Bug #60116 [Opn]: escapeshellcmd() cannot escape the chars which causes shell injection.

Sun, 23 Oct 2011 08:08:49 -0700 

Edit report at https://bugs.php.net/bug.php?id=60116&edit=1

 ID:                 60116
 Updated by:         tyr...@php.net
 Reported by:        hirok...@php.net
 Summary:            escapeshellcmd() cannot escape the chars which
                     causes shell injection.
 Status:             Open
 Type:               Bug
 Package:            Filter related
 Operating System:   Ubuntu Linux
 PHP Version:        trunk-SVN-2011-10-23 (SVN)
-Assigned To:        
+Assigned To:        hirokawa
 Block user comment: N
 Private report:     N

 New Comment:

judging from http://svn.php.net/viewvc?view=revision&revision=318342 this can 
be 
closed, right?


Previous Comments:
------------------------------------------------------------------------
[2011-10-23 13:49:52] hirok...@php.net

Automatic comment from SVN on behalf of hirokawa
Revision: http://svn.php.net/viewvc/?view=revision&revision=318342
Log: fixed bug #60116 escapeshellcmd() cannot escape the dangerous quotes.

------------------------------------------------------------------------
[2011-10-23 11:17:25] hirok...@php.net

The following patch has been added/updated:

Patch Name: php-escape.patch
Revision:   1319368645
URL:        
https://bugs.php.net/patch-display.php?bug=60116&patch=php-escape.patch&revision=1319368645

------------------------------------------------------------------------
[2011-10-23 11:16:45] hirok...@php.net

Description:
------------
escapeshellcmd() escapes " and ' only if it isn't paired (it is documented in 
the PHP manual). 

For the test script to look for some keyword in the files of the specified 
directory (/var/data/), the double quotation in the user input as shown below 
cannot be escaped because it is paired (it is found by Mr. Tokumaru).

$_GET['key'] = ':" "/etc/passwd';

The command line will be,

grep ":" "/etc/passwd" /var/data/*

The content of arbitrary file such as /etc/passwd will be shown.

The attached patch (made by Mr. Ohgaki, slightly modified be me) will add an 
option flag for escapeshellcmd().
The recommended code to escape the quotation in this case will be,

$key = escapeshellcmd($_GET['key'], ESCAPE_CMD_ALL);

output: grep ":\" \"/etc/passwd" /var/data/*

The option flag has the three different value.
There is no backward incompatibility because the default behavior 
(ESCAPE_CMD_PAIR) is unchanged.

ESCAPE_CMD_PAIR : escape if it is not paired (default)
ESCAPE_CMD_END  : escape except for end/beginning of the string
ESCAPE_CMD_ALL  : escape without exception (recommended)

In Windows, the quotation is always escaped, but, in other environment,
it is only escaped if it is not paired.

It is highly recommended to apply this patch to prevent the possible shell 
command injection attack.









Test script:
---------------
<?php
$_GET['key'] = ':" "/etc/passwd'; // sample input
$key = escapeshellcmd($_GET['key']);
$cmd = "grep \"$key\" /var/data/*";
echo $cmd,PHP_EOL;
system($cmd);
?>

Expected result:
----------------
grep ":\" \"/etc/passwd" /var/data/*


Actual result:
--------------
grep ":" "/etc/passwd" /var/data/*
[content of /etc/passwd]




------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=60116&edit=1

Reply via email to