EXEC or Imagick? - Safer and Faster

Posted: 2016-06-17T17:43:06-07:00
by agriz
I was searching about Imagick and Exec.

Many people say that exec is not secure and should not be used.
On the other hand, does Imagick have all the options which can be directly run with EXEC?

Re: EXEC or Imagick? - Safer and Faster

Posted: 2016-06-17T18:47:04-07:00
by fmw42
Imagick currently is missing quite a few newer features of ImageMagick and a few older features.

Re: EXEC or Imagick? - Safer and Faster

Posted: 2016-06-17T19:16:08-07:00
by agriz
Can you tell me how to safely use exec with php?

I read the following on the internet:
You cannot limit PHP exec function's commands to be executed. Also even if you do some string checking for exec to have "convert" command, I'll be able to execute my command like this:

"convert img.jpg img.png ; id ; ls -al ; wget ....."
So it's not a solution.

Re: EXEC or Imagick? - Safer and Faster

Posted: 2016-06-17T20:48:59-07:00
by fmw42
Sorry, I do not know. If you have control of the exec command, how will those other commands get into your command? Presumably, you are only letting some user provide images to the commands and I assume you check the validity of the images before you run the exec via built in PHP. So I do not see the issue. If no one but you runs the PHP exec, then you have full control and those other commands will not get into it. But I do not use PHP exec that often, so am not an expert on that.

If you are still concerned, then just use Imagick. It probably has 95% of the functionality of ImageMagick.

Re: EXEC or Imagick? - Safer and Faster

Posted: 2016-06-18T01:28:29-07:00
by Bonzo
I use ImageMagick with exec() as I find Imagick a pain. I suppose if I spent some time learning it that would not be a problem.

You should validate any user input with both ImageMagick and Imagick. You can carry out some security features to prevent bad code being run via exec().

I did some tests a few years ago and in some cases Imagick is faster than ImageMagick but sometimes it is the other way around.

It is easier to build a complicated command in ImageMagick.

As said, Imagick does not have all the options IM does.

Imagick is not well supported and can be hard to install.

Imagick supposedly has some extra security built in.

All in all, for speed you should do some tests using your actual commands and images. For security, you should have a look around and see what is recommended for file uploads. For a start:
Check the file is an image file
Rename and move the file during upload
Prevent php being run in the same folder as the uploaded file

When it comes down to it, if somebody wanted to hack your server there are probably other ways than just exec().
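
The upload checks listed in the post above, combined with an exec() call that quotes its arguments, as an added example that is not part of the original thread. The function name, the 200x200 resize and the storage directory are assumptions; the directory is expected to be one where the web server does not execute PHP.

```php
<?php
// Added example (hypothetical helper, not from the thread).
// Accepted content types mapped to the extension the server will assign.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// $upload is one entry of $_FILES; $storeDir is an assumed directory
// outside the web root (or with PHP execution disabled).
function convert_upload(array $upload, string $storeDir): string
{
    if ($upload['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }

    // Check the file is an image: inspect the content, not the
    // client-supplied file name or MIME type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']);
    if (!isset(ALLOWED[$mime]) || @getimagesize($upload['tmp_name']) === false) {
        throw new RuntimeException('not an accepted image');
    }

    // Rename and move: the stored name is generated by the server, so no
    // user-chosen characters ever reach the file system or the command line.
    $base = bin2hex(random_bytes(16));
    $src  = $storeDir . '/' . $base . '.' . ALLOWED[$mime];
    if (!move_uploaded_file($upload['tmp_name'], $src)) {
        throw new RuntimeException('could not store upload');
    }
    $dst = $storeDir . '/' . $base . '-thumb.png';

    // The command text is fixed; every variable part is passed through
    // escapeshellarg() so the shell treats it as a single argument.
    $cmd = 'convert ' . escapeshellarg($src) . ' -resize 200x200 '
         . escapeshellarg($dst) . ' 2>&1';
    exec($cmd, $output, $status);
    if ($status !== 0) {
        throw new RuntimeException('convert failed: ' . implode("\n", $output));
    }
    return $dst;
}

// Constructed demonstration: the string quoted earlier in the thread stays
// one quoted argument instead of becoming extra shell commands.
echo 'convert ' . escapeshellarg('img.jpg img.png ; id ; ls -al') . " out.png\n";
```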

Re: EXEC or Imagick? - Safer and Faster

Posted: 2016-06-18T01:35:15-07:00
by agriz
Thanks for the advice :)