Best way to sanitize exec command with user inserted variables

时光怂恿深爱的人放手 提交于 2020-01-20 03:08:45

问题


I'm coding a web interface to a horrible piece of propitiatory software our company uses. The software has no real UI and requires us giving putty access to our system for our clients to even pull data. My web interface has to run an exec(); function and it has to pass a few variables the user inputs.

$command = "report-call '$type' '$study' '$server' '$tag' '$specopt1' '$specopt2' '$specopt3' '$specopt4'";
$last_line = exec($command, $output, $returnvalue); 

Now I assume I might be able to just remove any semicolons from the $command varible and be safe, but I'm not sure and that's why I'm posing this here before we go live next month.

What would be the best way to sanitize $command? There are a few special chars that I do need to be in the variables [ ] < > ! # $ .


回答1:


Use the function that PHP has for this purpose:

$cmd = 
     "/usr/bin/do-something " . 
     escapeshellarg($arg1) . 
     ' ' . 
     escapeshellarg($arg2);

You can also use escapeshellcmd()

What's the difference?

escapeshellarg() ONLY adds ' around the string and then \ before any other ' characters. http://www.php.net/escapeshellarg

escapeshellcmd() escapes all shell-sensitive characters ($, \, etc..) but does not add quotes. http://www.php.net/manual/en/function.escapeshellcmd.php

The gotcha is in the case that you use escapeshellarg() as PART OF A QUOTED parameter. Then it is rendered useless (actually adding quotes to the mix).

Generally speaking, we prefer to use escapeshellcmd() with our own quotes added.

$cmd = 
    "/usr/bin/do-something '" . 
    escapeshellcmd($arg1) . 
    "' '" . 
    escapeshellcmd($arg2) . 
    "'";

Be safe!



来源:https://stackoverflow.com/questions/982904/best-way-to-sanitize-exec-command-with-user-inserted-variables

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!