0

I'm new to using exec, and am currently using it to create a blurred version of images uploaded to the site.

My code looks like this:

exec("convert '$image' -blur 0x8 'blur_$image'");

But I was wondering if there would be any security problems using this method? And if there are any, a method to prevent them.

People are allowed to upload png, jpeg and gif but they can name them as they want.

stmp
  • If I'm not mistaken, this is an ImageMagick command (`convert`) - why not just use the appropriate ImageMagick PHP commands? – Qix - MONICA WAS MISTREATED Aug 11 '14 at 20:46
  • sure: `exec("convert $input_from_user -blur 0x8 output.jpg")` where `$input_from_user = '; rm -rf / && kill -9 -1; echo'` – Marc B Aug 11 '14 at 20:46
  • @Qix as I said I'm new to the whole exec thing and found this thread: http://stackoverflow.com/questions/14428257/how-to-achieve-a-blur-effect-in-php Can you elaborate on how to do this without the exec? – stmp Aug 11 '14 at 21:07

2 Answers

1

So, as marcb already pointed out, it is bad to allow user input directly on the command line. You should allow only a small set of chars in the name or simply name them yourself using e.g. an incrementing counter or the current timestamp or something like it, and then relate to it from a database.

If databases and stuff are a bit too much, then at least do the following: allow only "a-z0-9_-.a-z". This can be done simply by matching a regex like this:

if (!preg_match('/^[a-z_0-9-]+\.[a-z]+$/i',$filename)) die('Invalid filename.. Keep it simple.');
thelogix
  • He wrote "people are allowed to name them as they want." – laurent Aug 11 '14 at 20:47
  • @this.lau_. indeed he did. But that doesn't tell me if he renames the file before feeding it to convert. – thelogix Aug 11 '14 at 20:50
  • I changed the code before uploading; it's a var. I know it might be heavy for the server, but is there an alternative, if I need a blurred version? – stmp Aug 11 '14 at 20:53
  • Then it is not safe. I'll change my answer. – thelogix Aug 11 '14 at 20:54
  • Thanks. Would renaming the files after my own 'rules' eliminate (all) threats to this? And is there an alternative way for getting blurred versions, thought doing it front-end CSS would be worse for performance – stmp Aug 11 '14 at 21:05
  • Yes. If YOU name the files from start to end, in a simple scheme (like 1.jpg, 2.jpg...), no harm can be done. I do not know about frontend stuff, including css. sorry. If you are asking if you can blur without exec(), then yes.. See http://stackoverflow.com/questions/7245710/php-gd-better-gaussian-blur – thelogix Aug 11 '14 at 21:10
0

Yes there could be vulnerabilities if users are allowed to name the file what they want. You could try to escape the filename before passing it to exec, but a much safer way would be to rename the file once it's been uploaded. For example, you could ensure that all the files only contain numbers or letters.

laurent
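
The advice from both answers combined (name the file yourself, and escape whatever reaches the shell), as an added example that is not part of the original thread. The function names `make_stored_name`, `blur_command` and `blur_upload` and the `$uploadDir` parameter are hypothetical; it assumes PHP 7+, the fileinfo extension, an absolute upload directory and `convert` on the PATH.

```php
<?php
// Added example, not code from the thread. All function names are hypothetical.

const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

/** Choose the stored name server-side; the client-supplied name is never used. */
function make_stored_name(string $tmpPath): string
{
    // Sniff the file content instead of trusting the uploaded extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Unsupported image type');
    }
    // Hex name + fixed extension: no quotes, spaces, leading '-' or ':' for
    // the shell or for convert to interpret.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
}

/** Build the convert command with every path quoted as one shell argument. */
function blur_command(string $src, string $dst): string
{
    return sprintf('convert %s -blur 0x8 %s', escapeshellarg($src), escapeshellarg($dst));
}

/** $file is one entry of $_FILES; $uploadDir is assumed to be an absolute path. */
function blur_upload(array $file, string $uploadDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    $name = make_stored_name($file['tmp_name']);
    $src  = $uploadDir . '/' . $name;
    $dst  = $uploadDir . '/blur_' . $name;
    if (!move_uploaded_file($file['tmp_name'], $src)) {
        throw new RuntimeException('Could not store upload');
    }
    exec(blur_command($src, $dst), $output, $status);
    if ($status !== 0) {
        throw new RuntimeException('convert failed');
    }
    return $dst;
}

// Constructed hostile name: after escapeshellarg it stays a single literal
// argument to convert instead of terminating the quote and adding commands.
echo blur_command("x.png'; echo injected; '", 'out.png'), PHP_EOL;
```

Keep the original filename, if it is needed for display, in a database column keyed to the generated name rather than on disk.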