[ic] Bugfix for image.tag
Josh Lavin
josh at perusion.net
Tue Mar 15 15:46:49 UTC 2011
On 03/15/2011 10:28 AM, Jon Jensen wrote:
> On Tue, 15 Mar 2011, Josh Lavin wrote:
>
>>> Remove bad characters from directory names in image.tag, quote
>>> geometry option
>>>
>>> Problem found when using:
>>> [image src="foo.gif" makesize="200x500>"]
>>>
>>> https://github.com/jlavin/interchange/commit/4fd3e7521470f737b014267cc7dd20ae25bd6a1f
>>>
>>
>> I found another instance of the "bad characters in directory names",
>> so here is an additional commit:
>>
>> https://github.com/jlavin/interchange/commit/dd41ce1962b9e25e5d23e9f020630c94b15e3fc0
>>
>
> Josh,
>
> I'm curious how you arrived at your set of "bad characters" here:
>
> s:[@!%><]::g
>
> What is wrong with @ or % in filenames?
Dear Jon,
These are the characters that are allowed as modifiers to the "makesize"
parameter. The "makesize" option is then used as the directory name,
e.g.: "/images/200x500/foo.jpg".
Quote:
"The value is specified as AxB, A or xB, followed by up to two +- offset
specifications, followed by none or one of %@!<>. For a complete syntax,
see mogrify -geometry parameter."
I only listed those particular modifiers that the -geometry parameter
would use. While I excluded all of the modifiers, I'm not sure if any
characters other than "<" and ">" would cause problems as a directory name.
Feel free to make it better. :-)
Thanks,
Josh
>
> And on the other hand, & ` $ ~ ( ) { } ' " ? * \ ; | aren't removed but
> are active troublesome shell metacharacters. (And there may be others.)
>
> It might be best if we leverage a CPAN module where someone has already
> solved this problem better than we will. A brief search turned up:
>
> http://kobesearch.cpan.org/htdocs/String-ShellQuote/String/ShellQuote.pm.html
>
>
> which seems to quote everything but a whitelisted set of valid
> characters, which is a safer approach to security functions like this.
>
> We could just copy the String::ShellQuote regex if we don't want to add
> another dependency.
>
> What do you think?
>
> Jon
>
--
Josh Lavin
Perusion -- Expert Interchange Consulting http://www.perusion.com/
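The thread contrasts the blacklist substitution from the commit (s:[@!%><]::g) with a whitelist approach. The following Perl script is an added example, not Interchange code and not from either poster: it anchors a regex to the geometry grammar Josh quotes (AxB, A or xB, up to two +- offsets, then at most one of %@!<>), rejects anything else outright, and derives the directory name only from a value that passed. The sample inputs are constructed; the function names are the example's own.

```perl
#!/usr/bin/perl
# Added example (not Interchange's code): validate an ImageMagick-style
# "makesize" geometry against the grammar quoted in the thread and
# compare the result with the blacklist substitution from the commit.
use strict;
use warnings;

# Grammar from the thread: AxB, A or xB, then up to two +-N offsets,
# then none or one of % @ ! < >.  Anchored with \A and \z so no other
# character can appear anywhere in the string.
my $GEOMETRY_RE = qr/\A
    (?: \d+ x \d+ | \d+ | x \d+ )   # AxB, A, or xB
    (?: [+-] \d+ ){0,2}             # up to two offsets
    [%\@!<>]?                       # at most one modifier
\z/x;

# The blacklist from the commit under discussion: strips only the
# geometry modifier characters and keeps everything else.
sub strip_blacklist {
    my ($geometry) = @_;
    (my $dir = $geometry) =~ s:[@!%><]::g;
    return $dir;
}

# Whitelist: accept the value only if the whole string matches the
# grammar; return undef (reject) rather than trying to repair it.
sub validate_geometry {
    my ($geometry) = @_;
    return defined $geometry && $geometry =~ $GEOMETRY_RE ? $geometry : undef;
}

# Directory name for a validated geometry: drop the modifier so the
# name consists only of [0-9x+-].
sub dirname_for_geometry {
    my ($geometry) = @_;
    my $valid = validate_geometry($geometry);
    return undef unless defined $valid;
    (my $dir = $valid) =~ s/[%\@!<>]//g;
    return $dir;
}

# Constructed sample inputs: the one from the thread, a few other valid
# forms, and three values the whitelist must reject.
my @samples = (
    '200x500>', '200x500', 'x500!', '200x500+10-5%',
    '../../etc', '200x500;rm -rf /', '200x500>`id`',
);

for my $g (@samples) {
    my $bl = strip_blacklist($g);
    my $wl = dirname_for_geometry($g);
    printf "%-20s blacklist=%-20s whitelist=%s\n",
        "'$g'", "'$bl'", defined $wl ? "'$wl'" : 'REJECTED';
}
```

Running it shows the difference the thread is about: the blacklist turns '200x500>' into '200x500' but leaves '../../etc' and '200x500;rm -rf /' untouched, while the whitelist yields '200x500' for the valid forms and rejects the rest. The validated value is what should be used both for the directory name and as the argument to mogrify -geometry; quoting that argument for the shell (as the commit does, or via String::ShellQuote as Jon suggests) remains a separate step.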