Security vulnerability with exec(), shell_exec(), curl_exec()
Problem description
Occasionally, I use exec(), shell_exec(), and curl_exec(). Below are typical uses. Assume that wherever I have a PHP variable in them (i.e. $html in the first one), there is a chance that the user has the ability to modify its content.
What should I be concerned about from a security vulnerability perspective? Are escapeshellcmd() and escapeshellarg() the answer, and if so where should they be used?
// Every interpolated variable below ($html, $filename, $docs, $dir, $url, ...) is assumed to be user-controllable.
$cmd='echo "html + '.$html.'" | htmldoc --format pdf > '.$filename;
$cmd='/usr/bin/convert '.$docs.' '.$filename;
$cmd='HOME='.$dir.'; /usr/bin/libreoffice3.5 --headless -convert-to pdf --outdir '.$dir.' '.$file_org;
$cmd='wget -O '.$file_org.' "'.$url.'"';
$cmd='/opt/wkhtmltopdf/bin/wkhtmltopdf "'.$url.'" '.$paramaters;
$cmd='/usr/bin/php -q '.$worker.' '.$session_id.' >/dev/null &';
exec($cmd);
// shell_exec() passes the string to /bin/sh just like exec(); $jid is interpolated inside a double-quoted PHP string.
$cmd='sendfax -n -m -w -i '.$id.' -o JohnDoe -D -S "hello@gmail.net" -s "us-leg" -f "'.$from.'" -d "'.$to.'" '.$doc_list;
$cmd = "faxstat -s | grep \"^$jid \"";
$output = shell_exec($cmd);
// curl_exec() does not go through a shell, but $url and the user agent still come from the request.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_USERAGENT, $_GET['user_agent'] ? $_GET['user_agent'] : $_SERVER['HTTP_USER_AGENT']);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('aaa' => $aaa, 'bbb' => $bbb));
$result = curl_exec($ch);
If you don’t validate and/or escape the input values properly, anyone can execute arbitrary commands on your system on behalf of the user that runs PHP.
For command arguments, there is escapeshellarg. Make sure you escape the whole argument value, e.g.:
$cmd='echo '.escapeshellarg('html + '.$html).' | htmldoc --format pdf > '.escapeshellarg($filename);
$cmd='/usr/bin/convert '.escapeshellarg($docs).' '.escapeshellarg($filename);
// […]
$cmd='sendfax -n -m -w -i '.escapeshellarg($id).' -o JohnDoe -D -S "hello@gmail.net" -s "us-leg" -f '.escapeshellarg($from).' -d '.escapeshellarg($to).' '.escapeshellarg($doc_list);
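The following is an added example, not code from the question or the answer above. It takes three of the commands from the question and shows the defensive pattern the answer describes: every untrusted value goes through escapeshellarg() as a whole argument, the value's shape is validated before it reaches the tool (escapeshellarg() stops the shell from interpreting a value, but it cannot stop the tool itself from reading a value that starts with "-" as an option), and, where possible, the shell is avoided entirely by handing proc_open() an argument array, which PHP supports from version 7.4. The function names and the sample inputs are constructed for this example.

```php
<?php
// Added example; not part of the original question or answer.
// Assumes PHP >= 7.4 (array form of proc_open) and the same tools as the question.
declare(strict_types=1);

/**
 * The htmldoc command from the question with both user-controlled values
 * escaped. The redirect target is shell syntax too, so it needs escaping
 * just as much as the echo argument does.
 */
function buildHtmldocCommand(string $html, string $filename): string
{
    return 'echo ' . escapeshellarg('html + ' . $html)
        . ' | htmldoc --format pdf > ' . escapeshellarg($filename);
}

/**
 * Allow-list check on the URL's shape before it is passed to wget or
 * wkhtmltopdf. Only http/https URLs with a host are accepted, which also
 * rules out values beginning with "-" that a tool would parse as an option.
 */
function validateUrl(string $url): string
{
    $parts = parse_url($url);
    if ($parts === false
        || !isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('URL rejected');
    }
    return $url;
}

/** The wget command from the question, validated and escaped. */
function buildWgetCommand(string $fileOrg, string $url): string
{
    return 'wget -O ' . escapeshellarg($fileOrg) . ' ' . escapeshellarg(validateUrl($url));
}

/**
 * The libreoffice command from the question without a shell: arguments are
 * passed as an array, so no quoting layer exists to get wrong, and the
 * "HOME=..." prefix becomes an environment entry instead of shell text.
 * Returns the process exit status.
 */
function runLibreofficeConvert(string $dir, string $fileOrg): int
{
    $argv = ['/usr/bin/libreoffice3.5', '--headless', '--convert-to', 'pdf',
             '--outdir', $dir, $fileOrg];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes, null, ['HOME' => $dir]);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start libreoffice');
    }
    // Drain and close the pipes so the child is not blocked on output.
    stream_get_contents($pipes[1]);
    stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Constructed sample inputs (not real user data): a single quote and a space
// in the values show that escapeshellarg() wraps the whole argument in single
// quotes and escapes the embedded quote, so the shell sees one argument.
echo buildHtmldocCommand("report's title", 'out file.pdf'), PHP_EOL;
echo buildWgetCommand('page.html', 'https://example.com/index.html'), PHP_EOL;
try {
    buildWgetCommand('page.html', '--post-file=/etc/hostname');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The escaping alone is enough against shell metacharacters, which is what the answer addresses; the validateUrl() step and the proc_open() array form are the two additional checks worth adding, because they close the gap where a correctly quoted value is still interpreted by the invoked program rather than by the shell.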