63 lines
1.2 KiB
Plaintext
63 lines
1.2 KiB
Plaintext
include::../description.adoc[]
|
|
|
|
== Noncompliant Code Example
|
|
|
|
An arbitrary command can be executed:
|
|
|
|
----
|
|
$cmd = $_GET["cmd"];
|
|
|
|
// If the command "/sbin/shutdown" is executed and the web server is running as root,
|
|
// then the machine running the web server will be shut down and become unavailable for future requests
|
|
|
|
exec($cmd); // Noncompliant
|
|
----
|
|
|
|
Shell meta-characters can be used to execute additional commands in PHP functions that execute commands:
|
|
|
|
----
|
|
$arg = $_GET["arg"];
|
|
|
|
// the attacker can perform: "argvalue | /sbin/shutdown"
|
|
|
|
exec("/usr/bin/cat ".$arg); // Noncompliant
|
|
----
|
|
|
|
== Compliant Solution
|
|
|
|
Restrict the command to be executed with an allowlist:
|
|
|
|
----
|
|
$cmd = $_GET["cmd"];
|
|
|
|
if ($cmd === "/usr/bin/stat" || $cmd === "/usr/bin/cat") {
|
|
exec($cmd." /tmp/test.txt", $output);
|
|
}
|
|
----
|
|
|
|
Use `escapeshellarg` to escape shell meta-characters from a specific argument:
|
|
|
|
----
|
|
|
|
$arg = $_GET["arg"];
|
|
|
|
exec("/usr/bin/cat ".escapeshellarg($arg));
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
include::../message.adoc[]
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
include::../comments-and-links.adoc[]
|
|
endif::env-github,rspecator-view[]
|