Edit report at https://bugs.php.net/bug.php?id=60116&edit=1

 ID:                 60116
 Updated by:         lbarn...@php.net
 Reported by:        hirok...@php.net
 Summary:            escapeshellcmd() cannot escape the chars which
                     causes shell injection.
 Status:             Assigned
 Type:               Bug
 Package:            Filter related
 Operating System:   Ubuntu Linux
 PHP Version:        trunk-SVN-2011-10-23 (SVN)
 Assigned To:        hirokawa
 Block user comment: N
 Private report:     N

 New Comment:

The example at http://docs.php.net/manual/en/function.escapeshellcmd.php is 
wrong. It is enclosing an escaped argument in double quotes, but the 
escapeshellcmd function doesn't expect this.

As a result the second command in the example is unsafe.

IMO the second command in the example should be removed and replaced by a 
warning saying to use escapeshellarg instead (because escapeshellcmd doesn't 
escape spaces and an argument escaped by escapeshellcmd may be interpreted as 
multiple arguments by the shell).


Previous Comments:
------------------------------------------------------------------------
[2011-11-10 15:09:03] lbarn...@php.net

Hi,

It seems that you are not using escapeshellcmd() correctly, and that's why it's 
unsafe in the way you are using it.

You are enclosing escapeshellcmd's output in double quotes.

However escapeshellcmd() and escapeshellarg() do not work like 
mysql_real_escape_string() for example, and you must *not* enclose the string 
in quotes yourself. (The example in the documentation is wrong.)

When you don't do it, it's perfectly fine:

echo escapeshellcmd('foo" "bar');

Result: foo" "bar // the quotes don't allow injecting a command.

echo escapeshellcmd('foo"bar');

Result: foo\"bar // This time the quote is escaped since it's not paired. 
Again, injecting a command is not possible.

Also, I believe that escapeshell*arg*() should be used instead of 
escapeshell*cmd*() when escaping an argument:

$cmd = sprintf('grep %s /var/data/*', escapeshellarg($_GET['key']));

(escapeshellcmd() won't escape spaces and would allow injecting an additional 
argument; escapeshellarg() encloses the whole argument in single quotes and 
ensures that it's treated as a single argument)

------------------------------------------------------------------------
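The argument-splitting behaviour discussed in the two comments above, as an added example that is not part of the bug report or of PHP's documentation: for each escaping style it asks the shell how many arguments it parses from the result. It assumes a Unix-like host where shell_exec() is enabled; argc_seen_by_shell() is a hypothetical helper and the sample strings are constructed.

```php
<?php
// Added example; assumes a Unix-like host where shell_exec() runs /bin/sh.
// argc_seen_by_shell() is a hypothetical helper, not a PHP built-in.

// Ask the shell how many words it parses $fragment into. `set --` loads the
// words as positional parameters and `$#` reports their count; the words are
// never executed as a command.
function argc_seen_by_shell(string $fragment): int
{
    $out = shell_exec('set -- ' . $fragment . '; echo $#');
    return (int) trim((string) $out);
}

// Constructed sample inputs: benign values containing only a space or quotes.
$samples = ['alpha beta', 'foo" "bar', 'foo"bar'];

foreach ($samples as $key) {
    $variants = [
        // Pattern from the documentation example criticised in the comments:
        // escapeshellcmd() output wrapped in double quotes by the caller.
        'escapeshellcmd in "..."' => '"' . escapeshellcmd($key) . '"',
        // escapeshellcmd() output used directly as an argument: spaces are
        // not escaped, so the shell may see more than one argument.
        'escapeshellcmd bare'     => escapeshellcmd($key),
        // escapeshellarg() adds its own single quotes; do not add more.
        'escapeshellarg'          => escapeshellarg($key),
    ];

    foreach ($variants as $label => $fragment) {
        printf(
            "%-12s %-24s %-18s argc=%d\n",
            var_export($key, true),
            $label,
            $fragment,
            argc_seen_by_shell($fragment)
        );
    }
}
```

Any row where argc is greater than 1 means the value was not kept as a single argument; only the escapeshellarg() rows are expected to stay at 1 for every input.

------------------------------------------------------------------------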
[2011-11-10 14:19:09] hirok...@php.net

Automatic comment from SVN on behalf of hirokawa
Revision: http://svn.php.net/viewvc/?view=revision&revision=318996
Log: MFH: fixed bug #60116 (escapeshellcmd() cannot escape the characters which 
cause shell command injection).

------------------------------------------------------------------------
[2011-10-30 05:57:22] hirok...@php.net

Automatic comment from SVN on behalf of hirokawa
Revision: http://svn.php.net/viewvc/?view=revision&revision=318568
Log: added a test script for bug60116 and fixed behavior of ESCAPE_CMD_END.

------------------------------------------------------------------------
[2011-10-24 14:13:27] hirok...@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.



------------------------------------------------------------------------
[2011-10-23 15:08:28] tyr...@php.net

judging from http://svn.php.net/viewvc?view=revision&revision=318342 this can 
be closed, right?

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=60116


-- 
Edit this bug report at https://bugs.php.net/bug.php?id=60116&edit=1