Hi Chris,
Thanks for your helpful input. Some follow-up from me:
csnyder wrote:
Allen Shaw wrote:
> Can anyone here comment on the wisdom of relying on
> escapeshellcmd() in a situation like this? ...
First, escapeshellarg() is more specific, and therefore *possibly*
safer. Rather than escaping the whole thing, just escape the user
input.
In my case, I'm passing multiple arguments, but I'm now regexing them
apart into separate arguments, so escapeshellarg() does work. For
forward compat with the wrapped shell script, I'm hoping to avoid
checking for valid arguments and instead just escaping each argument and
letting the shell script do its own checking.
Second, it would be MUCH safer to determine an acceptable range of
possibilities for the user input... In your case you want to pass
arbitrary strings, so validation becomes more difficult. You could
still validate the input so that it only contains printable ascii and
simple punctuation, no unprintable characters or newlines or any of
that.
Okay, good thought. For this I'll remove the first 32 non-printing ASCII
chars, and DEL:
<?php
// Strip ASCII control characters 0-31 and DEL. DEL is octal \177 (decimal 127);
// octal \127 would be decimal 87, i.e. the letter 'W'.
$user_input = preg_replace('/[\000-\037\177]/', '', $user_input);
?>
If I'm thinking straight, the above will strip most obviously useless
chars but still allow lots of chars (e.g. i18n stuff) that I'll never be
able to whitelist.
Thanks again for your input.
- Allen
--
Allen Shaw, UPF Data Services
[email protected] | 914.826.4622 | http://www.upf.org
--
Allen Shaw
slidePresenter (http://slides.sourceforge.net)
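Putting the two pieces of advice in this thread together (strip control characters, then split the input and escapeshellarg() each argument on its own) as an added example that is not part of the original messages; the wrapper script path is a hypothetical placeholder:

```php
<?php
// Added example, not code from the thread. Sanitise free-form user input
// before handing it to a wrapped shell script as separate arguments.
// Assumes a hypothetical wrapper at /usr/local/bin/wrapped.sh.

// Remove ASCII control characters 0-31 and DEL (127). Note the octal
// escapes: DEL is \177; \127 would be octal 127 = decimal 87 = 'W'.
function strip_control_chars(string $s): string
{
    return preg_replace('/[\000-\037\177]/', '', $s);
}

// Split on whitespace into separate arguments and escape each one with
// escapeshellarg(), so the shell receives every argument as a single
// quoted literal and performs no metacharacter expansion on it.
function build_command(string $script, string $user_input): string
{
    $clean   = strip_control_chars($user_input);
    $args    = preg_split('/\s+/', trim($clean), -1, PREG_SPLIT_NO_EMPTY);
    $escaped = array_map('escapeshellarg', $args);
    return $script . ' ' . implode(' ', $escaped);
}

// Constructed sample input: the newline and DEL are stripped, while the
// ';' and '$' survive but end up inside single quotes, so they reach the
// wrapped script as plain characters rather than shell syntax.
$input = "report Wed;\n\$HOME\x7f";
echo build_command('/usr/local/bin/wrapped.sh', $input), PHP_EOL;
```

The control-character strip runs before the split, so an embedded newline cannot start a second command line, and each surviving token is quoted independently.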
_______________________________________________
New York PHP User Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/show_participation.php