
Occasionally, I use exec(), shell_exec(), and curl_exec(). Below are typical uses. Assume that where ever I have a PHP variable in them (i.e. $html in the first one), there is a chance that the user has the ability to modify its content.

What should I be concerned about from a security vulnerability perspective? Is escapeshellcmd() and escapeshellarg() the answer, and if so where should it be used?

$cmd='echo "html + '.$html.'" | htmldoc --format pdf > '.$filename;
$cmd='/usr/bin/convert '.$docs.' '.$filename;
$cmd='HOME='.$dir.'; /usr/bin/libreoffice3.5 --headless -convert-to pdf --outdir '.$dir.' '.$file_org;
$cmd='wget -O '.$file_org.' "'.$url.'"';
$cmd='/opt/wkhtmltopdf/bin/wkhtmltopdf "'.$url.'" '.$paramaters;
$cmd='/usr/bin/php -q '.$worker.' '.$session_id.' >/dev/null &';
exec($cmd);

$cmd='sendfax -n -m -w -i '.$id.' -o JohnDoe -D -S "[email protected]" -s "us-leg" -f "'.$from.'" -d "'.$to.'" '.$doc_list;
$cmd = "faxstat -s | grep \"^$jid \"";
$output = shell_exec($cmd);

$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_USERAGENT, $_GET['user_agent'] ? $_GET['user_agent'] : $_SERVER['HTTP_USER_AGENT'] );
curl_setopt($ch,CURLOPT_POSTFIELDS,array('aaa'=>$aaa,'bbb'=>$bbb));
$result = curl_exec($ch);
  • Name temporary files in PHP code, do not allow the user to name the files, do not use wget to pull a file, use libcurl. Commented Dec 1, 2012 at 15:11
  • Use libcurl instead of wget? Commented Dec 1, 2012 at 15:13
  • I wonder what happens if a user makes $html to be "; rm -rf /; echo "foo". Commented Dec 1, 2012 at 15:13
  • @user1032531 What do you wonder about? You can't download a file using curl? Commented Dec 1, 2012 at 15:26
  • @JonasWielicki. I tried the following, and the directory wasn't created. $cmd="echo \"<h1>Hello; mkdir /tmp/testing /; echo \"foo\"</h1>\" | htmldoc --format pdf > /tmp/new.pdf" Commented Dec 1, 2012 at 15:29

1 Answer


If you don’t validate and/or escape the input values properly, anyone can execute arbitrary commands on your system on behalf of the user that runs PHP.

For command arguments, there is escapeshellarg. Make sure you escape the whole argument value, e.g.:

$cmd='echo '.escapeshellarg('html + '.$html).' | htmldoc --format pdf > '.escapeshellarg($filename);
$cmd='/usr/bin/convert '.escapeshellarg($docs).' '.escapeshellarg($filename);
// […]
$cmd='sendfax -n -m -w -i '.escapeshellarg($id).' -o JohnDoe -D -S "[email protected]" -s "us-leg" -f '.escapeshellarg($from).' -d '.escapeshellarg($to).' '.escapeshellarg($doc_list);

3 Comments

Thanks Gumbo. Would escapeshellcmd() be used to escape something like "echo" or "sendfax" (assuming they were variables, and why one would do this I have no idea)? Does this apply to all three exec(), shell_exec(), and curl_exec()?
Also you should be aware that, if the user can control the filename, he can possibly just overwrite some of your scripts or everything else which is writable by the PHP user.
@user1032531 The manual page lists only exec, system, and the backtick operator. And since shell_exec is identical to the backtick operator, it’s safe to use it for that function too. But curl_exec is different from these as it does not execute system commands. It should be safe the way you use it.
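An added example, not code from the question or the answer, showing the answer's advice applied to two of the command lines above: every user-controlled value goes through escapeshellarg(), the output file name is generated server-side (the overwrite concern raised in the comments), and a document list is escaped one entry at a time so that several documents stay several arguments. The helper names, the `$docs` array in place of the original `$doc_list` string, and the sample input are assumptions.

```php
<?php
// Added example: building the htmldoc and sendfax commands from the answer with
// escapeshellarg() on every untrusted value. Helper names are hypothetical.

/**
 * $html is untrusted. The PDF path is chosen here, inside a fixed directory,
 * so the caller never controls where the output file is written.
 * Returns [command string, generated output path].
 */
function buildHtmldocCommand(string $html, string $outputDir): array
{
    // Server-generated name: no user input reaches the file system path.
    $filename = rtrim($outputDir, '/') . '/' . bin2hex(random_bytes(16)) . '.pdf';

    // escapeshellarg() wraps the whole value in single quotes and escapes any
    // embedded single quote, so ; " | > inside $html are passed to echo as text.
    $cmd = 'echo ' . escapeshellarg('html + ' . $html)
         . ' | htmldoc --format pdf > ' . escapeshellarg($filename);

    return [$cmd, $filename];
}

/**
 * $docs is assumed to be an array of document paths (the question used a
 * single $doc_list string). Escaping the joined string as one value would
 * hand sendfax one argument; escaping per entry keeps one argument per file.
 */
function buildSendfaxCommand(string $id, string $from, string $to, array $docs): string
{
    $cmd = 'sendfax -n -m -w -i ' . escapeshellarg($id)
         . ' -o JohnDoe -D -S "[email protected]" -s "us-leg"'
         . ' -f ' . escapeshellarg($from)
         . ' -d ' . escapeshellarg($to);

    foreach ($docs as $doc) {
        $cmd .= ' ' . escapeshellarg($doc);
    }
    return $cmd;
}

// Constructed sample input containing a single quote and a semicolon.
$untrustedHtml = "<h1>It's done</h1>; echo not-a-command";
[$cmd, $pdf] = buildHtmldocCommand($untrustedHtml, '/tmp/pdfout');
echo $cmd, PHP_EOL;
// The quoted argument begins and ends with a single quote; the ; stays inside it.

echo buildSendfaxCommand('42', 'Alice', '+15555550100', ['a.ps', 'b.ps']), PHP_EOL;
```

escapeshellarg() only protects argument values: the program names, fixed options and redirections in the command string must remain literals chosen in your code, as the answer's examples already do.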
