Edit report at https://bugs.php.net/bug.php?id=60116&edit=1

 ID:                 60116
 Updated by:         hirok...@php.net
 Reported by:        hirok...@php.net
 Summary:            escapeshellcmd() cannot escape the chars which
                     cause shell injection.
-Status:             Bogus
+Status:             Closed
 Type:               Bug
 Package:            Filter related
 Operating System:   Ubuntu Linux
 PHP Version:        trunk-SVN-2011-10-23 (SVN)
 Assigned To:        hirokawa
 Block user comment: N
 Private report:     N



Previous Comments:
------------------------------------------------------------------------
[2011-11-11 15:06:10] hirok...@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php



------------------------------------------------------------------------
[2011-11-11 14:52:48] hirok...@php.net

Automatic comment from SVN on behalf of hirokawa
Revision: http://svn.php.net/viewvc/?view=revision&revision=319057
Log: revert changes to fix bug #60116.

------------------------------------------------------------------------
[2011-11-11 09:53:49] lbarn...@php.net

> The default behavior, which does not escape paired quotes, is still dangerous even 
> if single quotes are used.

Yes, I was speaking of both single quotes and double quotes: don't enclose the 
escaped string in quotes at all :)

This is a bit puzzling because all escaping functions like mysql_escape_string 
expect the user to enclose the string in quotes. But escapeshellcmd and 
escapeshellarg don't.

It's like htmlspecialchars: it just removes the special meaning of special 
characters.

> But, generally, escapeshellcmd() is used to escape the user input

It shouldn't be the case. escapeshellcmd escapes all control characters from a 
string, which avoids command injection, redirection, etc but doesn't prevent 
argument injection (it doesn't escape spaces).

------------------------------------------------------------------------
[2011-11-10 22:49:42] hirok...@php.net

The default behavior, which does not escape paired quotes, is still dangerous even if 
single quotes are used.

<?php
$_GET['key'] = ":' '/etc/hosts";      // simulated attacker-controlled input
$key = escapeshellcmd($_GET['key']);  // the paired single quotes are left unescaped
$cmd = "grep '$key' /var/data/*"; // <- single quote
system($cmd);  // output: grep ':' '/etc/hosts' /var/data/*

You are right, escapeshellarg() is better than escapeshellcmd() in this case.
But, generally, escapeshellcmd() is used to escape user input 
(GET/POST/Cookie), so the default behavior (paired quotes are not escaped) is 
not recommended.
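
The following is an added example, not code from the bug report, from the PHP
documentation or from PHP itself. It takes the input from the comment above
plus two constructed inputs, builds the grep argument the three ways discussed
in this thread (escapeshellcmd() wrapped in single quotes as in the manual
example, escapeshellcmd() bare, and escapeshellarg()), and then asks the shell
itself how many arguments each fragment splits into. It assumes a POSIX
/bin/sh behind exec(); the shell_argv, docs_style, cmd_style and arg_style
names are the example's own.

```php
<?php
// Added example (not from the bug report or PHP): for a few constructed
// inputs, show how many shell arguments survive each way of building the
// grep command discussed in the thread. Inputs are fixed, so running the
// shell here is harmless; it assumes a POSIX /bin/sh behind exec().

// Let the shell split the fragment for us: printf prints each argument it
// receives in brackets on its own line, so count($lines) is the argc grep
// would have seen. An unterminated quote makes sh fail and yields no lines.
function shell_argv(string $fragment): array {
    $lines = [];
    exec("printf '[%s]\\n' " . $fragment, $lines);
    return $lines;
}

// 1. The manual-style pattern from the report: escapeshellcmd() output
//    wrapped in single quotes. Paired quotes in the input are not escaped,
//    so they close and reopen the quoting and inject extra arguments; a
//    single unpaired quote becomes \' which breaks the quoting entirely.
function docs_style(string $userInput): string {
    return "'" . escapeshellcmd($userInput) . "'";
}

// 2. escapeshellcmd() with no surrounding quotes, the way the function is
//    meant to be used. Shell metacharacters are neutralised, but spaces are
//    not, so one value can still arrive as several arguments.
function cmd_style(string $userInput): string {
    return escapeshellcmd($userInput);
}

// 3. escapeshellarg(): the value becomes exactly one single-quoted argument,
//    with embedded single quotes escaped as '\''.
function arg_style(string $userInput): string {
    return escapeshellarg($userInput);
}

$inputs = [
    ":' '/etc/hosts",   // input from the report: paired single quotes
    ": /etc/shadow",    // constructed: spaces but no quotes at all
    "a'b",              // constructed: one unpaired single quote
];

foreach ($inputs as $in) {
    echo "input: $in\n";
    foreach (['docs_style', 'cmd_style', 'arg_style'] as $f) {
        $frag = $f($in);
        $argv = shell_argv($frag);
        $seen = $argv ? implode(' ', $argv) : '(shell syntax error)';
        printf("  %-10s %-30s -> %d arg(s): %s\n", $f, $frag, count($argv), $seen);
    }
}
```

Running it shows the two failure modes side by side: docs_style turns
":' '/etc/hosts" into two arguments (":" and "/etc/hosts") and cannot even
parse "a'b", cmd_style turns ": /etc/shadow" into two arguments, and
arg_style returns exactly one argument for every input. That last column is
the property you want from an argument-escaping function, which is why the
thread recommends escapeshellarg() for untrusted values.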

------------------------------------------------------------------------
[2011-11-10 15:18:49] lbarn...@php.net

The example at http://docs.php.net/manual/en/function.escapeshellcmd.php is 
wrong. It is enclosing an escaped argument in double quotes, but the 
escapeshellcmd function doesn't expect this.

As a result the second command in the example is unsafe.

IMO the second command in the example should be removed and replaced by a 
warning telling users to use escapeshellarg instead (because escapeshellcmd 
doesn't escape spaces and an argument escaped by escapeshellcmd may be 
interpreted as multiple arguments by the shell).

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=60116

