrees));
- $image = '"'.$this->image_temp.'"';
+ $image = "'".$this->image_temp."'";
$this->exec('convert', $image." -background none -virtual-pixel background +distort ScaleRotateTranslate ".$degrees." +repage ".$image);
$this->clear_sizes();
@@ -100,7 +100,7 @@ protected function _flip($direction)
default: return false;
}
- $image = '"'.$this->image_temp.'"';
+ $image = "'".$this->image_temp."'";
$this->exec('convert', $image.' '.$arg.' '.$image);
}
@@ -116,7 +116,7 @@ protected function _watermark($filename, $position, $padding = array(5,5))
$x >= 0 and $x = '+'.$x;
$y >= 0 and $y = '+'.$y;
- $image = '"'.$this->image_temp.'"';
+ $image = "'".$this->image_temp."'";
$this->exec(
'composite',
'-compose atop -geometry '.$x.$y.' '.
@@ -129,7 +129,7 @@ protected function _border($size, $color = null)
{
extract(parent::_border($size, $color));
- $image = '"'.$this->image_temp.'"';
+ $image = "'".$this->image_temp."'";
$color = $this->create_color($color, 100);
$command = $image.' -compose copy -bordercolor '.$color.' -border '.$size.'x'.$size.' '.$image;
$this->exec('convert', $command);
@@ -141,8 +141,8 @@ protected function _mask($maskimage)
{
extract(parent::_mask($maskimage));
- $mimage = '"'.$maskimage.'"';
- $image = '"'.$this->image_temp.'"';
+ $mimage = "'".$maskimage."'";
+ $image = "'".$this->image_temp."'";
$command = $image.' '.$mimage.' +matte -compose copy-opacity -composite '.$image;
$this->exec('convert', $command);
}
@@ -158,7 +158,7 @@ protected function _rounded($radius, $sides, $antialias = 0)
{
extract(parent::_rounded($radius, $sides, null));
- $image = '"'.$this->image_temp.'"';
+ $image = "'".$this->image_temp."'";
$r = $radius;
$command = $image." \\( +clone -alpha extract ".
( ! $tr ? '' : "-draw \"fill black polygon 0,0 0,$r $r,0 fill white circle $r,$r $r,0\" ")."-flip ".
@@ -171,7 +171,7 @@ protected function _rounded($radius, $sides, $antialias = 0)
protected function _grayscale()
{
- $image = '"'.$this->image_temp.'"';
+ $image = "'".$this->image_temp."'";
$this->exec('convert', $image." -colorspace Gray ".$image);
}
@@ -188,7 +188,7 @@ public function sizes($filename = null, $usecache = true)
$filename = $this->image_temp;
}
- $output = $this->exec('identify', '-format "%w %h" "'.$filename.'"[0]');
+ $output = $this->exec('identify', "-format '%w %h' '".$filename."'[0]");
list($width, $height) = explode(" ", $output[0]);
$return = (object) array(
'width' => $width,
@@ -217,12 +217,12 @@ public function save($filename = null, $permissions = null)
$this->add_background();
$filetype = $this->image_extension;
- $old = '"'.$this->image_temp.'"';
- $new = '"'.$filename.'"';
+ $old = "'".$this->image_temp."'";
+ $new = "'".$filename."'";
if(($filetype == 'jpeg' or $filetype == 'jpg') and $this->config['quality'] != 100)
{
- $quality = '"'.$this->config['quality'].'%"';
+ $quality = "'".$this->config['quality']."%'";
$this->exec('convert', $old.' -quality '.$quality.' '.$new);
}
else
@@ -245,11 +245,11 @@ public function output($filetype = null)
$this->run_queue();
$this->add_background();
- $image = '"'.$this->image_temp.'"';
+ $image = "'".$this->image_temp."'";
if(($filetype == 'jpeg' or $filetype == 'jpg') and $this->config['quality'] != 100)
{
- $quality = '"'.$this->config['quality'].'%"';
+ $quality = "'".$this->config['quality']."%'";
$this->exec('convert', $image.' -quality '.$quality.' '.strtolower($filetype).':-', true);
}
elseif (substr($this->image_temp, -1 * strlen($filetype)) != $filetype)
@@ -288,7 +288,7 @@ protected function add_background()
if ($this->config['bgcolor'] != null)
{
$bgcolor = $this->config['bgcolor'] == null ? '#000' : $this->config['bgcolor'];
- $image = '"'.$this->image_temp.'"';
+ $image = "'".$this->image_temp."'";
$color = $this->create_color($bgcolor, 100);
$sizes = $this->sizes();
$command = '-size '.$sizes->width.'x'.$sizes->height.' '.'canvas:'.$color.' '.
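Review bot: Replacing the double quotes with single quotes around `$image_fullpath` on the `+` line of the first hunk (load()) does not escape the value, so a path that itself contains a single quote still ends the quoted argument and whatever follows is interpreted by the shell, assuming `$this->exec()` hands the assembled string to one as the quoting implies; the commit title says "escape", but no escaping is added. The same applies to `$this->image_temp` in every other hunk, `$maskimage` in _mask(), `$filename` in sizes() and save(), and the quality value in save() and output(). Building each operand with `escapeshellarg()` closes the gap while keeping the frame selector outside the quotes: `$this->exec('convert', escapeshellarg($image_fullpath).'[0] '.escapeshellarg($this->image_temp));` in load(), and `$image = escapeshellarg($this->image_temp);` in place of the hand-built `"'".$this->image_temp."'"` elsewhere. load() starts before the hunk, so whether the path is validated earlier is not visible here; escaping at the exec call is the right control regardless.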
