Text Escaping - Security??

Posted: 2016-08-31T07:23:50-07:00
by agriz
IM Version : 7.0.2

convert -size 500x400 xc:none -fill white -stroke black -pointsize 20 -gravity center -annotate 0  "Some Text" output.gif
It is working well.

I\'m a boy
\"I\" \'m a boy

These are working.

\"I\" \'m a boy %d ==>

I am getting only "I" 'm a boy in the image. %d is missing.
What characters should be escaped? What are the security problems if I miss an escape?

Re: Text Escaping - Security??

Posted: 2016-08-31T08:50:12-07:00
by agriz
Please give me the list of special characters

Re: Text Escaping - Security??

Posted: 2016-08-31T12:30:50-07:00
by snibgo
For % escapes, see http://www.imagemagick.org/script/escape.php . "%d" is the directory component of the given filename, so will often be blank.

For escapes generally, see http://www.imagemagick.org/Usage/text/#escape_chars

Re: Text Escaping - Security??

Posted: 2016-09-01T00:22:48-07:00
by agriz
Is it possible to break and hack my above command if I just escape single and double quotes?
How can I escape #?

I am not able to escape the following two special characters.
# and &

Re: Text Escaping - Security??

Posted: 2016-09-01T07:59:52-07:00
by snibgo
agriz wrote: I am not able to escape the following two special characters.
# and &
Those characters are not special, to ImageMagick. In bash, provided they are within quotes, there is no need to escape them.

Re: Text Escaping - Security??

Posted: 2016-09-01T08:16:52-07:00
by agriz
ok.

Another, final (might be :) ) problem.

"convert -size 500x400 xc:none -fill white -stroke black -pointsize 20 -gravity center -annotate 0 \"Some Text\" output.gif"
\"I\" \'m a boy => working (double quote is opened and closed, and it works)
\"I am boy => not working (double quote is opened and not closed; it does not work)

Re: Text Escaping - Security??

Posted: 2016-09-01T08:38:56-07:00
by snibgo
Please show the full commands you say are working or not working.

Re: Text Escaping - Security??

Posted: 2016-09-01T08:44:52-07:00
by agriz

$text = addslashes("I am a boy") => working;
$text = addslashes("I am a boy) => not working;

exec("convert -size 500x400 xc:none -fill white -stroke black -pointsize 20 -gravity center -annotate 0 \"".$text."\" output.gif");


Re: Text Escaping - Security??

Posted: 2016-09-01T09:16:20-07:00
by snibgo
agriz wrote: $text = addslashes("I am a boy)
Is this PHP? I suppose that is not a valid PHP statement.

Re: Text Escaping - Security??

Posted: 2016-09-01T18:48:39-07:00
by agriz
I was getting that text from $_REQUEST['text'].
That was not a valid PHP statement.

<input name="text" type="text" value=""I am a boy" />

$text = addslashes($_REQUEST['text']);
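As an added example (not code from this thread or from ImageMagick), this is how the command above can be built from untrusted request text without addslashes(): escapeshellarg() handles the shell side, and ImageMagick's own "%" escapes are neutralised separately. The function names are hypothetical, and prefixing a leading "@" with a space is an assumption about what this application can tolerate.

```php
<?php
// Added example: build the convert command from untrusted text safely.

function imagemagick_text(string $text): string
{
    // ImageMagick expands '%' escapes inside -annotate text; %d is the directory
    // part of the filename, which is why "%d" vanished in the thread.
    // A doubled "%%" renders as a literal percent sign.
    $text = str_replace('%', '%%', $text);

    // Text that starts with '@' tells ImageMagick to read the text from a file.
    // Assumption: a leading space is an acceptable workaround for this app;
    // rejecting such input is the stricter alternative.
    if ($text !== '' && $text[0] === '@') {
        $text = ' ' . $text;
    }
    return $text;
}

function build_convert_command(string $userText, string $outputFile): string
{
    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // single quotes, so ", ', #, &, $ and spaces reach convert as plain text.
    // addslashes() only backslashes quotes, backslashes and NUL bytes; it is
    // not a shell-quoting function and does not make exec() safe.
    $arg = escapeshellarg(imagemagick_text($userText));
    $out = escapeshellarg($outputFile);

    return 'convert -size 500x400 xc:none -fill white -stroke black -pointsize 20 '
         . '-gravity center -annotate 0 ' . $arg . ' ' . $out;
}

// Constructed samples taken from the thread, including the unbalanced double quote.
$samples = ["I'm a boy", '"I" \'m a boy %d ==>', '"I am boy', '# and &'];
foreach ($samples as $sample) {
    echo build_convert_command($sample, 'output.gif'), PHP_EOL;
}
```

The same builder accepts the value straight from $_REQUEST['text']; no backslashes need to be added to the text by hand.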