NYCPHP Meetup

NYPHP.org

[nycphp-talk] escapeshellcmd stupidity?

Edward Potter edwardpotter at gmail.com
Fri Jan 2 12:23:46 EST 2009


Plan B.
THINGS, an AMAZING GTD application that syncs up with your iPhone.
They seem to have FINALLY got it right.  :-)  ed

http://culturedcode.com/things/





On Fri, Jan 2, 2009 at 12:05 PM, Allen Shaw <ashaw at polymerdb.org> wrote:
> Hi All,
>
> I have a shell script that manages my todo list, and I'd like to access it
> through the Web as well, for convenience when I'm traveling.  ssh is not
> ideal here, since Web gives me access from any machine without downloading
> PuTTY, for example.  Basic auth seems enough to protect my todo list from
> abuse, but the stakes get higher when we consider that I'm accepting shell
> script arguments over the web -- poor security could easily lead to
> arbitrary code being passed to the shell.
>
> Can anyone here comment on the wisdom of relying on escapeshellcmd() in a
> situation like this?  For example:
> <?
>   $script_path = '/path/to/shell/script';
>   shell_exec(escapeshellcmd("$script_path {$_POST['user_input']}"));
> ?>
>
> It looks right to me, and I've confirmed that it "works," but I can't test
> to confirm it's "safe."  I'd appreciate it if someone more experienced could
> tell me if this is just a Bad Idea.
>
> Thanks,
> Allen
>
> --
> Allen Shaw
> slidePresenter (http://slides.sourceforge.net)
>
> _______________________________________________
> New York PHP User Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> http://www.nyphp.org/show_participation.php
>



-- 
IM/iChat: ejpusa
Links: http://del.icio.us/ejpusa
Blog: http://www.preceptress.com/blog
Follow me: http://www.twitter.com/ejpusa
Karma: http://www.coderswithconscience.com
Projects: http://flickr.com/photos/86842405@N00/
Store: http://astore.amazon.com/httpwwwutopic-20
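As an added illustration, not code from either poster, of why escaping the whole command line (as in the question above) still lets one user value reach the script as several arguments: `printf` stands in for the todo script so the argument splitting is visible, and the two escaping functions are PHP's own.

```php
<?php
// Added example, not from the thread. printf stands in for the todo script.

// escapeshellcmd() backslash-escapes shell metacharacters
// (& # ; ` | * ? ~ < > ^ ( ) [ ] { } $ \ and unpaired quotes) across the
// WHOLE command line. It does not escape spaces, so a single user-supplied
// value can still arrive at the script as several arguments, including
// option flags the script never expected to receive from the web.
function runEscapeshellcmdStyle(string $input): string
{
    // Same shape as the pattern in the question, with printf as the "script".
    return (string) shell_exec(escapeshellcmd("printf '%s,' $input"));
}

// escapeshellarg() wraps ONE value in single quotes and escapes any embedded
// single quotes, so whatever the user typed arrives as exactly one argument.
function runEscapeshellargStyle(string $input): string
{
    return (string) shell_exec("printf '%s,' " . escapeshellarg($input));
}

// Constructed input: a todo entry that happens to contain spaces and a
// dash-prefixed word. No shell metacharacters, so escapeshellcmd() leaves
// it untouched and the shell splits it on whitespace.
$input = 'buy milk --delete-all';

echo runEscapeshellcmdStyle($input), PHP_EOL;
// buy,milk,--delete-all,      <- three arguments; the script sees a flag
echo runEscapeshellargStyle($input), PHP_EOL;
// buy milk --delete-all,      <- one argument, exactly as typed
```

escapeshellarg() keeps the value a single argument, but a value beginning with `-` is still whatever the todo script makes of a leading dash, so an allow-list check on the input (or passing `--` before it, if the script's option parser honours that) is the remaining piece.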


