[nycphp-talk] escapeshellcmd stupidity?
Allen Shaw
ashaw at polymerdb.org
Fri Jan 2 12:05:39 EST 2009
Hi All,
I have a shell script that manages my todo list, and I'd like to access
it through the Web as well, for convenience when I'm traveling. ssh is
not ideal here, since Web gives me access from any machine without
downloading PuTTY, for example. Basic auth seems enough to protect my
todo list from abuse, but the stakes get higher when we consider that
I'm accepting shell script arguments over the web -- poor security could
easily lead to arbitrary code being passed to the shell.
Can anyone here comment on the wisdom of relying on escapeshellcmd() in
a situation like this? For example:
<?
$script_path = '/path/to/shell/script';
shell_exec(escapeshellcmd("$script_path {$_POST['user_input']}"));
?>
It looks right to me, and I've confirmed that it "works," but I can't
test to confirm it's "safe." I'd appreciate it if someone more
experienced could tell me if this is just a Bad Idea.
Thanks,
Allen
--
Allen Shaw
slidePresenter (http://slides.sourceforge.net)
More information about the talk
mailing list