|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #47694 escapeshellcmd() considered harmful?
Submitted: 2009-03-17 16:57 UTC Modified: 2015-02-03 06:57 UTC
Avg. Score:5.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: hao at hrz dot tu-chemnitz dot de Assigned: yohgaki (profile)
Status: Closed Package: Program Execution
PHP Version: 5.2.9 OS: *
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: hao at hrz dot tu-chemnitz dot de
New email:
PHP Version: OS:


 [2009-03-17 16:57 UTC] hao at hrz dot tu-chemnitz dot de
Using escapeshellcmd() alone without any additional filtering is not safe at all. Special care has to be taken for parameter handling and the use of ' and ".

I would strongly recommend to drop this function and/or discourage its use in the documentation. In 2000 there was a bug report #3519 about this. But there is still no warning whatsoever anywhere.

Now to the details. I'll point out a few security risks in examples given in the documentation and the documentation comments.


$e = escapeshellcmd($userinput);
// here we don't care if $e has spaces
system("echo $e");

Here you can still pass parameters to echo. E.g. a $userinput of '-n blah' will not output what you expected. This might not be a big deal with echo, but it definitely is with other programs.


$f = escapeshellcmd($filename);
// and here we do, so we use quotes
system("touch \"/tmp/$f\"; ls -l \"/tmp/$f\"");

Note that paired quotes are not escaped by escapeshellcmd(). So given a $filename like '" ".htaccess' will create more than one file, in any directory you want. With '" -R "/' you might even start a full recursive directory listing.

#3 (from davidwhthomas)

$result = exec(escapeshellcmd("tar -xvvf /path/to/$uploadedfile -C /path/to/extract/to/"));

With this little exec it might be possible to put any file anywhere on the filesystem (restricted by user rights of course) by adding the '-P' parameter.
A attack might work as follows:
Upload two files 'up.tar' and 'up.tar -P' simultaneously where up.tar contains the file and path with a leading slash. Quoting the filename does not fix the problem, see #2.

So whats the point in having escapeshellcmd(), when there is a escapeshellarg() function? Is there any legitimate use case for escapeshellcmd()?
As i said before, I would strongly recommend to drop this function and/or discourage its use in the documentation. Additionally i would add ' --' in the documentation example for escapeshellarg():

<?php system('ls -- '.escapeshellarg($dir)); ?>

instead of 

<?php system('ls '.escapeshellarg($dir)); ?>

to give interested users a hint for possible security risks.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2011-04-08 20:34 UTC]
-Package: Feature/Change Request +Package: Program Execution
 [2015-02-03 06:57 UTC]
-Status: Open +Status: Closed -Type: Feature/Change Request +Type: Documentation Problem -Assigned To: +Assigned To: yohgaki
 [2015-02-03 06:57 UTC]
Yes, it is. escapeshellcmd() is only good for supporting programmers, not for _external_ inputs.

This should be documented clearly and it is now.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Jun 21 04:01:30 2024 UTC