Text Escaping - Security??

agriz
Posts: 237
Joined: 2011-10-01T02:21:30-07:00
Authentication code: 8675308


Post by agriz »

IM Version : 7.0.2

Code:

convert -size 500x400 xc:none -fill white -stroke black -pointsize 20 -gravity center -annotate 0  "Some Text" output.gif
It is working well.

I\'m a boy
\"I\" \'m a boy

These are working.

\"I\" \'m a boy %d ==>

I am getting only "I" 'm a boy in the image. %d is missing.
What characters should be escaped? What are the security problems if I miss an escape?

Post by agriz »

Please give me the list of special characters
snibgo
Posts: 12159
Joined: 2010-01-23T23:01:33-07:00
Authentication code: 1151
Location: England, UK


Post by snibgo »

For % escapes, see http://www.imagemagick.org/script/escape.php . "%d" is the directory component of the given filename, so will often be blank.

For escapes generally, see http://www.imagemagick.org/Usage/text/#escape_chars
snibgo's IM pages: im.snibgo.com

Post by agriz »

Is it possible to break and hack my above command if I just escape single and double quotes?
How can I escape #?

I am not able to escape the following two special characters.
# and &

Post by snibgo »

agriz wrote: I am not able to escape the following two special characters.
# and &

Those characters are not special to ImageMagick. In bash, provided they are within quotes, there is no need to escape them.

Post by agriz »

ok.

Another, final (might be :) ) problem.

"convert -size 500x400 xc:none -fill white -stroke black -pointsize 20 -gravity center -annotate 0 \"Some Text\" output.gif"



\"I\" \'m a boy => working (Double quote is opened and closed. Working)
\"I am boy => not working (Double quote is opened and not closed. Not working)

Post by snibgo »

Please show the full commands you say are working or not working.

Post by agriz »

Code:


$text = addslashes("I am a boy") => working;
$text = addslashes("I am a boy) => not working;

exec("convert -size 500x400 xc:none -fill white -stroke black -pointsize 20 -gravity center -annotate 0 \"".$text."\" output.gif");


Post by snibgo »

agriz wrote: $text = addslashes("I am a boy)

Is this PHP? I suppose that is not a valid PHP statement.

Post by agriz »

I was getting that text from $_REQUEST['text'].
That was not a valid PHP statement.

<input name="text" type="text" value=""I am a boy" />

$text = addslashes($_REQUEST['text']);
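
Added example, not part of the thread and not agriz's or snibgo's code: the thread's convert command built in PHP with the two layers handled separately, "%%" for ImageMagick's percent escapes and escapeshellarg() for the shell, next to the addslashes() form for comparison. The function names and sample strings are constructed for illustration, a Unix-like shell is assumed, and the other ImageMagick escape characters described on the linked pages are not handled.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.
// Assumes a Unix-like host where PHP's exec() runs the command through a shell.

// ImageMagick layer: "%" starts a percent escape (the thread's %d), and the
// escape page linked above lists "%%" as a literal percent sign.
function im_literal_percent(string $text): string
{
    return str_replace('%', '%%', $text);
}

// Shell layer: escapeshellarg() wraps each value in single quotes, so the
// shell passes quotes, #, & and an unbalanced " through as plain characters.
function annotate_command(string $text, string $outFile): string
{
    $args = ['convert', '-size', '500x400', 'xc:none', '-fill', 'white',
             '-stroke', 'black', '-pointsize', '20', '-gravity', 'center',
             '-annotate', '0', im_literal_percent($text), $outFile];
    return implode(' ', array_map('escapeshellarg', $args));
}

// The thread's approach, kept for comparison. addslashes() only touches
// quotes, backslashes and NUL; it is a string-literal helper, not a shell
// quoting function, so other shell-significant characters stay active.
function annotate_command_addslashes(string $text, string $outFile): string
{
    return 'convert -size 500x400 xc:none -fill white -stroke black'
         . ' -pointsize 20 -gravity center -annotate 0 "'
         . addslashes($text) . '" ' . $outFile;
}

// Constructed sample inputs modelled on the strings quoted in the thread.
$samples = ['I am a boy', '"I am a boy', "\"I\" 'm a boy %d", 'a # b & c'];

foreach ($samples as $i => $text) {
    echo 'input:       ', $text, PHP_EOL;
    echo 'addslashes:  ', annotate_command_addslashes($text, "output_$i.gif"), PHP_EOL;
    echo 'hardened:    ', annotate_command($text, "output_$i.gif"), PHP_EOL, PHP_EOL;
    // To render, run the hardened form where ImageMagick is installed:
    // exec(annotate_command($text, "output_$i.gif"), $out, $status);
}
```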