Escapeshellcmd warning

A warning appears on the PHP documentation page for escapeshellcmd():

escapeshellcmd() should be used on the whole command string, and it still allows the attacker to pass an arbitrary number of arguments. For escaping a single argument, escapeshellarg() should be used instead.

What should I understand from this:

  • Should I always escape the entire command line with escapeshellcmd, including arguments that have already been escaped with escapeshellarg?
  • Should I only escape the parts of the command that are not arguments (the only logical thing to do, if you ask me)?
  • Should I just ignore this dubious warning, which creates even more confusion about how these two functions complement each other?

Thanks, Cosmin

+5
3 answers

In short

  • escapeshellarg: used to enclose an argument in single quotes; it also escapes any single quotes inside the argument.
  • escapeshellcmd: used to escape shell metacharacters, i.e. <, >, | etc.

Assuming your PHP version relies on bash to execute the command, we know from the bash manual:

. , .

, :

$c = escapeshellcmd( $cmd ) . ' ' . escapeshellarg( $arg1 );

, $c : exec, system, passthru .. , . :

$cmd = 'echo';
$arg = 'TEST\0ING'; // Since we are using single quotes, \0 shouldn't be evaluated as a null byte char
$c = escapeshellcmd( $cmd ) . ' ' . escapeshellarg( $arg ); // echo 'TEST\0ING'
exec( $c . ' > output.txt'); // writes TEST without the ING to output.txt

exec '\0' , output.txt '\0'. Ubuntu PHP 5.4.6. , , . , escapeshellcmd , '\', :

$c = escapeshellcmd( $cmd . ' ' . escapeshellarg( $arg ) ); // the backslash is now escaped as well
exec( $c . ' > output.txt'); // writes TEST\0ING to output.txt

, ($ cmd), .

, escapeshellcmd . ' > output.txt' , ' > ' .

:

  • . . , , .

  • , , -.

  • , escapeshellcmd .

+6

, escapeshellcmd .

escapeshellcmd() , .

escapeshellarg , .

escapeshellarg() / , .

, escapeshellarg , , ( ) , , ( , ) .

: .

EDIT:

, . , , -

actualArg -someEvilFlag

actualArg -someEvilFlag evilFlagArgument
+2
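As an added example (not code from the question or from any of the answers), the block below shows how the two functions transform the same value, and a small builder that applies escapeshellcmd() to the program name and escapeshellarg() to each argument, inserting "--" so that a value beginning with "-" (the -someEvilFlag case in the answer above) is treated as an operand rather than an option. The function name build_command is chosen here, the "--" convention assumes a getopt-style program, and the quoting shown assumes Linux, where escapeshellarg() uses single quotes.

```php
<?php
// Added example; not part of the question or the answers.
// Division of labour described on this page:
//   escapeshellcmd()  neutralises shell metacharacters in a command string
//   escapeshellarg()  turns one value into exactly one quoted argument

$value = "it's <here> | there";

// Metacharacters and the unpaired quote get a backslash, but the result
// is still several shell words:  it\'s \<here\> \| there
$asCommand = escapeshellcmd($value);

// The whole value becomes a single argument:  'it'\''s <here> | there'
$asArgument = escapeshellarg($value);

/**
 * Build a command line from a fixed program and untrusted argument values.
 * Program name -> escapeshellcmd(); each argument -> escapeshellarg().
 * With $endOptions, "--" is placed before the arguments so a value that
 * starts with "-" cannot be parsed as an option by the called program.
 * Assumption: the program follows the getopt convention for "--"
 * (GNU coreutils do); verify this for the tool you actually invoke.
 */
function build_command(string $program, array $args, bool $endOptions = true): string
{
    $parts = [escapeshellcmd($program)];
    if ($endOptions && $args !== []) {
        $parts[] = '--';
    }
    foreach ($args as $arg) {
        $parts[] = escapeshellarg((string) $arg);
    }
    return implode(' ', $parts);
}

// Untrusted values that look like options (constructed sample input):
$cmd = build_command('ls', ['actualArg', '-someEvilFlag']);
// ls -- 'actualArg' '-someEvilFlag'
// Both values reach ls as two operands (file names); neither is a flag.

// The page's \0 case: escapeshellarg() leaves the backslash untouched inside
// the single quotes. Whether echo then interprets \0 is decided by the
// shell's echo that exec() runs via /bin/sh, not by PHP.
$echoCmd = build_command('echo', ['TEST\0ING'], false); // echo 'TEST\0ING'
```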

escapeshellarg escapeshellcmd?, .

, , , escapeshellcmd, , . " " .

+1
