考虑使用"exec"执行器的安全问题. php命令 [英] Considering safety problems using "exec" php command

问题描述

我正在使用exec php命令在Web服务器中启动jar文件. 我需要采取任何预防措施来预防任何安全问题吗?我的意思是，使用exec指令可能会很危险吗?

I am using the exec php command to launch a jar file in my web server. Is there any precautions that I have to adopt to prevent any safety issues?I mean,could be dangerous use the exec comand?

推荐答案

这取决于您如何为函数提供参数.如果使用文字，则代码仅容易受到开发人员级别的错误和不良做法的影响.但是，如果要传递变量，则全部取决于参数的来源.我建议在这种情况下，请务必练习非常安全的方法，即在调用exec函数之前立即利用所有可用的验证工具.从我的头顶上:

It depends how you provide the argument for the function. If you are using a literal, the code is only vulnerable to developer-level mistakes and bad practices. However, if you will be passing a variable it all depends on the source of the parameter. I would suggest to always practice very safe approach in this scenario, utilizing all the available validation tools right before calling the exec function. From top of my head:

• 检查是否通过利用运行PHP进程的系统用户(通常是具有广泛访问权限的Web服务器用户)来利用底层操作系统上的用户特权，
• 可能暂时将exec命令使用的环境塞进监狱，以便仅向用户提供所需的文件和可执行文件，
即使您现在知道传递的参数的值不是由用户或第三方提供，而是由代码的其他部分提供的，也要进行安全的编程.即使情况并非如此，将来系统的其他部分也可能会发生变化，从而允许将Shell脚本注入底层操作系统.

• checking if the user's privilege on the underlying operating system are not being leveraged by utilizing the system user running the PHP process (very often the web server user with quite extensive access),
• possibly, temporarily jailing the environment used for the exec command to provide the user only with the files and executables which are required,
• practice safe programming even if at the moment you know that the value of the passed parameter is not provided by the user or third party, but from other parts of the code; even though that might not be the case, in the future other parts of the system might change, allowing injection of shell scripts to underlying OS.

这篇关于考虑使用"exec"执行器的安全问题. php命令的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！