Parsing a convert command for input to shell (blockin inject


Re: Parsing a convert command for input to shell (blockin inject

Post by anthony »

In a word... Don't.
IM can have a number of nasty things that could let users do things you may not want them to do... for example

    convert text:/etc/passwd  image.gif

However, you can allow them access to specific options, so you can control and restrict exactly what arguments the user can use. Quite a number of web applications do that type of thing already. Just make sure numbers are numbers and strings are strings.

For one example see http://interactimage.com/

HINT: in label: and caption: you can feed the string to IM as a stream of characters using '@-' or '@filename'. IM will treat such file inputs as literal and NOT allow any special escaping. This was provided specifically for this reason.
Anthony Thyssen -- Webmaster for ImageMagick Example Pages
https://imagemagick.org/Usage/
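
The advice in the post above, as an added example that is not part of the original post and not ImageMagick's own code: a Python builder that accepts only a fixed set of options, checks that numbers are numbers and strings match a strict pattern, and hands the user's text to IM on stdin through `label:@-` instead of the command line. The option set, the limits and the function names are assumptions made for this example.

```python
import re
import subprocess

# Assumed policy for this example: the only settings a user may influence.
ALLOWED_FORMATS = {"png", "gif", "jpeg"}
HEX_COLOUR = re.compile(r"#[0-9a-fA-F]{6}")
MAX_DIM, MAX_POINTSIZE, MAX_TEXT_BYTES = 2000, 200, 2000


def _bounded_int(value, low, high, name):
    """Numbers are numbers: accept only plain decimal digits inside a range."""
    s = str(value)
    if not (s.isascii() and s.isdigit()) or not low <= int(s) <= high:
        raise ValueError(f"bad {name}")
    return int(s)


def build_label_command(params, text):
    """Return (argv, stdin_bytes) for a label render, or raise ValueError."""
    unknown = set(params) - {"width", "height", "pointsize", "fill", "format"}
    if unknown:
        raise ValueError(f"unsupported option(s): {sorted(unknown)}")
    width = _bounded_int(params.get("width", 320), 1, MAX_DIM, "width")
    height = _bounded_int(params.get("height", 100), 1, MAX_DIM, "height")
    pointsize = _bounded_int(params.get("pointsize", 24), 1, MAX_POINTSIZE, "pointsize")
    fill = str(params.get("fill", "#000000"))
    if not HEX_COLOUR.fullmatch(fill):
        raise ValueError("bad fill")
    fmt = str(params.get("format", "png"))
    if fmt not in ALLOWED_FORMATS:
        raise ValueError("bad format")
    data = text.encode("utf-8")
    if not data or len(data) > MAX_TEXT_BYTES:
        raise ValueError("bad text length")
    # Every argv element is built by the server; the user text is not among
    # them. It reaches IM on stdin through label:@-, as the post suggests.
    argv = ["convert", "-size", f"{width}x{height}", "-pointsize", str(pointsize),
            "-fill", fill, "label:@-", f"{fmt}:-"]
    return argv, data


def render_label(params, text):
    """Run convert without a shell and return the encoded image bytes."""
    argv, data = build_label_command(params, text)
    done = subprocess.run(argv, input=data, capture_output=True, check=True, timeout=10)
    return done.stdout
```

`render_label` needs ImageMagick's `convert` on the PATH; `build_label_command` can be exercised without it.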