stderr should not be copied into the output file

pludoni / simple-captcha

Rails 3+4 support now! Simple Captcha is the simplest and a robust captcha plugin. Its implementation requires adding up a single line in views and in controllers/models.

MIT License

106 stars 73 forks source link

stderr should not be copied into the output file #54

Open spixi opened 7 years ago

spixi commented 7 years ago

Copying stderr into the output file may cause invalid files and also expose information about the server. stderr must not be copied into the output file. See here for an invalid jpg which was generated by simple-captcha. After removing the trailing payload up the the JFIF magic string, the file is actually a valid jpeg containing a working captcha. https://gist.github.com/spixi/fccdd98e51336e0e9230b2a2741dac56

zealot128 commented 7 years ago

That's true, the command handling is not very safe.

What happens now, when there is an error with processing, like missing Imagemagick version, disk full etc? Does that error get somehow passed upon?

I think the best way would be, to use a full-blown command wrapper, like popen3 to capture stdout/sterr independently though