SECURITY EXPLOIT POSSIBLE: No validation of filename leads to shell command execution
```python
import subprocess

# input_image: input image (.jpeg, .png, ...)
# output_image: output image (.webp)
# option: cwebp options, including the quality, which should be given between 0 and 100
def cwebp(input_image, output_image, option):
    # getcwebp() is the library's own helper that returns the path to the cwebp binary.
    # All three caller-supplied strings are concatenated into a single command line...
    cmd = getcwebp() + ' ' + option + ' ' + input_image + ' -o ' + output_image
    # ...which is then handed to a shell, so any shell metacharacters in them are interpreted.
    p = subprocess.Popen(cmd, shell=True, stdin=None, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    (stdout, stderr) = p.communicate()
    result = {'exit_code': p.returncode, 'stdout': stdout, 'stderr': stderr, 'command': cmd}
    return result
```

```python
# The ';' in the option and in the filename terminate the cwebp invocation, so the
# resulting command line runs `cat /etc/passwd` as a separate shell command.
r = webp.cwebp(";bar", 'foo', ";cat /etc/passwd")
print(r)
```
Now I can see something I shouldn't, and/or run commands on the host. If someone is calling webp on some input from a form or DB row, then there is room for exploitation.
- Warn the user in the README.md
- SANITIZE what you can (the options, for example)
- VALIDATE that the file exists
How did I find this? I noticed that filenames with spaces in them were not being handled correctly, then I assumed that you were just wrapping an existing program.
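One way to apply the three suggestions above, as an added example written for this page rather than code from the webp project: the option string is parsed against an allow-list, both paths are checked, and the binary is started from an argv list with `shell=False`, so no shell ever parses caller input. The flag set in `ALLOWED_OPTIONS`, the preset names, the `cwebp` binary name and the constructed inputs in `demo()` are assumptions for illustration.

```python
"""Hardened replacement for the cwebp() wrapper quoted in the issue (added example).

Assumptions, not from the original page: the binary is reachable as `cwebp`, and
only the flags listed in ALLOWED_OPTIONS are needed by callers.
"""
import os
import subprocess
import tempfile


class CwebpArgError(ValueError):
    """Raised when caller-supplied options or paths fail validation."""


# Flag -> number of values it takes (assumed subset of cwebp's flags). Anything
# else is refused, so ";cat /etc/passwd" or "-o /etc/cron.d/x" never reach the binary.
ALLOWED_OPTIONS = {"-q": 1, "-m": 1, "-preset": 1, "-lossless": 0}
ALLOWED_PRESETS = {"default", "photo", "picture", "drawing", "icon", "text"}


def _int_in_range(value, lo, hi):
    # str.isdigit() also rejects a leading '-', so negatives never pass.
    return value.isdigit() and lo <= int(value) <= hi


def validate_options(option):
    """Turn the free-form option string into an allow-listed list of argv tokens."""
    tokens = option.split()  # str.split() does the tokenising, never a shell
    argv, i = [], 0
    while i < len(tokens):
        flag = tokens[i]
        if flag not in ALLOWED_OPTIONS:
            raise CwebpArgError(f"option not allowed: {flag!r}")
        nargs = ALLOWED_OPTIONS[flag]
        values = tokens[i + 1:i + 1 + nargs]
        if len(values) != nargs:
            raise CwebpArgError(f"{flag} expects {nargs} value(s)")
        if flag == "-q" and not _int_in_range(values[0], 0, 100):
            raise CwebpArgError("-q must be an integer between 0 and 100")
        if flag == "-m" and not _int_in_range(values[0], 0, 6):
            raise CwebpArgError("-m must be an integer between 0 and 6")
        if flag == "-preset" and values[0] not in ALLOWED_PRESETS:
            raise CwebpArgError(f"unknown preset {values[0]!r}")
        argv += [flag, *values]
        i += 1 + nargs
    return argv


def validate_path(path, must_exist):
    """Reject empty/NUL paths and option-looking names; optionally require a regular file."""
    if not path or "\x00" in path:
        raise CwebpArgError("empty path or embedded NUL")
    if path.startswith("-"):
        # cwebp would parse such a name as a flag (argument injection).
        raise CwebpArgError(f"path must not start with '-': {path!r}")
    if must_exist and not os.path.isfile(path):
        raise CwebpArgError(f"input is not a regular file: {path!r}")
    return path


def build_cwebp_argv(input_image, output_image, option="", cwebp_bin="cwebp"):
    """argv list for subprocess: the shell never sees these strings."""
    return [cwebp_bin, *validate_options(option),
            validate_path(input_image, must_exist=True),
            "-o", validate_path(output_image, must_exist=False)]


def cwebp(input_image, output_image, option="", cwebp_bin="cwebp"):
    """Drop-in replacement for the wrapper in the issue: same result keys, no shell."""
    argv = build_cwebp_argv(input_image, output_image, option, cwebp_bin)
    p = subprocess.run(argv, stdin=subprocess.DEVNULL, capture_output=True, shell=False)
    return {"exit_code": p.returncode, "stdout": p.stdout, "stderr": p.stderr, "command": argv}


def rejects(input_image, output_image, option):
    """True if build_cwebp_argv refuses the inputs."""
    try:
        build_cwebp_argv(input_image, output_image, option)
        return False
    except CwebpArgError:
        return True


def demo():
    """Constructed inputs: the issue's payload is refused, a sane call builds clean argv."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "in.png")
        with open(src, "wb") as f:
            f.write(b"\x89PNG placeholder")  # constructed stand-in, not a real image
        dst = os.path.join(d, "out.webp")
        results["ok"] = build_cwebp_argv(src, dst, "-q 80 -preset picture")
        for bad_in, bad_out, bad_opt in [
            (";bar", "foo", ";cat /etc/passwd"),       # the issue's PoC
            (src, dst, "-q 80 -o /etc/cron.d/evil"),   # option injection
            (src, "-o", "-q 80"),                      # argument injection via the path
            (src, dst, "-q 101"),                      # out-of-range quality
        ]:
            try:
                build_cwebp_argv(bad_in, bad_out, bad_opt)
                results.setdefault("accepted", []).append((bad_in, bad_out, bad_opt))
            except CwebpArgError as e:
                results.setdefault("rejected", []).append(str(e))
    return results
```

The `command` entry of the result is now the argv list rather than a string, which is what you want to log: it shows exactly what `execve` received, with no shell quoting ambiguity. Note that an allow-list on paths does not remove the need to check the file exists and is readable by the service account, which `validate_path` only approximates with `os.path.isfile`.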
dgtlmoon changed the title from "SECURITY EXPLOIT POSSIBLE: No validation of filename leads to shell command execution" to "SECURITY: No validation of filename or options leads to shell command execution" on Mar 16, 2020
```python
def image_to_webp(src, dest):
    # Encodes in-process through the webp module's WebPPicture/WebPConfig API,
    # so no external binary and no shell are involved.
    import webp
    import io
    from PIL import Image
    # @todo Maybe there's a better way to load this as a stream instead of into RAM, tho my images are all small.
    with open(src, "rb") as r:
        rb = r.read()
    o = Image.open(io.BytesIO(rb))
    pic = webp.WebPPicture.from_pil(o)
    config = webp.WebPConfig.new(preset=webp.WebPPreset.PICTURE, quality=90)
    buf = pic.encode(config).buffer()
    with open(dest, 'wb') as f:
        f.write(buf)
```