I am generating an ImageMagick bash command using Python. Something like

    import subprocess

    input_file = "hello.png"
    output_file = "world.jpg"
    # Argument list, no shell: the filenames are passed straight to convert
    subprocess.run(["convert", input_file, output_file])

where there might be more arguments before input_file or output_file. My question is, if either of the filenames is user provided and the user provides a filename that can be parsed as a command line option for ImageMagick, isn't that unsafe?
Upvotes: 0
Views: 191
Reputation: 8869
From the man page (and a few tests), convert requires an input file and an output file. If you only allow two tokens and if a file name is interpreted as an option then convert is going to miss at least one of the files, so you'll get an ugly message but you should be fine.

Otherwise you can prefix any file name that starts with - with ./ (except - itself, which is stdin or stdout depending on position), so that it becomes an unambiguous file path to the same file.
Upvotes: 2
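The ./ prefix described in this answer, as an added example that is not part of the original post. It assumes a policy of its own: a user-supplied name that is exactly "-" is rejected rather than passed through, since the caller never wants stdin or stdout to be chosen by the user. Passing an argument list to subprocess already rules out shell injection; what remains is a name being read as a convert option, and that is what the prefix removes.

```python
import subprocess
from typing import Iterable, List


def safe_path(name: str) -> str:
    """Return a form of `name` that convert cannot read as an option.

    A leading '-' would be parsed as an option token; './-foo.png' refers
    to the same file in the current directory but starts with a '.', so
    it can only be a file path. The bare '-' means stdin/stdout for
    convert, so this (assumed) policy refuses it outright.
    """
    if name == "-":
        raise ValueError("'-' would select stdin/stdout, not a file")
    if name.startswith("-"):
        return "./" + name
    return name


def build_convert_command(input_file: str, output_file: str,
                          extra_args: Iterable[str] = ()) -> List[str]:
    """Assemble the argv list; the filenames are always the last two tokens.

    `extra_args` are options chosen by the program itself (not the user),
    placed before the input file as in the question.
    """
    return ["convert", *extra_args, safe_path(input_file), safe_path(output_file)]


def run_convert(input_file: str, output_file: str,
                extra_args: Iterable[str] = ()) -> int:
    """Run convert without a shell and return its exit status."""
    cmd = build_convert_command(input_file, output_file, extra_args)
    return subprocess.run(cmd, check=False).returncode


if __name__ == "__main__":
    # Constructed user input: a name that would otherwise look like an option.
    print(build_convert_command("-resize.png", "world.jpg", ["-resize", "50%"]))
    # -> ['convert', '-resize', '50%', './-resize.png', 'world.jpg']
```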
Reputation: 22225
If the filename starts with a dash, ImageMagick indeed could think that this is an option instead of a filename. Most programs - including AFAIK the ImageMagick command line tools - follow the convention that a double-dash (--) denotes the end of the options. If you do a

    subprocess.run(["convert", "--", input_file, output_file])

you should be safe in this respect.
Upvotes: 2