Bug #60116 [PATCH]: escapeshellcmd() cannot escape the chars which causes shell injection.

Sun, 23 Oct 2011 04:17:40 -0700 

Edit report at https://bugs.php.net/bug.php?id=60116&edit=1

 ID:                 60116
 Patch added by:     hirok...@php.net
 Reported by:        hirok...@php.net
 Summary:            escapeshellcmd() cannot escape the chars which
                     causes shell injection.
 Status:             Open
 Type:               Bug
 Package:            Filter related
 Operating System:   Ubuntu Linux
 PHP Version:        trunk-SVN-2011-10-23 (SVN)
 Block user comment: N
 Private report:     N

 New Comment:

The following patch has been added/updated:

Patch Name: php-escape.patch
Revision:   1319368645
URL:        
https://bugs.php.net/patch-display.php?bug=60116&patch=php-escape.patch&revision=1319368645


Previous Comments:
------------------------------------------------------------------------
[2011-10-23 11:16:45] hirok...@php.net

Description:
------------
escapeshellcmd() escapes " and ' only if it isn't paired (it is documented in 
the PHP manual). 

For the test script to look for some keyword in the files of the specified 
directory (/var/data/), the double quotation in the user input as shown below 
cannot be escaped because it is paired (it is found by Mr. Tokumaru).

$_GET['key'] = ':" "/etc/passwd';

The command line will be,

grep ":" "/etc/passwd" /var/data/*

The content of arbitrary file such as /etc/passwd will be shown.

The attached patch (made by Mr. Ohgaki, slightly modified be me) will add an 
option flag for escapeshellcmd().
The recommended code to escape the quotation in this case will be,

$key = escapeshellcmd($_GET['key'], ESCAPE_CMD_ALL);

output: grep ":\" \"/etc/passwd" /var/data/*

The option flag has the three different value.
There is no backward incompatibility because the default behavior 
(ESCAPE_CMD_PAIR) is unchanged.

ESCAPE_CMD_PAIR : escape if it is not paired (default)
ESCAPE_CMD_END  : escape except for end/beginning of the string
ESCAPE_CMD_ALL  : escape without exception (recommended)

In Windows, the quotation is always escaped, but, in other environment,
it is only escaped if it is not paired.

It is highly recommended to apply this patch to prevent the possible shell 
command injection attack.









Test script:
---------------
<?php
$_GET['key'] = ':" "/etc/passwd'; // sample input
$key = escapeshellcmd($_GET['key']);
$cmd = "grep \"$key\" /var/data/*";
echo $cmd,PHP_EOL;
system($cmd);
?>

Expected result:
----------------
grep ":\" \"/etc/passwd" /var/data/*


Actual result:
--------------
grep ":" "/etc/passwd" /var/data/*
[content of /etc/passwd]




------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=60116&edit=1

Reply via email to