[ci skip] Escape image paths passed as shell arguments to imagemagick

1 files changed, 8 insertions, 7 deletions

diff --git a/system/libraries/Image_lib.php b/system/libraries/Image_lib.php
index edd13372d..24fe8c68d 100644
--- a/system/libraries/Image_lib.php
+++ b/system/libraries/Image_lib.php
@@ -866,27 +866,28 @@ class CI_Image_lib {
 
 		if ($action === 'crop')
 		{
-			$cmd .= ' -crop '.$this->width.'x'.$this->height.'+'.$this->x_axis.'+'.$this->y_axis.' "'.$this->full_src_path.'" "'.$this->full_dst_path .'" 2>&1';
+			$cmd .= ' -crop '.$this->width.'x'.$this->height.'+'.$this->x_axis.'+'.$this->y_axis;
 		}
 		elseif ($action === 'rotate')
 		{
-			$angle = ($this->rotation_angle === 'hor' OR $this->rotation_angle === 'vrt')
-					? '-flop' : '-rotate '.$this->rotation_angle;
-
-			$cmd .= ' '.$angle.' "'.$this->full_src_path.'" "'.$this->full_dst_path.'" 2>&1';
+			$cmd .= ($this->rotation_angle === 'hor' OR $this->rotation_angle === 'vrt')
+					? ' -flop'
+					: ' -rotate '.$this->rotation_angle;
 		}
 		else // Resize
 		{
 			if($this->maintain_ratio === TRUE)
 			{
-				$cmd .= ' -resize '.$this->width.'x'.$this->height.' "'.$this->full_src_path.'" "'.$this->full_dst_path.'" 2>&1';
+				$cmd .= ' -resize '.$this->width.'x'.$this->height;
 			}
 			else
 			{
-				$cmd .= ' -resize '.$this->width.'x'.$this->height.'\! "'.$this->full_src_path.'" "'.$this->full_dst_path.'" 2>&1';
+				$cmd .= ' -resize '.$this->width.'x'.$this->height.'\!';
 			}
 		}
 
+		$cmd .= ' "'.escapeshellarg($this->full_src_path).'" "'.escapeshellarg($this->full_dst_path).'" 2>&1';
+
 		$retval = 1;
 		// exec() might be disabled
 		if (function_usable('exec'))