检测危险的 unix 命令行元字符 [英] detecting dangerous unix command line metacharacters
问题描述
我正在开发一个 Web 应用程序,该应用程序具有一些 api 调用,可以发送命令行操作的参数.例如,(使用 jquery),一个 api 调用如:
I'm working on a web application that has some api calls that send arguments for command line operations. For example, (using jquery), an api call like:
$.get('/api',{
function:function_1,
data:data
},funcion(){},'text')
可能会执行如下命令行:
might execute a command line like:
php a.php data
这样的话,如果数据的内容是"whatever;rm -rf *;"
,就会执行两条命令
in that case, if the content of data was "whatever;rm -rf *;"
, two commands would be executed
php a.php watever;
rm -rf *;
我不想冒这个险.
我的问题不是检测字符是否是数据字符串的一部分,我的问题是知道我应该查找哪些字符?
My problem is not detecting when a character is part of the data string, my problem is knowing which chars should I look for?
我正在添加一个 shell 命令元字符列表.请说明哪些字符有风险,哪些字符组合(如果有)有风险.
I'm adding a list of shell command metacharacters. Please specify which characters are risky and which combination of characters (if any) are risky.
注意:摘自:http://www.fmrib.ox.ac.uk/fslcourse/unix_intro/shell.html
shell 元字符包括:
The shell meta characters include:
\/<> !$ % ^ &* |{ } [ ] " ' ` ~ ;
\ / < > ! $ % ^ & * | { } [ ] " ' ` ~ ;
注意 2:可能还有其他字符,如果你知道另一个添加它或评论,我会添加它.
NOTE 2: There may be other characters, please, if you know another add it or comment and I'll add it.
注意 3:我的问题类似于 sql 注入可能发生的情况.当有人在搜索文本框中添加隐藏查询时,但就我而言,问题出在 shell 命令上.要防止 sql 注入,您可以查看 this.
NOTE 3: My problem is similar to what might happen with sql injection. when someone adds hidden querys inside search text-boxes, but in my case, the problem is with shell commands. To prevent sql injection you can look at this.
推荐答案
这正是 escapeshellarg
的用途.
http://www.php.net/manual/en/function.escapeshellarg.php
这篇关于检测危险的 unix 命令行元字符的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!