Security vulnerability with exec(), shell_exec(), curl_exec()

Question

Occasionally, I use exec(), shell_exec(), and curl_exec(). Below are typical uses. Assume that wherever I have a PHP variable in them (i.e. $html in the first one), there is a chance that the user has the ability to modify its content.

What should I be concerned about from a security vulnerability perspective? Are escapeshellcmd() and escapeshellarg() the answer, and if so where should they be used?

<?php
// Original (vulnerable) snippets: every variable is spliced straight into the
// command string. Shell metacharacters in $html, $filename, $docs, $dir, $url,
// $file_org, $paramaters, $worker or $session_id (; | & ` $( ) " and so on)
// let whoever controls the value run extra commands as the PHP user.
$cmd='echo "html + '.$html.'" | htmldoc --format pdf > '.$filename;
$cmd='/usr/bin/convert '.$docs.' '.$filename;
$cmd='HOME='.$dir.'; /usr/bin/libreoffice3.5 --headless -convert-to pdf --outdir '.$dir.' '.$file_org;
$cmd='wget -O '.$file_org.' "'.$url.'"';
$cmd='/opt/wkhtmltopdf/bin/wkhtmltopdf "'.$url.'" '.$paramaters;
$cmd='/usr/bin/php -q '.$worker.' '.$session_id.' >/dev/null &';
exec($cmd);

// Same problem through shell_exec(): $id, $from, $to, $doc_list and $jid are
// unescaped. The double quotes around $from and $to do not help, because a
// value containing a double quote closes them.
$cmd='sendfax -n -m -w -i '.$id.' -o JohnDoe -D -S "hello@gmail.net" -s "us-leg" -f "'.$from.'" -d "'.$to.'" '.$doc_list;
$cmd = "faxstat -s | grep \"^$jid \"";
$output = shell_exec($cmd);

// curl_exec() does not go through a shell; the user-controlled inputs here are
// $url and the user_agent query parameter (read without an isset() check).
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_USERAGENT, $_GET['user_agent'] ? $_GET['user_agent'] : $_SERVER['HTTP_USER_AGENT']);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('aaa' => $aaa, 'bbb' => $bbb));
$result = curl_exec($ch);
curl_close($ch);

Solution

If you don’t validate and/or escape the input values properly, anyone can execute arbitrary commands on your system on behalf of the user that runs PHP.

For command arguments, there is escapeshellarg. Make sure you escape the whole argument value, e.g.:

// Each user-controlled value becomes exactly one single-quoted shell argument;
// the literal "html + " prefix is included inside the quoted value.
$cmd='echo '.escapeshellarg('html + '.$html).' | htmldoc --format pdf > '.escapeshellarg($filename);
$cmd='/usr/bin/convert '.escapeshellarg($docs).' '.escapeshellarg($filename);
// […]
// The manual double quotes around $from and $to are dropped; escapeshellarg() supplies the quoting.
$cmd='sendfax -n -m -w -i '.escapeshellarg($id).' -o JohnDoe -D -S "hello@gmail.net" -s "us-leg" -f '.escapeshellarg($from).' -d '.escapeshellarg($to).' '.escapeshellarg($doc_list);
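The following is an added example and is not part of the question or the answer above. It takes the htmldoc and wget commands from the question, builds each both the way the question does and with escapeshellarg(), and feeds them a constructed hostile input. It also covers two points that escaping alone does not settle: a value that starts with "-" is still parsed as an option by the called program even when it is quoted correctly, and $doc_list in the question holds several file names, so escaping it as a single argument would turn the list into one non-existent file name. The payload strings, the scheme allow-list and the leading-dash check are this example's own assumptions, not the answer's.

```php
<?php
// Added example (not from the original question or answer).

/** Unsafe: string concatenation exactly as in the question. */
function build_htmldoc_unsafe(string $html, string $filename): string
{
    return 'echo "html + ' . $html . '" | htmldoc --format pdf > ' . $filename;
}

/** Hardened: every user-controlled value is one single-quoted argument. */
function build_htmldoc_safe(string $html, string $filename): string
{
    return 'echo ' . escapeshellarg('html + ' . $html)
         . ' | htmldoc --format pdf > ' . escapeshellarg($filename);
}

/**
 * escapeshellarg() keeps the shell from interpreting the value, but wget
 * still parses a value beginning with "-" as one of its own options.
 * Rejecting a leading dash and placing "--" before positional arguments
 * closes that gap; the http(s)-only check is this example's assumption.
 */
function build_wget_safe(string $file_org, string $url): string
{
    if ($file_org === '' || $file_org[0] === '-') {
        throw new InvalidArgumentException('output file must not look like an option');
    }
    $parts = parse_url($url);
    if ($parts === false || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        throw new InvalidArgumentException('only http(s) URLs are accepted');
    }
    return 'wget -O ' . escapeshellarg($file_org) . ' -- ' . escapeshellarg($url);
}

/**
 * A list of file names must be escaped per element, not as one string,
 * or the called program receives a single argument containing spaces.
 */
function escape_file_list(array $files): string
{
    return implode(' ', array_map('escapeshellarg', $files));
}

// Constructed hostile inputs for the demonstration, not real data.
$html     = 'hello"; id; echo "';
$filename = 'out.pdf; cat /etc/passwd';

// Unsafe form: the double quote in $html closes the echo string, so the shell
// runs echo, then id, then echo, and the ";" in $filename starts cat as well.
echo build_htmldoc_unsafe($html, $filename), PHP_EOL;

// Safe form: both values are single-quoted, so the quotes and semicolons are
// ordinary characters inside one echo argument and one redirect target.
echo build_htmldoc_safe($html, $filename), PHP_EOL;

echo build_wget_safe('page.html', 'https://example.com/index.html'), PHP_EOL;

// A file name of "-O" would be read by wget as an option; it is rejected here.
try {
    echo build_wget_safe('-O', 'https://example.com/'), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A file:// URL never reaches wget either.
try {
    echo build_wget_safe('page.html', 'file:///etc/passwd'), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// Three separate quoted arguments, one per file.
echo escape_file_list(['a.ps', 'b c.ps', 'evil;id.ps']), PHP_EOL;
```

Run it with `php example.php` on a POSIX system; on Windows escapeshellarg() quotes with double quotes and the shell rules differ, so the output is not the same. Two of the question's variables cannot be fixed by escaping at all: $paramaters is meant to carry several wkhtmltopdf flags, so it has to be assembled from an allow-list of known options rather than passed through, and for curl_exec() the shell-escaping functions do not apply because no shell is involved; $url there needs its own validation (scheme and host allow-list, optionally enforced with CURLOPT_PROTOCOLS), since libcurl will otherwise accept any scheme it supports.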
