Edit report at https://bugs.php.net/bug.php?id=60116&edit=1

ID:                 60116
Updated by:         lbarn...@php.net
Reported by:        hirok...@php.net
Summary:            escapeshellcmd() cannot escape the chars which causes shell injection.
-Status:            To be documented
+Status:            Open
Type:               Bug
Package:            Filter related
Operating System:   Ubuntu Linux
PHP Version:        trunk-SVN-2011-10-23 (SVN)
Assigned To:        hirokawa
Block user comment: N
Private report:     N

New Comment:

Hi,

It seems that you are not using escapeshellcmd() correctly, and that's why it's unsafe in the way you are using it.

You are enclosing escapeshellcmd's output in double quotes. However escapeshellcmd() and escapeshellarg() do not work like mysql_real_escape_string() for example, and you must *not* enclose the string in quotes yourself. (The example in the documentation is wrong.)

When you don't do it it's perfectly fine:

    echo escapeshellcmd('foo" "bar');
    Result: foo" "bar // the quotes don't allow to inject a command.

    echo escapeshellcmd('foo"bar');
    Result: foo\"bar // This time the quote is escaped since it's not paired. Again, injecting a command is not possible.

Also, I believe that escapeshell*arg*() should be used instead of escapeshell*cmd*() when escaping an argument:

    $cmd = sprintf('grep %s /var/data/*', escapeshellarg($_GET['key']));

(escapeshellcmd() won't escape spaces and would allow to inject an additional argument; escapeshellarg() encloses the whole argument in single quotes and ensures that it's treated as a single argument)

Previous Comments:
------------------------------------------------------------------------
[2011-11-10 14:19:09] hirok...@php.net

Automatic comment from SVN on behalf of hirokawa
Revision: http://svn.php.net/viewvc/?view=revision&revision=318996
Log: MFH: fixed bug #60116 (escapeshellcmd() cannot escape the characters which cause shell command injection).

------------------------------------------------------------------------
[2011-10-30 05:57:22] hirok...@php.net

Automatic comment from SVN on behalf of hirokawa
Revision: http://svn.php.net/viewvc/?view=revision&revision=318568
Log: added a test script for bug60116 and fixed behavior of ESCAPE_CMD_END.

------------------------------------------------------------------------
[2011-10-24 14:13:27] hirok...@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

------------------------------------------------------------------------
[2011-10-23 15:08:28] tyr...@php.net

judging from http://svn.php.net/viewvc?view=revision&revision=318342 this can be closed, right?

------------------------------------------------------------------------
[2011-10-23 13:49:52] hirok...@php.net

Automatic comment from SVN on behalf of hirokawa
Revision: http://svn.php.net/viewvc/?view=revision&revision=318342
Log: fixed bug #60116 escapeshellcmd() cannot escape the dangerous quotes.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=60116
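
The difference described in the new comment above, as an added example that is not part of the bug report or of PHP's own code: it asks the shell how many words it receives for each quoting pattern. It assumes PHP 7.4 or later and a POSIX /bin/sh behind exec(); the helper name and the sample values are constructed for illustration.

```php
<?php
// Added example (not from the bug report). Assumes a POSIX /bin/sh behind exec().

// Returns the words the shell passes on for $argText: printf reuses its
// format for every argument, so each output line is one argv entry.
function words_seen_by_shell(string $argText): array
{
    $lines = [];
    exec("printf '[%s]\\n' " . $argText, $lines);
    return $lines;
}

// Three ways of placing an untrusted value on a command line.
$patterns = [
    // Pattern the comment warns against: the caller adds its own double quotes.
    'escapeshellcmd + own quotes' => fn(string $v): string => '"' . escapeshellcmd($v) . '"',
    // escapeshellcmd() alone: metacharacters escaped, spaces left as they are.
    'escapeshellcmd alone' => fn(string $v): string => escapeshellcmd($v),
    // escapeshellarg(): the whole value is wrapped in single quotes.
    'escapeshellarg' => fn(string $v): string => escapeshellarg($v),
];

// Constructed sample values standing in for $_GET['key'].
$samples = ['needle', 'foo" "bar', 'foo"bar', 'needle other.txt'];

foreach ($samples as $value) {
    echo "input: $value\n";
    foreach ($patterns as $name => $quote) {
        $argText = $quote($value);
        $words = words_seen_by_shell($argText);
        printf(
            "  %-28s %-24s -> %d word(s): %s\n",
            $name,
            $argText,
            count($words),
            implode(' ', $words)
        );
    }
}
```

A pattern is safe for passing one argument only if every sample comes back as exactly one word equal to the input.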