From: hirokawa Operating system: Ubuntu Linux PHP version: trunk-SVN-2011-10-23 (SVN) Package: Filter related Bug Type: Bug Bug description:escapeshellcmd() cannot escape the chars which causes shell injection.
Description: ------------ escapeshellcmd() escapes " and ' only if it isn't paired (it is documented in the PHP manual). For the test script to look for some keyword in the files of the specified directory (/var/data/), the double quotation in the user input as shown below cannot be escaped because it is paired (it is found by Mr. Tokumaru). $_GET['key'] = ':" "/etc/passwd'; The command line will be, grep ":" "/etc/passwd" /var/data/* The content of arbitrary file such as /etc/passwd will be shown. The attached patch (made by Mr. Ohgaki, slightly modified be me) will add an option flag for escapeshellcmd(). The recommended code to escape the quotation in this case will be, $key = escapeshellcmd($_GET['key'], ESCAPE_CMD_ALL); output: grep ":\" \"/etc/passwd" /var/data/* The option flag has the three different value. There is no backward incompatibility because the default behavior (ESCAPE_CMD_PAIR) is unchanged. ESCAPE_CMD_PAIR : escape if it is not paired (default) ESCAPE_CMD_END : escape except for end/beginning of the string ESCAPE_CMD_ALL : escape without exception (recommended) In Windows, the quotation is always escaped, but, in other environment, it is only escaped if it is not paired. It is highly recommended to apply this patch to prevent the possible shell command injection attack. Test script: --------------- <?php $_GET['key'] = ':" "/etc/passwd'; // sample input $key = escapeshellcmd($_GET['key']); $cmd = "grep \"$key\" /var/data/*"; echo $cmd,PHP_EOL; system($cmd); ?> Expected result: ---------------- grep ":\" \"/etc/passwd" /var/data/* Actual result: -------------- grep ":" "/etc/passwd" /var/data/* [content of /etc/passwd] -- Edit bug report at https://bugs.php.net/bug.php?id=60116&edit=1 -- Try a snapshot (PHP 5.4): https://bugs.php.net/fix.php?id=60116&r=trysnapshot54 Try a snapshot (PHP 5.3): https://bugs.php.net/fix.php?id=60116&r=trysnapshot53 Try a snapshot (trunk): https://bugs.php.net/fix.php?id=60116&r=trysnapshottrunk Fixed in SVN: https://bugs.php.net/fix.php?id=60116&r=fixed Fixed in SVN and need be documented: https://bugs.php.net/fix.php?id=60116&r=needdocs Fixed in release: https://bugs.php.net/fix.php?id=60116&r=alreadyfixed Need backtrace: https://bugs.php.net/fix.php?id=60116&r=needtrace Need Reproduce Script: https://bugs.php.net/fix.php?id=60116&r=needscript Try newer version: https://bugs.php.net/fix.php?id=60116&r=oldversion Not developer issue: https://bugs.php.net/fix.php?id=60116&r=support Expected behavior: https://bugs.php.net/fix.php?id=60116&r=notwrong Not enough info: https://bugs.php.net/fix.php?id=60116&r=notenoughinfo Submitted twice: https://bugs.php.net/fix.php?id=60116&r=submittedtwice register_globals: https://bugs.php.net/fix.php?id=60116&r=globals PHP 4 support discontinued: https://bugs.php.net/fix.php?id=60116&r=php4 Daylight Savings: https://bugs.php.net/fix.php?id=60116&r=dst IIS Stability: https://bugs.php.net/fix.php?id=60116&r=isapi Install GNU Sed: https://bugs.php.net/fix.php?id=60116&r=gnused Floating point limitations: https://bugs.php.net/fix.php?id=60116&r=float No Zend Extensions: https://bugs.php.net/fix.php?id=60116&r=nozend MySQL Configuration Error: https://bugs.php.net/fix.php?id=60116&r=mysqlcfg
