Security concern regarding PHP image conversion

Question

In PHP I'm creating an svg file, injecting some elements posted from a form, converting that svg to a jpg using ImageMagick, and then finally destroying the svg leaving only the jpg version. This all works perfectly. My concern is security and what steps I can/should take to minimize my risk.

Here's the meat of my code...

//WRITE THE FILE CONTENTS INTO THE FILE
//If file already exists, it will replace it.
file_put_contents($file, $current);

//START CONVERSION PROCESS
$svg = file_get_contents($file);

$image = new Imagick();
$image->readImageBlob($svg);
$image->setCompression(Imagick::COMPRESSION_JPEG); 
$image->setCompressionQuality(60); 
$image->setImageFormat("jpg");
$image->writeImage($newFileName);
$image->clear();
$image->destroy();

//DESTROY SVG FILE 
unlink($file); 

My fears are something exploitable being inserted into my svg. If that were the case, would it survive the image conversion? What are some strategies I might employ to make this more safe/as safe as possible.

Answer 1

SVG will inherit all security risks as XML; like billion laughs & external entities to name a couple. Although most SVG delegate libraries have addressed key issues, your still responsible for protecting against XSS, and sanitizing user input.

If that were the case, would it survive the image conversion?

Usually not, as the process of re-drawing vector to raster throws out original data. However exploits targeted to stop reading SVG data would persist.

What are some strategies I might employ to make this more safe/as safe as possible.

• Validate
• Sanitize
• Enforce SSL
• Become familiar with working security practices (like PCI), and adapt.