EXEC or Imagick? - Safer and Faster

IMagick is a native PHP extension to create and modify images using the ImageMagick API. ImageMagick Studio LLC did not write nor does it maintain the IMagick extension, however, IMagick users are welcome to discuss the extension here.
agriz
Posts: 237
Joined: 2011-10-01T02:21:30-07:00
Authentication code: 8675308

EXEC or Imagick? - Safer and Faster

Post by agriz »

I was searching about Imagick and Exec.

Many people say that exec is not secure and should not be used.
On the other hand, does Imagick have all the options which can be directly run with EXEC?
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: EXEC or Imagick? - Safer and Faster

Post by fmw42 »

Imagick currently is missing quite a few newer features of Imagemagick and a few older features.
agriz
Posts: 237
Joined: 2011-10-01T02:21:30-07:00
Authentication code: 8675308

Re: EXEC or Imagick? - Safer and Faster

Post by agriz »

Can you tell me how to safely use exec with php?

I read the following on the internet:
You cannot limit PHP exec function's commands to be executed. Also even if you do some string checking for exec to have "convert" command, I'll be able to execute my command like this:

"convert img.jpg img.png ; id ; ls -al ; wget ....."
So it's not a solution.
fmw42
Posts: 25562
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: EXEC or Imagick? - Safer and Faster

Post by fmw42 »

Sorry, I do not know. If you have control of the exec command, how will those other commands get into your command? Presumably, you are only letting some user provide images to the commands and I assume you check the validity of the images before you run the exec via built-in PHP. So I do not see the issue. If no one but you runs the PHP exec, then you have full control and those other commands will not get into it. But I do not use PHP exec that often, so am not an expert on that.

If you are still concerned, then just use Imagick. It probably has 95% of the functionality of Imagemagick.
Bonzo
Posts: 2971
Joined: 2006-05-20T08:08:19-07:00
Location: Cambridge, England

Re: EXEC or Imagick? - Safer and Faster

Post by Bonzo »

I use Imagemagick with exec() as I find Imagick a pain. I suppose if I spent some time learning it that would not be a problem.

You should validate any user input with both Imagemagick and Imagick. You can carry out some security features to prevent bad code being run via exec().

I did some tests a few years ago and in some cases Imagick is faster than Imagemagick but sometimes it is the other way around.

It is easier to build a complicated command in Imagemagick.

As said, Imagick does not have all the options IM does.

Imagick is not well supported and can be hard to install.

Imagick supposedly has some extra security built in.

All in all, for speed you should do some tests using your actual commands and images. For security you should have a look around and see what is recommended for file uploads. For a start:
Check the file is an image file
Rename and move the file during upload
Prevent php being run in the same folder as the uploaded file

When it comes down to it if somebody wanted to hack your server there are probably other ways than just exec()
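
Added example, not part of the original thread or any poster's code: the upload checks listed above combined with a fixed `convert` command in PHP, so that user-supplied text is never parsed by the shell. The upload directory, the allowed types, the width limit and all function names are assumptions.

```php
<?php
// Assumed location: a directory in which the web server does not execute PHP.
const UPLOAD_DIR = '/var/www/uploads';

// Check the file is an image, then rename and move it.
// Returns the new server-side path, or null if the upload is rejected.
function accept_upload(string $tmpPath): ?string
{
    $allowed = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    $info = @getimagesize($tmpPath);           // false when the file is not a readable image
    if ($info === false || !isset($allowed[$info[2]])) {
        return null;
    }
    // The client's file name is discarded; the name on disk is random hex
    // plus an extension chosen from the detected type.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$info[2]];
    return move_uploaded_file($tmpPath, $dest) ? $dest : null;
}

// Build the command from fixed options; only the two paths and a clamped
// integer vary, and each path is quoted as a single shell argument.
function build_convert_command(string $src, string $dst, int $width): string
{
    $width = max(1, min($width, 4000));        // assumed upper limit
    return 'convert ' . escapeshellarg($src)
         . ' -resize ' . $width . 'x '
         . escapeshellarg($dst);
}

// Run the conversion and report failure through the exit status.
function make_thumbnail(string $src, int $width): ?string
{
    $dst = preg_replace('/\.\w+$/', '', $src) . '_thumb.png';
    exec(build_convert_command($src, $dst, $width), $output, $status);
    return $status === 0 ? $dst : null;
}

// Constructed input: the string quoted earlier in the thread. After
// escapeshellarg() the shell sees it as one (nonexistent) file name,
// so the ';' no longer separates commands.
$quoted = 'img.jpg img.png ; id ; ls -al';
echo build_convert_command($quoted, 'out.png', 200), PHP_EOL;
```

In normal use `make_thumbnail()` only ever receives the path returned by `accept_upload()`, so nothing typed by the user reaches the command line at all; the escaping is a second layer.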
agriz
Posts: 237
Joined: 2011-10-01T02:21:30-07:00
Authentication code: 8675308

Re: EXEC or Imagick? - Safer and Faster

Post by agriz »

Thanks for the advice :)