[nycphp-talk] escapeshellcmd stupidity?
ashaw at polymerdb.org
Fri Jan 2 12:05:39 EST 2009
I have a shell script that manages my todo list, and I'd like to access
it through the Web as well, for convenience when I'm traveling. ssh is
not ideal here, since Web gives me access from any machine without
downloading PuTTY, for example. Basic auth seems enough to protect my
todo list from abuse, but the stakes get higher when we consider that
I'm accepting shell script arguments over the web -- poor security could
easily lead to arbitrary code being passed to the shell.
Can anyone here comment on the wisdom of relying on escapeshellcmd() in
a situation like this? For example:
$script_path = '/path/to/shell/script';
It looks right to me, and I've confirmed that it "works," but I can't
test to confirm it's "safe." I'd appreciate it if someone more
experienced could tell me if this is just a Bad Idea.
More information about the talk