|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2011-10-23 11:16 UTC] hirokawa@php.net
Description: ------------ escapeshellcmd() escapes " and ' only if it isn't paired (it is documented in the PHP manual). For the test script to look for some keyword in the files of the specified directory (/var/data/), the double quotation in the user input as shown below cannot be escaped because it is paired (it is found by Mr. Tokumaru). $_GET['key'] = ':" "/etc/passwd'; The command line will be, grep ":" "/etc/passwd" /var/data/* The content of arbitrary file such as /etc/passwd will be shown. The attached patch (made by Mr. Ohgaki, slightly modified be me) will add an option flag for escapeshellcmd(). The recommended code to escape the quotation in this case will be, $key = escapeshellcmd($_GET['key'], ESCAPE_CMD_ALL); output: grep ":\" \"/etc/passwd" /var/data/* The option flag has the three different value. There is no backward incompatibility because the default behavior (ESCAPE_CMD_PAIR) is unchanged. ESCAPE_CMD_PAIR : escape if it is not paired (default) ESCAPE_CMD_END : escape except for end/beginning of the string ESCAPE_CMD_ALL : escape without exception (recommended) In Windows, the quotation is always escaped, but, in other environment, it is only escaped if it is not paired. It is highly recommended to apply this patch to prevent the possible shell command injection attack. Test script: --------------- <?php $_GET['key'] = ':" "/etc/passwd'; // sample input $key = escapeshellcmd($_GET['key']); $cmd = "grep \"$key\" /var/data/*"; echo $cmd,PHP_EOL; system($cmd); ?> Expected result: ---------------- grep ":\" \"/etc/passwd" /var/data/* Actual result: -------------- grep ":" "/etc/passwd" /var/data/* [content of /etc/passwd] Patchesphp-escape.patch (last revision 2011-10-23 11:17 UTC by hirokawa@php.net)Pull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Mon Nov 17 05:00:01 2025 UTC |
Hi, It seems that you are not using escapeshellcmd() correctly, and that's why it's unsafe in the way you are using it. You are enclosing escapeshellcmd's output in double quotes. However escapeshellcmd() and escapeshellarg() do not work like mysql_real_escape_string() for example, and you must *not* enclose the string in quotes yourself. (The example in the documentation is wrong.) When you don't do it it's perfectly fine: echo escapeshellcmd('foo" "bar'); Result: foo" "bar // the quotes don't allow to inject a command. echo escapeshellcmd('foo"bar') Result: foo\"bar // This time the quote is escaped since it's not paired. Again, injecting a command is not possible. Also, I believe that escapeshell*arg*() should be used instead or escapeshell*cmd*() when escaping an argument: $cmd = sprintf('grep %s /var/data/*', escapeshellarg($_GET['key'])); (escapeshellcmd() won't escape spaces and would allow to inject an additional argument; escapeshellarg() encloses the whole argument in single quotes and ensures that it's treated as a single argument)@hirokawa you've assigned the bug to me, but I don't feel confident enough about my english to update the docs myself. The example could be something like this: <?php $e = escapeshellcmd($userinput); system("echo $e"); ?> And a warning may be added: The returned string may be interpreted as multiple arguments by the shell. Use escapeshellarg() for escaping arguments.