1

Having worked with several APIs I found out that almost all of them use curl to demonstrate a sample auth./not-auth. request.

My question is:

How dangerous would it be to use shell_exec( % some curl string % ); on a server in a production environment to make requests?

What exactly are the additional risks associated with that?

The system that PHP "natively" uses for requests is curl package which provides some wrapper for curl functionality and probably results in pure curl after compilation.

However, it's cumbersome & quite wordy when you write it.

I did some tests and shell_exec appears to work fine.

For instance, the following code returns results completely as expected. the $json is formatted perfectly well.

$res = shell_exec('curl "https://www.zohoapis.com/crm/v2/settings/profiles" -H "Authorization: Zoho-oauthtoken 1000.8cb99dxxxxxxxxxxxxx9be93.9b8xxxxxxxxxxxxxxxf"');

$json = json_decode($res, true);

var_dump( $json, $res );

Considering that the actual action that happens deep on server should be completely identical, neither there's any significant difference in process (there's no user input involved anyway, the data used is the same, etc.) I don't see any possible negative effect or any additional risks that might be incurred by use of shell_exec.

On the other hand, potential benefits would be quite significant.

Improve this question
5
  • Yes, curl functions are available in PHP. Writing a "non-wordy" wrapper is pretty trivial. The shell workaround has more than just security implications. Commented Jul 3, 2019 at 19:03
  • @mario what are those implications for example? Commented Jul 3, 2019 at 19:05
  • 1
    Starts at least two new processes, for one. Then there's stdout/stderr handling. Other than that: escapeshellarg and the right /bin/sh setup to make it reliable. Commented Jul 3, 2019 at 19:06
  • @mario considering production server env., right /bin/sh & escaping will surely be there. Two other reasons are less clear for me. Could you explain which processes are started and what exactly would be the problem with stdout/stderr handling? Commented Jul 3, 2019 at 19:22
  • sh+curl are the two processes forked. shell_exec won't yield the errno, you need exec, or proc_open if you want stderr (without 2>&1 intermingling or -f) to recognize request failures. Commented Jul 3, 2019 at 23:28

1 Answer 1

Reset to default
1

That's quite some overhead (escapeshellarg, exec/proc_open) just to avoid a builtin API. There's quite a lot of CLI tools (ffmpeg, uno/soffice, …) you should prefer over quirky in-PHP implementations. Curl does not fall in that category.

If you don't want to use Guzzle or the more cross-languagey PHPRequests, then go for a simpler curl wrapper.

  • See e.g. yesterdays reddit post for a basic variant.

  • Or even curl().php, which I use/made:

    $res = curl($api_url)->httpheader(["Auth: …"])->exec();

See? Doesn't have to be obtuse. The class interface is merely just about avoiding the CURL_ prefixes and retaining existing function/option names. (Because, yes of course, the raw PHP curl API is awful.)

And you'll avoid hardcoding and repeating the auth key for different endpoints.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.