Re: [PHP] securing a script that exec()s
On Sat, Mar 31, 2012 at 1:37 AM, rene7705 wrote:

> escapeshellcmd() seems simplest.

It might be if all you care about are shell meta characters, and admittedly it will save you from someone entering "& rm -rf / &" in your input field. But dealing with generic user input, even escaped, can still be problematic. Say you want to let the user set the size of the output file, and the user enters a bunch of letters instead of a geometry. Do you really want to have to deal with all the possible ramifications of such GIGO stuff? Better to vet the data, untaint it, and deal with it that way. When you've gone to all that, you're almost all the way to where you need to be to use the library functions.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] securing a script that exec()s
On Fri, Mar 30, 2012 at 7:05 AM, David OBrien wrote:

> Find a way to do it using PHP's imagemagick extensions
>
> http://php.net/manual/en/book.imagick.php
>
> On Fri, Mar 30, 2012 at 5:56 AM, rene7705 wrote:
>
>> Hi.
>>
>> I have a script that uses imagemagick's convert command on the command line to get its work done.
>> These calls to exec('convert [params]') take params from the end-user via an html form, so it is very insecure.
>>
>> The intention is that the end-user only runs this script on localhost, from localhost.
>>
>> So now I'm checking $_SERVER['REMOTE_ADDR']===$_SERVER['SERVER_ADDR'] to see if I can allow the script to be used.
>>
>> But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and $_SERVER['SERVER_ADDR'] is my internal IP.
>>
>> How would I best fix this?

I, too, would suggest you use the PHP extensions rather than shell out a command, for various reasons, security being possibly the highest. There is also the cost of another process on the box, and doing the translation in and out.

And David, please bottom post responses.
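The two pieces of advice in this thread, vet and untaint the form values before they go anywhere near exec() (the escapeshellcmd() reply) and prefer the Imagick extension over shelling out (the reply above), combined into one added example. This is not code from the thread or from any of its posters; the directory names, the form field names (`size`, `file`) and all function names are assumptions made for illustration. The same vetted values feed either sink, which is the point of "when you've gone to all that, you're almost all the way to using the library functions".

```php
<?php
// Added example, not code from the thread. Vet the two user-supplied values
// (geometry and file name) first, then hand them either to exec() with
// escapeshellarg() or, preferably, to the Imagick extension with no shell.
// Directory names, form field names and function names are assumptions.

declare(strict_types=1);

const INPUT_DIR  = '/var/www/uploads';   // assumed: where uploads live
const OUTPUT_DIR = '/var/www/output';    // assumed: where results go

/** Accept only WIDTHxHEIGHT within sane bounds, e.g. "800x600". */
function vetGeometry(string $raw): ?array
{
    if (!preg_match('/^(\d{1,5})x(\d{1,5})$/', $raw, $m)) {
        return null;                       // letters, options, metachars: out
    }
    $w = (int) $m[1];
    $h = (int) $m[2];
    return ($w >= 1 && $h >= 1 && $w <= 8192 && $h <= 8192) ? [$w, $h] : null;
}

/**
 * Accept a plain base name with a known extension that cannot start with
 * '-' (so convert cannot read it as an option), and confirm via realpath()
 * that it resolves to a file inside INPUT_DIR (defeats "../").
 */
function vetInputFile(string $raw): ?string
{
    if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\.(png|jpe?g|gif)$/i', $raw)) {
        return null;
    }
    $path = realpath(INPUT_DIR . '/' . $raw);
    return ($path !== false && strpos($path, INPUT_DIR . '/') === 0) ? $path : null;
}

/**
 * Sink 1, the shell route: every variable part is its own escapeshellarg()'d
 * argument. escapeshellcmd() over the whole string is deliberately not used;
 * it still leaves the argument boundaries to the shell.
 */
function buildConvertCommand(string $input, int $w, int $h, string $output): string
{
    return 'convert ' . escapeshellarg($input)
         . ' -resize ' . escapeshellarg("{$w}x{$h}")
         . ' ' . escapeshellarg($output);
}

/**
 * Sink 2, the library route: no command line exists, so there is nothing to
 * inject into; the vetted values are passed as typed arguments.
 */
function resizeWithImagick(string $input, int $w, int $h, string $output): array
{
    // Cap what a hostile image can make the library allocate.
    Imagick::setResourceLimit(Imagick::RESOURCETYPE_MEMORY, 256 * 1024 * 1024);
    Imagick::setResourceLimit(Imagick::RESOURCETYPE_MAP, 512 * 1024 * 1024);
    $im = new Imagick();
    $im->readImage($input);
    $im->thumbnailImage($w, $h, true);     // bestfit=true keeps the aspect ratio
    $im->setImageFormat('png');
    $im->writeImage($output);
    $geometry = $im->getImageGeometry();   // ['width' => ..., 'height' => ...]
    $im->clear();
    return $geometry;
}

/** Defence in depth for "localhost only": compare with loopback, not SERVER_ADDR. */
function isLoopbackClient(array $server): bool
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    return $ip === '::1' || strpos($ip, '127.') === 0;
}

// Request handling; only runs under a web SAPI, not when included from CLI tests.
if (PHP_SAPI !== 'cli') {
    if (!isLoopbackClient($_SERVER)) {
        http_response_code(403);
        exit('local use only');
    }
    $geometry = vetGeometry($_POST['size'] ?? '');
    $input    = vetInputFile($_POST['file'] ?? '');
    if ($geometry === null || $input === null) {
        http_response_code(400);
        exit('bad input');
    }
    [$w, $h] = $geometry;
    $output  = OUTPUT_DIR . '/' . bin2hex(random_bytes(8)) . '.png';
    if (extension_loaded('imagick')) {
        $geo = resizeWithImagick($input, $w, $h, $output);
        echo "wrote {$output} ({$geo['width']}x{$geo['height']})";
    } else {
        exec(buildConvertCommand($input, $w, $h, $output), $lines, $status);
        echo $status === 0 ? "wrote {$output}" : "convert failed ({$status})";
    }
}
```

Two caveats worth keeping in mind: escapeshellarg() protects the shell, not convert's own option parsing, which is why vetInputFile() refuses names beginning with '-'; and the loopback check is only a second line of defence for the "localhost only" intent, since an attacker who can make a local browser issue the request (for example via a page the user visits) is still on 127.0.0.1.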
Re: [PHP] securing a script that exec()s
On Mar 30, 2012, at 9:25 AM, rene7705 wrote:

> On Fri, Mar 30, 2012 at 3:16 PM, Peter Bauer wrote:
>
>> On Fri, Mar 30, 2012 at 11:56:41AM +0200, rene7705 wrote:
>>> ...
>>> But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and $_SERVER['SERVER_ADDR'] is my internal IP.
>>>
>>> How would I best fix this?
>>
>> Simply log on your box via ssh (if it's a unix system) and run your script from console or with textmode browser lynx.
>>
>> But the best solution would be to secure the exec call.
>
> How would I best secure the exec call?

What would the form input look like?

Mike Mackintosh
PHP, the drug of choice - www.highonphp.com
Re: [PHP] securing a script that exec()s
On Fri, Mar 30, 2012 at 3:16 PM, Peter Bauer wrote:

> On Fri, Mar 30, 2012 at 11:56:41AM +0200, rene7705 wrote:
>> ...
>> But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and $_SERVER['SERVER_ADDR'] is my internal IP.
>>
>> How would I best fix this?
>
> Simply log on your box via ssh (if it's a unix system) and run your script from console or with textmode browser lynx.
>
> But the best solution would be to secure the exec call.

How would I best secure the exec call?
Re: [PHP] securing a script that exec()s
On Fri, Mar 30, 2012 at 11:56:41AM +0200, rene7705 wrote:
> ...
> But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and $_SERVER['SERVER_ADDR'] is my internal IP.
>
> How would I best fix this?

Simply log on your box via ssh (if it's a unix system) and run your script from console or with textmode browser lynx.

But the best solution would be to secure the exec call.

--
Regards,
Peter Bauer
PHP developer
Re: [PHP] securing a script that exec()s
Find a way to do it using PHP's imagemagick extensions

http://php.net/manual/en/book.imagick.php

On Fri, Mar 30, 2012 at 5:56 AM, rene7705 wrote:
> Hi.
>
> I have a script that uses imagemagick's convert command on the command line to get its work done.
> These calls to exec('convert [params]') take params from the end-user via an html form, so it is very insecure.
>
> The intention is that the end-user only runs this script on localhost, from localhost.
>
> So now I'm checking $_SERVER['REMOTE_ADDR']===$_SERVER['SERVER_ADDR'] to see if I can allow the script to be used.
>
> But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and $_SERVER['SERVER_ADDR'] is my internal IP.
>
> How would I best fix this?
Re: [PHP] securing a script that exec()s
On 2012-03-30, at 5:56 AM, rene7705 wrote:
> Hi.
>
> I have a script that uses imagemagick's convert command on the command line to get its work done.
> These calls to exec('convert [params]') take params from the end-user via an html form, so it is very insecure.
>
> The intention is that the end-user only runs this script on localhost, from localhost.
>
> So now I'm checking $_SERVER['REMOTE_ADDR']===$_SERVER['SERVER_ADDR'] to see if I can allow the script to be used.
>
> But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and $_SERVER['SERVER_ADDR'] is my internal IP.
>
> How would I best fix this?

Validate the data?

Bastien Koert
[PHP] securing a script that exec()s
Hi.

I have a script that uses imagemagick's convert command on the command line to get its work done.
These calls to exec('convert [params]') take params from the end-user via an html form, so it is very insecure.

The intention is that the end-user only runs this script on localhost, from localhost.

So now I'm checking $_SERVER['REMOTE_ADDR']===$_SERVER['SERVER_ADDR'] to see if I can allow the script to be used.

But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and $_SERVER['SERVER_ADDR'] is my internal IP.

How would I best fix this?