Reputation: 733
I need to use ImageMagick's convert in a PHP script, so I enabled exec.
Now I don't feel safe leaving exec enabled, and I'd like to limit it to the "convert" command only.
Is there a way to do it? Thanks a lot
Upvotes: 1
Views: 1679
Reputation: 5002
You cannot limit the commands executed by PHP's exec function. Also, even if you do some string checks on the exec function's argument to require something like "convert" in it, I'll be able to bypass it and execute arbitrary commands like this:
"convert img.jpg img.png ; id ; ls -al ; wget ....."
So it's not a solution.
Recommendations:
a) Don't enable exec; just use the ImageMagick PHP extension: http://www.php.net/manual/en/book.imagick.php It's just like the command prompt, but instead it's a PHP extension. You can do everything you do with the command line interface of ImageMagick with this PHP extension. (Recommended)
b) Try alternatives to ImageMagick; if you just want to convert/resize images, there are many PHP classes and extensions for those purposes.
c) Write your own PHP extension which will take the parameters you want to pass to convert and let the extension handle the command execution, but you need to sanitize the strings and commands passed to it heavily.
d) Set file permissions properly, do not allow new file uploads via the web (at least not executable files), set proper permissions for files and folders, check your code for SQL injection, file inclusion attacks and all other application vulnerabilities, etc., to make sure that you have secure code and a secure server. If you are really confident that your server is secure, you can enable exec, but you can't restrict the commands that are going to be executed. (Not recommended)
Upvotes: 4
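Recommendation (a) in practice, as an added example that is not part of the answer above: the conversion is done through the Imagick extension, so no shell is ever spawned and the `; id ; ls -al` style of injection has nothing to reach. It assumes the imagick extension is installed; the file paths and the size limits are constructed for illustration.

```php
<?php
// Added example: convert an uploaded image to PNG with the Imagick extension
// instead of exec("convert ..."). Both paths must be generated by the server
// (temp name, output directory), never taken from user input: ImageMagick
// interprets "format:" prefixes in file names, so an attacker-chosen name could
// still select a coder even though no shell is involved.
function convertToPng(string $inputPath, string $outputPath): array
{
    // Decide the allowed decoder from the file's real content, not its extension.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($inputPath);
    $allowed = ['image/jpeg' => 'JPEG', 'image/png' => 'PNG', 'image/gif' => 'GIF'];
    if (!isset($allowed[$mime])) {
        throw new InvalidArgumentException("unsupported content type: $mime");
    }

    // Cap what one decode may consume (decompression bombs); values are assumed.
    Imagick::setResourceLimit(Imagick::RESOURCETYPE_MEMORY, 256 * 1024 * 1024);
    Imagick::setResourceLimit(Imagick::RESOURCETYPE_MAP,    512 * 1024 * 1024);
    Imagick::setResourceLimit(Imagick::RESOURCETYPE_DISK,  1024 * 1024 * 1024);

    // Read only the header first, so oversized or mislabelled files are
    // rejected before any pixel data is decoded.
    $probe = new Imagick();
    $probe->pingImage($inputPath);
    $format = $probe->getImageFormat();
    $width  = $probe->getImageWidth();
    $height = $probe->getImageHeight();
    $probe->clear();
    if ($format !== $allowed[$mime]) {
        throw new RuntimeException("coder $format does not match content type $mime");
    }
    if ($width * $height > 50_000_000) {
        throw new RuntimeException("image too large: {$width}x{$height}");
    }

    $im = new Imagick();
    $im->readImage($inputPath);
    $im->stripImage();              // drop EXIF and other embedded profiles
    $im->setImageFormat('png');     // equivalent of "convert in.jpg out.png"
    $im->writeImage($outputPath);
    $im->clear();

    return ['width' => $width, 'height' => $height, 'source' => $format];
}

// Constructed paths: the temp name comes from the upload handler, not the user.
$info = convertToPng('/var/www/uploads/tmp/upload_7f3a', '/var/www/uploads/out/7f3a.png');
printf("converted %s %dx%d to PNG\n", $info['source'], $info['width'], $info['height']);
```

The same library-level policy file (policy.xml) that constrains the command-line tools also applies to the extension, so coders such as MVG or MSL can be disabled there without touching PHP.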