Open spixi opened 7 years ago
That's true, the command handling is not very safe.
What happens now when there is an error with processing, like a missing ImageMagick version, disk full, etc.? Does that error somehow get passed on?
I think the best way would be to use a full-blown command wrapper, like popen3, to capture stdout/stderr independently, though.
Copying stderr into the output file may cause invalid files and also expose information about the server. stderr must not be copied into the output file. See here for an invalid jpg which was generated by simple-captcha. After removing the trailing payload up to the JFIF magic string, the file is actually a valid jpeg containing a working captcha. https://gist.github.com/spixi/fccdd98e51336e0e9230b2a2741dac56
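
Added example, not part of the thread or of simple-captcha's code: a sketch of the separation discussed above, using Ruby's `Open3.capture3` to keep stderr out of the image bytes, check the exit status, and verify the JPEG start marker. `render_image`, `render_merged`, `RenderError` and the two stand-in renderer commands are hypothetical names constructed for this illustration.

```ruby
require "open3"
require "rbconfig"

JPEG_SOI = "\xFF\xD8".b # every JPEG begins with the Start Of Image marker

class RenderError < StandardError; end

# Runs argv (an array, so no shell parses it) and returns [image, stderr].
# stderr is captured on its own pipe: the caller can log it server-side,
# and it is never written into the image that goes to the client.
def render_image(argv)
  stdout, stderr, status = Open3.capture3(*argv, binmode: true)
  raise RenderError, "renderer exited with #{status.exitstatus}" unless status.success?
  raise RenderError, "output is not a JPEG" unless stdout.start_with?(JPEG_SOI)
  [stdout, stderr]
end

# For comparison: both streams merged into one, as a "2>&1" redirect does.
def render_merged(argv)
  out, _status = Open3.capture2e(*argv, binmode: true)
  out
end

# Constructed stand-in for the image command: it warns on stderr, then
# writes a minimal JPEG-like byte string (SOI, filler, EOI) to stdout.
FAKE_RENDERER = [RbConfig.ruby, "-e", <<~'RUBY']
  $stderr.write "warning: font cache at /srv/app/tmp not writable\n"
  $stderr.flush
  $stdout.binmode
  $stdout.write "\xFF\xD8\xFF\xE0JFIF-sample\xFF\xD9".b
RUBY

# Constructed stand-in for a failing run (for example, a full disk).
FAILING_RENDERER = [RbConfig.ruby, "-e", '$stderr.puts "disk full"; exit 1']
```

With the merged variant the warning text, including the server path, lands in front of the image data; with `render_image` a failed run raises instead of producing a file.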