[nycphp-talk] escapeshellcmd stupidity?
ashaw at polymerdb.org
Fri Jan 2 15:37:43 EST 2009
Thanks for your helpful input. Some follow-up from me:
> Allen Shaw wrote:
> > Can anyone here comment on the wisdom of relying on
> > escapeshellcmd() in a situation like this? ...
> First, escapeshellarg() is more specific, and therefore *possibly*
> safer. Rather than escaping the whole thing, just escape the user
In my case, I'm passing multiple arguments, but I'm now regexing them
apart into separate arguments, so escapeshellarg() does work. For
forward compat with the wrapped shell script, I'm hoping to avoid
checking for valid arguments and instead just escaping each argument and
letting the shell script do its own checking.
> Second, it would be MUCH safer to determine an acceptable range of
> possibilities for the user input... In your case you want to pass
> arbitrary strings, so validation becomes more difficult. You could
> still validate the input so that it only contains printable ascii and
> simple punctuation, no unprintable characters or newlines or any of
Okay, good thought. For this I'll remove the first 32 non-printing ASCII
chars, and DEL:
$user_input = preg_replace('/[\000-\037\177]/', '', $user_input); // \177 is DEL; \127 would be 'W'
If I'm thinking straight, the above will strip most obviously useless
chars but still allow lots of chars (e.g. i18n stuff) that I'll never be
able to whitelist.
Thanks again for your input.
Allen Shaw, UPF Data Services
ashaw at upf.org | 914.826.4622 | http://www.upf.org
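The approach described in the message above, written out as an added example that is not code from the original post: split the user string into separate arguments, strip the ASCII control characters and DEL from each one, and run each through escapeshellarg() before handing them to the wrapped script. The script path, the helper names and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not from the original thread. Per-argument escaping of
// user input before invoking a wrapped shell script. Script path and
// sample inputs below are constructed for illustration.

declare(strict_types=1);

// Remove NUL..US (octal 000-037, hex 00-1F) and DEL (octal 177, hex 7F).
// Note that octal 127 is 'W', not DEL; DEL is octal 177.
function strip_control_chars(string $s): string
{
    return preg_replace('/[\x00-\x1F\x7F]/', '', $s);
}

// Split the raw user string on runs of whitespace, dropping empty pieces.
function split_args(string $input): array
{
    $parts = preg_split('/\s+/', trim($input));
    return array_values(array_filter($parts, fn(string $p): bool => $p !== ''));
}

// Build the command line: the script path is fixed by us, and every
// argument is escaped on its own so the shell sees exactly one word
// per argument, however many metacharacters it contains. Stripping
// happens before escapeshellarg(), which is also what keeps NUL bytes
// (rejected by newer PHP versions) out of the call.
function build_command(string $script, string $userInput): string
{
    $args = array_map(
        fn(string $a): string => escapeshellarg(strip_control_chars($a)),
        split_args($userInput)
    );
    return $script . ' ' . implode(' ', $args);
}

$samples = [
    "report monthly",
    "foo; rm -rf /",          // ';' and '/' end up inside single quotes
    "it's\x00 a \x7f test",   // NUL and DEL are removed, the quote is escaped
    "données mañana",         // non-ASCII text passes through untouched
];

foreach ($samples as $s) {
    echo build_command('/usr/local/bin/wrapped.sh', $s), "\n";
}
```

Two caveats worth knowing before relying on this. escapeshellarg() treats multibyte input according to the current LC_CTYPE locale, so if non-ASCII arguments are expected, make sure the process runs under a UTF-8 locale (setlocale(LC_CTYPE, ...)) or they may be mangled. And on PHP 7.4 and later, proc_open() accepts the command as an array of arguments and bypasses the shell altogether, which removes the need for shell escaping entirely; that option did not exist when this message was written.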