3

I have a script that calls a bash script that does some processing, but the script calls the bash script using user-inputted data.

I am wondering if there is a way to make sure the person (it's a file upload) doesn't append something like ;cd /;rm -rf * to the end of the file. Or anything else like that. Would normal MySQL injection methods work? Is there a better alternative?

5
  • Normal SQL injection won't stop this. Commented Jan 23, 2012 at 15:22
  • 1
    Write your own scripting language that only provides the functionality you need to expose. Commented Jan 23, 2012 at 15:22
  • What the F has mysql got to do with it??? Commented Jan 23, 2012 at 15:28
  • You don't let your PHP scripts run with root privileges, do you? Commented Jan 23, 2012 at 15:28
  • Don't pass user data on the command line, even if it's escaped. Use a bi-directional pipe to pass data to/from the external script. That completely eliminates any kind of shell injection vulnerability. Commented Jan 23, 2012 at 15:33

3 Answers

5

Being able to inject shell commands would be ... shell command injection, and neither file nor SQL injection. To secure against it, use escapeshellarg:

exec('bash bash-script ' . escapeshellarg($userInput));

1

Did you check escapeshellcmd() and escapeshellarg() or am I missing the point?


0

Securing this process is a two-way procedure:

  1. ensuring the input meets some criteria (especially on maximum types)
  2. ensuring the input cannot leak and change the process itself

Let's say I'm passing a number to a program...

$num = $_GET['num']; // get the input
$num = (int)$_GET['num']; // ensure it is an integer
$num = max($num, 0); // ensure it is at least 0
$num = min($num, 800); // ensure it is at most 800

$num = escapeshellarg($num); // this is overkill at this point, but you never know

exec('command '.$num);

As advised above, you can also have your own little language to do this but...

  1. it may still be vulnerable
  2. it may be overkill for a simple task
  3. it is just an advanced version of the filter system

Finally, there's another alternative. There are functions that accept the command and parameters as separate arguments, such as popen() (you can push command arguments through pipes). But this depends on implementation.
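
The pipe approach from the comments and the "command and parameters as separate arguments" alternative mentioned above, combined in one added example (not code from any of the answers). It assumes PHP 7.4 or later, where proc_open() accepts an array and starts the program without a shell; the function name runWithStdin and the temporary demo script are hypothetical.

```php
<?php
// Added example, not from the original thread. Requires PHP >= 7.4.

/**
 * Run a bash script with no intermediate shell and pass untrusted data
 * on stdin instead of the command line.
 * $scriptPath must be a fixed path chosen by the developer, never by the user.
 */
function runWithStdin(string $scriptPath, string $untrusted): array
{
    $descriptors = [
        0 => ['pipe', 'r'], // child's stdin: we write the user data here
        1 => ['pipe', 'w'], // child's stdout: we read the result here
    ];
    // Array form: bash is executed directly with this argv, so no
    // /bin/sh ever parses a command string containing user data.
    $proc = proc_open(['/bin/bash', $scriptPath], $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start process');
    }
    // Suitable for small inputs; large payloads need non-blocking I/O
    // to avoid filling the pipe while the child is writing output.
    fwrite($pipes[0], $untrusted);
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return [proc_close($proc), $stdout];
}

// Constructed demo script: reads one line and prints it back.
// It quotes "$name" and never uses eval; the receiving script still
// has to treat the data as data for this approach to hold.
$script = tempnam(sys_get_temp_dir(), 'demo');
$body = <<<'BASH'
IFS= read -r name
printf 'received: %s\n' "$name"
BASH;
file_put_contents($script, $body . "\n");

// Constructed input carrying shell metacharacters.
[$exit, $out] = runWithStdin($script, "upload.txt; echo INJECTED\n");
unlink($script);

echo "exit=$exit\n$out";
```

The metacharacters arrive in the script as part of the string and are echoed back verbatim, because nothing in the chain interprets them as shell syntax.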
