NYCPHP Meetup

[nycphp-talk] escapeshellcmd stupidity?

Allen Shaw ashaw at polymerdb.org
Fri Jan 2 15:37:43 EST 2009


Hi Chris,

Thanks for your helpful input. Some follow-up from me:

csnyder wrote:
>  Allen Shaw wrote:
> > Can anyone here comment on the wisdom of relying on
> > escapeshellcmd() in a situation like this? ...
>
>  First, escapeshellarg() is more specific, and therefore *possibly*
>  safer. Rather than escaping the whole thing, just escape the user
>  input.

In my case, I'm passing multiple arguments, but I'm now regexing them 
apart into separate arguments, so escapeshellarg() does work. For 
forward compat with the wrapped shell script, I'm hoping to avoid 
checking for valid arguments and instead just escaping each argument and 
letting the shell script do its own checking.

>  Second, it would be MUCH safer to determine an acceptable range of
>  possibilities for the user input... In your case you want to pass
>  arbitrary strings, so validation becomes more difficult. You could
>  still validate the input so that it only contains printable ascii and
>  simple punctuation, no unprintable characters or newlines or any of
>  that.

Okay, good thought. For this I'll remove the first 32 non-printing ASCII 
chars, and DEL:
<?php
// Octal ranges: \000-\037 are the C0 control characters, \177 is DEL
// (\127 would match the letter 'W', not DEL).
$user_input = preg_replace('/[\000-\037\177]/', '', $user_input);
?>

If I'm thinking straight, the above will strip most obviously useless 
chars but still allow lots of chars (e.g. i18n stuff) that I'll never be 
able to whitelist.

Thanks again for your input.

- Allen
-- 
Allen Shaw, UPF Data Services
ashaw at upf.org | 914.826.4622 | http://www.upf.org

-- 
Allen Shaw
slidePresenter (http://slides.sourceforge.net)
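
The per-argument approach discussed in this thread, written out as an added PHP example (not code from the original post or from the list). The wrapper path /usr/local/bin/wrapped.sh and the sample arguments are made up for illustration; the second builder is included only to contrast escapeshellcmd() on a whole line with escapeshellarg() on each argument.

```php
<?php
// Added example, not code from the original post. The wrapper script
// path and the sample inputs below are constructed for illustration.

// Remove the C0 control characters (octal \000-\037) and DEL (\177).
// Mind the octal escape: \177 is DEL, whereas \127 would match 'W'.
function strip_control_chars($s)
{
    return preg_replace('/[\000-\037\177]/', '', $s);
}

// Quote each user-supplied argument on its own with escapeshellarg(),
// so the shell sees exactly one word per argument whatever it contains.
// The program name is fixed by the application, never taken from input.
function build_command_per_arg($program, array $args)
{
    $words = array($program);
    foreach ($args as $a) {
        $words[] = escapeshellarg(strip_control_chars($a));
    }
    return implode(' ', $words);
}

// For contrast: escapeshellcmd() over the whole line. It backslash-escapes
// shell metacharacters but leaves spaces alone, so argument boundaries are
// whatever the user typed, and a leading '-' still reaches the script.
function build_command_whole_line($program, array $args)
{
    return escapeshellcmd($program . ' ' . implode(' ', $args));
}

// Constructed sample arguments: an i18n string with spaces, an embedded
// newline, an apostrophe next to a shell metacharacter, and a value that
// looks like a command-line option.
$args = array(
    "Café au lait",
    "first line\nsecond line",
    "O'Brien; rm -rf /",
    "--delete-everything",
);

$program = '/usr/local/bin/wrapped.sh';   // hypothetical wrapper script

echo build_command_per_arg($program, $args), "\n";
echo build_command_whole_line($program, $args), "\n";
```

In the first line every argument arrives as one single-quoted word: the newline is gone, the apostrophe in O'Brien becomes `'\''`, and the `;` is inert inside single quotes. In the second line escapeshellcmd() escapes the `;`, the unpaired apostrophe and the newline, but the spaces in "Café au lait" still split it into three arguments. Either way "--delete-everything" reaches the script unchanged: quoting decides how the shell splits the line, not what the wrapped script does with a leading dash, so if that script's option parser honours `--`, put it in front of the user-supplied arguments. Two further caveats: on Windows escapeshellarg() wraps in double quotes and replaces `%` and `!` with spaces, and from PHP 7.4 proc_open() accepts the command as an array, which runs the program without involving a shell at all.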
