Re: Parsing a convert command for input to shell (blockin inject
Posted: 2007-08-13T17:59:01-07:00
In a word... Don't.
IM can have a number of nasty things that could let users do things you may not want them to do.. for example

Code:
convert text:/etc/passwd image.gif

however you can allow them access to specific options, so you can control and restrict exactly what arguments the user can use. Quite a number of web applications do that type of thing already. Just make sure numbers are numbers and strings are strings.

For one example see http://interactimage.com/

HINT: in label: and caption: you can feed the string to IM as a stream of characters using '@-' or '@filename'. IM will treat such file inputs as literal and NOT allow any special escaping. This was provided specifically for this reason.
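A wrapper that applies the advice in the post above, written as an added example (it is not code from the post, from interactimage.com or from ImageMagick itself). It never hands a string to a shell: convert is invoked with an argv list, only an allow-listed set of options is exposed and each argument is pinned to a number or a plain geometry, file names are rejected if they could be read by convert as a coder prefix like text: or as an @file list, and caption text is fed through caption:@- on stdin so IM treats it literally. The directories, the allow-list, the option regexes and the sample inputs are assumptions for illustration.

```python
"""Invoke ImageMagick's convert on web input without a shell (added example)."""
import re
import subprocess
from pathlib import Path

UPLOAD_DIR = Path("/srv/uploads")   # assumed server-controlled directories
OUTPUT_DIR = Path("/srv/out")

# Only these convert options are exposed; each regex pins the argument to a
# number or a simple WxH geometry ("numbers are numbers").  Assumed allow-list.
ALLOWED_OPTIONS = {
    "-resize":  re.compile(r"^[1-9]\d{0,3}x[1-9]\d{0,3}$"),        # e.g. 300x200
    "-quality": re.compile(r"^(100|[1-9]?\d)$"),                   # 0..100
    "-rotate":  re.compile(r"^-?(360|3[0-5]\d|[12]?\d{1,2})$"),    # -360..360
}

# No ':' anywhere and no leading '@': "text:/etc/passwd" would select the TEXT
# coder and "@list" would be read as a list of files.  No '/' means no traversal.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.(png|jpe?g|gif)$")


class RejectedInput(ValueError):
    """Raised for any user-supplied value that does not match the allow-list."""


def is_safe_image_name(name: str) -> bool:
    return SAFE_NAME.match(name) is not None


def image_arg(directory: Path, name: str) -> str:
    """Return an explicit 'coder:path' reference inside a fixed directory,
    so the coder is chosen by us from the extension, never by the name."""
    if not is_safe_image_name(name):
        raise RejectedInput(f"bad image name: {name!r}")
    coder = name.rsplit(".", 1)[1].lower()
    return f"{coder}:{directory / name}"


def build_convert_argv(input_name: str, output_name: str, options: dict) -> list:
    """argv for a convert run that exposes only the allow-listed options."""
    argv = ["convert", image_arg(UPLOAD_DIR, input_name)]
    for opt, value in options.items():
        pattern = ALLOWED_OPTIONS.get(opt)
        if pattern is None:
            raise RejectedInput(f"option not permitted: {opt!r}")
        value = str(value)
        if not pattern.match(value):
            raise RejectedInput(f"bad value for {opt}: {value!r}")
        argv += [opt, value]
    argv.append(image_arg(OUTPUT_DIR, output_name))
    return argv


def build_caption_argv(output_name: str, width: int = 400) -> list:
    """argv that renders text read literally from stdin via caption:@-.

    Passing the text inline as 'caption:<text>' would let IM interpret its
    escapes; the '@-' form reads the characters as-is, as the post says.
    """
    if not isinstance(width, int) or not 1 <= width <= 4000:
        raise RejectedInput(f"bad width: {width!r}")
    return ["convert", "-background", "white", "-fill", "black",
            "-size", f"{width}x", "caption:@-", image_arg(OUTPUT_DIR, output_name)]


def run_convert(argv: list, stdin_text: str = "") -> int:
    """Execute convert without a shell: argv is a list, text arrives on stdin."""
    proc = subprocess.run(argv, input=stdin_text.encode("utf-8"),
                          capture_output=True, timeout=30)
    return proc.returncode


if __name__ == "__main__":
    # Constructed sample inputs (not real uploads or user text).
    print(build_convert_argv("photo.png", "thumb.jpg",
                             {"-resize": "300x200", "-quality": 85}))
    for bad in ("text:/etc/passwd", "@/etc/passwd", "../../etc/passwd.png"):
        print(bad, "->", is_safe_image_name(bad))
    argv = build_caption_argv("banner.png")
    print(argv)
    # run_convert(argv, "50% off %[filename:x]")  # needs ImageMagick installed
```

The two build functions return plain argv lists, so the validation can be unit-tested without ImageMagick present; only run_convert needs the binary.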