[ic] Bugfix for image.tag

Josh Lavin josh at perusion.net
Tue Mar 15 15:46:49 UTC 2011


On 03/15/2011 10:28 AM, Jon Jensen wrote:
> On Tue, 15 Mar 2011, Josh Lavin wrote:
>
>>> Remove bad characters from directory names in image.tag, quote
>>> geometry option
>>>
>>> Problem found when using:
>>> [image src="foo.gif" makesize="200x500>"]
>>>
>>> https://github.com/jlavin/interchange/commit/4fd3e7521470f737b014267cc7dd20ae25bd6a1f
>>>
>>
>> I found another instance of the "bad characters in directory names",
>> so here is an additional commit:
>>
>> https://github.com/jlavin/interchange/commit/dd41ce1962b9e25e5d23e9f020630c94b15e3fc0
>>
>
> Josh,
>
> I'm curious how you arrived at your set of "bad characters" here:
>
> s:[@!%><]::g
>
> What is wrong with @ or % in filenames?

Dear Jon,

These are the characters that are allowed as modifiers to the "makesize" 
parameter. The "makesize" option is then used as the directory name, 
e.g. /images/200x500/foo.jpg.

Quote:
"The value is specified as AxB, A or xB, followed by up to two +- offset 
specifications, followed by none or one of %@!<>. For a complete syntax, 
see mogrify -geometry parameter."

I only listed those particular modifiers that the -geometry parameter 
would use. While I excluded all of the modifiers, I'm not sure if any 
characters other than "<" and ">" would cause problems as a directory name.

Feel free to make it better. :-)

Thanks,
Josh

>
> And on the other hand, & ` $ ~ ( ) { } ' " ? * \ ; | aren't removed but
> are active troublesome shell metacharacters. (And there may be others.)
>
> It might be best if we leverage a CPAN module where someone has already
> solved this problem better than we will. A brief search turned up:
>
> http://kobesearch.cpan.org/htdocs/String-ShellQuote/String/ShellQuote.pm.html
>
>
> which seems to quote everything but a whitelisted set of valid
> characters, which is a safer approach to security functions like this.
>
> We could just copy the String::ShellQuote regex if we don't want to add
> another dependency.
>
> What do you think?
>
> Jon
>


-- 
Josh Lavin
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
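A whitelist check of the kind Jon suggests, as an added example (not Interchange code and not from either poster): it accepts only values matching the makesize grammar quoted above, derives a directory name from the accepted value, and hands the value to mogrify without a shell. The pattern, the flag names and the helper names are assumptions.

```perl
#!/usr/bin/env perl
# Added example, not Interchange code: whitelist-validate a makesize value
# and derive a directory name from it, instead of stripping a blacklist.
use strict;
use warnings;

# Pattern for the syntax quoted above: AxB, A or xB, then up to two
# +-N offsets, then at most one of % @ ! < >.  (Assumption: that is the
# whole grammar image.tag needs; anything else is rejected, not cleaned.)
my $GEOMETRY = qr/^(?:\d+x\d+|\d+|x\d+)(?:[+-]\d+){0,2}[%\@!<>]?\z/;

# Returns the value unchanged when it matches the grammar, undef otherwise.
sub valid_geometry {
    my ($val) = @_;
    return (defined $val && $val =~ $GEOMETRY) ? $val : undef;
}

# Spell out the flag character so the directory name contains only
# [0-9A-Za-z_+-]; "+"/"-" are kept since an offset can never start the name.
my %FLAG_NAME = ('%' => 'pct', '@' => 'at', '!' => 'force', '<' => 'lt', '>' => 'gt');

sub geometry_dirname {
    my ($val) = @_;
    my $geom = valid_geometry($val);
    return undef unless defined $geom;
    (my $dir = $geom) =~ s/([%\@!<>])/'_' . $FLAG_NAME{$1}/e;
    return $dir;
}

# Argument list for mogrify: with the list form of system() no shell ever
# sees the "<" or ">" flag, so shell quoting is not needed at all.
sub mogrify_args {
    my ($val, $file) = @_;
    my $geom = valid_geometry($val);
    die "rejected makesize value\n" unless defined $geom;
    return ('mogrify', '-geometry', $geom, $file);
}

# Constructed sample values: the last two do not fit the grammar.
for my $v ('200x500', '200x500>', '200x500+10-5!', 'x500@', '200x500>>', '../200') {
    my $d = geometry_dirname($v);
    printf "%-14s -> %s\n", $v, defined $d ? "images/$d" : 'rejected';
}
my @cmd = mogrify_args('200x500>', 'foo.gif');
print "would run (list form, no shell): @cmd\n";
```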
