
Security vulnerabilities in exec(), shell_exec() and curl_exec()

Updated: 2022-10-26 22:38:05


Occasionally, I use exec(), shell_exec(), and curl_exec(). Below are typical uses. Assume that wherever I have a PHP variable in them (i.e. $html in the first one), there is a chance that the user has the ability to modify its content.

What should I be concerned about from a security vulnerability perspective? Are escapeshellcmd() and escapeshellarg() the answer, and if so, where should they be used?

$cmd='echo "html + '.$html.'" | htmldoc --format pdf > '.$filename;
$cmd='/usr/bin/convert '.$docs.' '.$filename;
$cmd='HOME='.$dir.'; /usr/bin/libreoffice3.5 --headless -convert-to pdf --outdir '.$dir.' '.$file_org;
$cmd='wget -O '.$file_org.' "'.$url.'"';
$cmd='/opt/wkhtmltopdf/bin/wkhtmltopdf "'.$url.'" '.$paramaters;
$cmd='/usr/bin/php -q '.$worker.' '.$session_id.' >/dev/null &';
exec($cmd);

$cmd='sendfax -n -m -w -i '.$id.' -o JohnDoe -D -S "hello@gmail.net" -s "us-leg" -f "'.$from.'" -d "'.$to.'" '.$doc_list;
$cmd = "faxstat -s | grep \"^$jid \"";
$output = shell_exec($cmd);

$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_USERAGENT, $_GET['user_agent'] ? $_GET['user_agent'] : $_SERVER['HTTP_USER_AGENT'] );
curl_setopt($ch,CURLOPT_POSTFIELDS,array('aaa'=>$aaa,'bbb'=>$bbb));
$result = curl_exec($ch);

If you don’t validate and/or escape the input values properly, anyone can execute arbitrary commands on your system on behalf of the user that runs PHP.

For command arguments, there is escapeshellarg. Make sure you escape the whole argument value, e.g.:

$cmd='echo '.escapeshellarg('html + '.$html).' | htmldoc --format pdf > '.escapeshellarg($filename);
$cmd='/usr/bin/convert '.escapeshellarg($docs).' '.escapeshellarg($filename);
// […]
$cmd='sendfax -n -m -w -i '.escapeshellarg($id).' -o JohnDoe -D -S "hello@gmail.net" -s "us-leg" -f '.escapeshellarg($from).' -d '.escapeshellarg($to).' '.escapeshellarg($doc_list);
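An added example, not code from the question or the answer: it builds the convert command from the answer with and without escapeshellarg() against a constructed hostile $docs value, and adds the proc_open() argv form (PHP 7.4 and later) that skips the shell entirely. It assumes /bin/true as a stand-in for convert so it runs anywhere, and the rejectOptionLike() helper is hypothetical.

```php
<?php
// Added example, not code from the original post. $docs and $filename are
// constructed hostile inputs standing in for user-controlled values.
$docs     = "report.pdf; touch /tmp/pwned; echo 'x'";
$filename = 'out.pdf';

// The question's form: $docs is interpolated raw, so the ';' ends the convert
// command and the rest of the string runs as further shell commands.
function buildUnsafe(string $docs, string $filename): string
{
    return '/usr/bin/convert ' . $docs . ' ' . $filename;
}

// The answer's form: escapeshellarg() single-quotes each value and escapes
// embedded single quotes, so the whole value reaches convert as one argument.
function buildEscaped(string $docs, string $filename): string
{
    return '/usr/bin/convert ' . escapeshellarg($docs) . ' ' . escapeshellarg($filename);
}

// Avoiding the shell altogether (PHP >= 7.4): proc_open() accepts an argv
// array and executes the program directly, so no quoting rules apply.
// Returns the process exit status.
function runWithoutShell(array $argv): int
{
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Caveat: escaping stops shell injection, not option injection. A value that
// starts with '-' is still read by the called program as a flag, so validate
// it as well (or end option parsing with '--' where the tool supports that).
function rejectOptionLike(string $value): string
{
    if ($value === '' || $value[0] === '-') {
        throw new InvalidArgumentException('argument must not look like an option');
    }
    return $value;
}

echo buildUnsafe($docs, $filename), PHP_EOL;
echo buildEscaped($docs, $filename), PHP_EOL;
// /bin/true stands in for convert (assumption) so the argv form runs anywhere.
echo runWithoutShell(['/bin/true', rejectOptionLike($docs), $filename]), PHP_EOL;
```

The same escapeshellarg() treatment applies to the HOME=$dir, wget and wkhtmltopdf lines in the question; the argv form is preferable wherever the command does not actually need shell features such as pipes or redirection.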