NYCPHP Meetup

[nycphp-talk] escapeshellcmd stupidity?

csnyder chsnyder at gmail.com
Fri Jan 2 13:24:23 EST 2009


On Fri, Jan 2, 2009 at 12:05 PM, Allen Shaw <ashaw at polymerdb.org> wrote:

> Can anyone here comment on the wisdom of relying on escapeshellcmd() in a
> situation like this?  For example:
> <?
>   $script_path = '/path/to/shell/script';
>   shell_exec(escapeshellcmd("$script_path {$_POST['user_input']}"));
> ?>
>
> It looks right to me, and I've confirmed that it "works," but I can't test
> to confirm it's "safe."  I'd appreciate it if someone more experienced could
> tell me if this is just a Bad Idea.
>

First, escapeshellarg() is more specific, and therefore *possibly*
safer. Rather than escaping the whole thing, just escape the user
input.

Second, it would be MUCH safer to determine an acceptable range of
possibilities for the user input, or a pattern (regex or otherwise)
that it should match before being passed to the shell. In other words,
validate the input first, and then filter it when you pass it to the
shell.

In your case you want to pass arbitrary strings, so validation becomes
more difficult. You could still validate the input so that it only
contains printable ascii and simple punctuation, no unprintable
characters or newlines or any of that.



More information about the talk mailing list