On Fri, Jan 2, 2009 at 12:05 PM, Allen Shaw <[email protected]> wrote:

> Can anyone here comment on the wisdom of relying on escapeshellcmd() in a
> situation like this?  For example:
> <?
>   $script_path = '/path/to/shell/script';
>   shell_exec(escapeshellcmd("$script_path {$_POST['user_input']}"));
> ?>
>
> It looks right to me, and I've confirmed that it "works," but I can't test
> to confirm it's "safe."  I'd appreciate it if someone more experienced could
> tell me if this is just a Bad Idea.
>

First, escapeshellarg() is more specific, and therefore *possibly*
safer. Rather than escaping the whole thing, just escape the user
input.

Second, it would be MUCH safer to determine an acceptable range of
possibilities for the user input, or a pattern (regex or otherwise)
that it should match before being passed to the shell. In other words,
validate the input first, and then filter it when you pass it to the
shell.

In your case you want to pass arbitrary strings, so validation becomes
more difficult. You could still validate the input so that it only
contains printable ASCII and simple punctuation, no unprintable
characters or newlines or any of that.
_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

http://www.nyphp.org/show_participation.php
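
The validate-then-escape approach described in the reply above, as an added example that is not code from the thread. The function names, the length limit and the rule rejecting a leading "-" are assumptions; the script path is the placeholder from the original question.

```php
<?php
// Added example, not code from the thread. The script path is the
// placeholder from the original question; function names are hypothetical.

const SCRIPT_PATH = '/path/to/shell/script';

/**
 * Validate: printable ASCII only (space through tilde), bounded length,
 * so no newlines, NUL bytes or other control characters reach the shell.
 * Returns the string unchanged, or null when it must be rejected.
 */
function validate_user_input($raw, int $maxLen = 200): ?string
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > $maxLen) {
        return null;
    }
    // \A and \z anchor the whole string; "$" would allow a trailing newline.
    if (preg_match('/\A[\x20-\x7E]+\z/', $raw) !== 1) {
        return null;
    }
    // Assumption: the script takes the value as a positional argument,
    // so a leading "-" (which it could parse as an option) is rejected.
    if ($raw[0] === '-') {
        return null;
    }
    return $raw;
}

/** Build the command line: fixed script path, one quoted argument. */
function build_command(string $validated): string
{
    return SCRIPT_PATH . ' ' . escapeshellarg($validated);
}

// Constructed sample inputs.
$samples = ['hello world', "two\nlines", '--help', 'a; b | c', "it's fine"];

foreach ($samples as $s) {
    $ok = validate_user_input($s);
    echo json_encode($s), ' => ',
        $ok === null ? 'REJECTED' : build_command($ok), PHP_EOL;
}

// Contrast: escapeshellcmd() on the whole string leaves spaces alone,
// so one input still reaches the script as several arguments.
echo escapeshellcmd(SCRIPT_PATH . ' hello world'), PHP_EOL;
```

The command string is only printed here; in real use the result of build_command() is what would be handed to shell_exec().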
