diff options
author | Andrey Andreev <narf@devilix.net> | 2016-03-22 10:31:58 +0100 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2016-03-22 10:31:58 +0100 |
commit | b3f6934cb870f2da9c9891968e6f4d98effa741e (patch) | |
tree | a5b73d5949a1fa67f9cf3749b7b032efcb020ae2 /system/libraries/Image_lib.php | |
parent | eac4adfc24d1ad60af2bc3e08222ee7e5858f638 (diff) |
[ci skip] Escape image paths passed as shell arguments to imagemagick
Diffstat (limited to 'system/libraries/Image_lib.php')
-rw-r--r-- | system/libraries/Image_lib.php | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/system/libraries/Image_lib.php b/system/libraries/Image_lib.php index edd13372d..24fe8c68d 100644 --- a/system/libraries/Image_lib.php +++ b/system/libraries/Image_lib.php @@ -866,27 +866,28 @@ class CI_Image_lib { if ($action === 'crop') { - $cmd .= ' -crop '.$this->width.'x'.$this->height.'+'.$this->x_axis.'+'.$this->y_axis.' "'.$this->full_src_path.'" "'.$this->full_dst_path .'" 2>&1'; + $cmd .= ' -crop '.$this->width.'x'.$this->height.'+'.$this->x_axis.'+'.$this->y_axis; } elseif ($action === 'rotate') { - $angle = ($this->rotation_angle === 'hor' OR $this->rotation_angle === 'vrt') - ? '-flop' : '-rotate '.$this->rotation_angle; - - $cmd .= ' '.$angle.' "'.$this->full_src_path.'" "'.$this->full_dst_path.'" 2>&1'; + $cmd .= ($this->rotation_angle === 'hor' OR $this->rotation_angle === 'vrt') + ? ' -flop' + : ' -rotate '.$this->rotation_angle; } else // Resize { if($this->maintain_ratio === TRUE) { - $cmd .= ' -resize '.$this->width.'x'.$this->height.' "'.$this->full_src_path.'" "'.$this->full_dst_path.'" 2>&1'; + $cmd .= ' -resize '.$this->width.'x'.$this->height; } else { - $cmd .= ' -resize '.$this->width.'x'.$this->height.'\! "'.$this->full_src_path.'" "'.$this->full_dst_path.'" 2>&1'; + $cmd .= ' -resize '.$this->width.'x'.$this->height.'\!'; } } + $cmd .= ' "'.escapeshellarg($this->full_src_path).'" "'.escapeshellarg($this->full_dst_path).'" 2>&1'; + $retval = 1; // exec() might be disabled if (function_usable('exec')) |