I would like to interface a php page to the linux command line program ping.
I realize that there are sanitation issues. Is there a builtin library or function that can take care of everything, or will I have to rely on regex parsers?
Do you mean escapeshellcmd and escapeshellarg?
do you mean to sanitize variable http://php.net/filter_var ?
good tutorial
http://www.phpro.org/tutorials/Filtering-Data-with-PHP.html
Related
I could not find the reason why my request fail for the following
My php code is:
if (isset($_COOKIE["user"])) {
echo '<p><h3><strong>Welcome '.$_COOKIE["param"].'</strong></h3></p>'; .....
When i request exec('ls -al') as param , the php code did not run the command.
On the response of the request it was like parameterized:
Welcome exec('ls -al')
What may the reason that failed this execution?
$_COOKIE["param"] is a string. You are echoing it. It is not supposed to run anything.
If you wanted to run a command in your PHP, you would have to use eval(). But as for running a command from a cookie value:
DON'T DO IT!
So you're saying that the value of $_COOKIE['param'] is exec('ls -al'), and you're expecting that to run when you echo it out?
That's not how it works. The value of that cookie will be the string value "exec('ls -al')", not the result of the executed code. If you think about it for a second, you'll understand why it would be a bad idea for a cookie to be able to auto-execute code.
It's not really a great idea to be running random commands through exec() anyway, especially if that input came from a user (which cookies do - the user can and will change them to try to attack you).
Instead, you should be using other input that your code can interpret as a signal to run certain code. For example, you could have the param value hold the string list files, and your code would see that value and run exec('ls -al') for you.
You still shouldn't be execing code to do this though, since it's very easy to accidentally run dangerous commands that way. Instead, you should use PHP's built-in functions as much as possible, and only after sanitizing your inputs and only running known values.
For your case, PHP has a bunch of functions that let you interact with the filesystem of your server. Use those to get a list of files on the system instead.
I would like to execute a string as if it were PHP code.
An example would be:
$string='round(24.6,2)';
I would like to convert $string to executable syntax. Is there a way to do this?
eval()
is the function you want. But: eval() is evil!
You can use eval('round(24.6,2)'), but this is usually frowned upon for multiple reasons. Why do you want to do this?
I'm writing a PHP library that will need to reach out to the system and access a command line program that doesn't have a PHP interface (or PHP library). As such, I was wondering what is the best (and the safest way) to access the system to retrieve output from a CLI program? I've taken a look at both system() and exec(), but still not sure which is the best to use in a situation like this.
The library will get a string of user-passed text, and transmit it to the command line, retrieving back another string of text. Obviously, with passing user-provided data to the CLI, I will be doing a verification to ensure that no executable data can be passed.
I would suggest shell_exec() together with escapeshellcmd() and escapeshellarg().
To clarify (I was on the go when I first posted this answer): The right way to secure a shell command is:
$exe = 'cat';
$args = array('/etc/passwd');
$args = array_map('escapeshellarg', $args);
$escaped = escapeshellcmd($exe . ' ' . implode(' ', $args));
Here's a legitimate demo (and a nefarious demo as well) of the above code.
The above is just a dummy example, of course. But the main idea is that you apply escapeshellarg() to each argument and then call escapeshellcmd() on the whole command string (including the path to the executable and the previously escaped arguments). This is critical in arbitrary commands.
Note: By secure, I mean making it impossible to perform shell injection attacks by escaping characters that have special meaning like >, <, &&, | and more (see the Wikipedia link) while at the same time properly quoting spaces and other characters that may also have special interpretations by the shell.
With that aside, if you're already white-listing all the commands allowed, you already have the best possible security and you don't need the above functions (althought it doesn't hurt to use them anyway).
Regarding the actual calling function, they all pretty much do the same thing with a few quirks. Personally, I prefer shell_exec() since its return value is more versatile (from this page):
exec(): returns the last line of output from the command and flushes nothing.
shell_exec(): returns the entire output from the command and flushes nothing.
system(): returns the last line of output from the command and tries to flush the output buffer after each line of the output as it goes.
passthru(): returns nothing and passes the resulting output without interference to the browser, especially useful when the output is in binary format.
Except from the system() exit return code, you can mimic the behavior of all the other functions with the return value of shell_exec(). However, the inverse it's either harder to do, or just not possible.
I hope this clears things up for you.
Ideally, you would use passthru() from a pre-defined list of possible inputs (so that if user input == 'operation_a' you can { passthru('operation_a'); } without worrying about sanitizing input). Otherwise, use passthru() with some serious sanitation of input. passthru() allows you to capture the output of the command and pass the whole lump back to the browser. This function is particularly useful if you are expecting binary output (like from image generation, &c.).
Say I have a variable containing PHP code, can I include its content as if it was a normal PHP file ?
For example, the PHP code could be a class declaration.
You don't have a variable containing php code. You have a string.
You can execute a string as php with the evil eval function, but puppies AND kittens will die!
eval($your_variable);
Be aware about security holes!This is very dangerous and should NOT be based on user's input !
You could use eval to evaluate any code that you have in your string, however it is evil. What exactly are you trying to do?
I'm storing php functions to a mySQL database from user input, these functions need to be able to be executed.
As we know, this could and will allow Mr hacker to turn a pretty website into Swiss cheese!
These functions are meant to be simple and don't require any advanced php coding. They are more about handling a single array of data.
So if Mr hacker gets into the administrator section id like to filter out any php functions that could do serious damage before saving to the database.
Things like "exec, shell_exec, system, passthru, popen, proc_open, proc_close", anything that can allow outside input like curl need to be removed.
So what else could be dangerous and should be removed?
I found this list as well:
http://blog.eukhost.com/webhosting/dangerous-php-functions-must-be-disabled/
apache_child_terminate
apache_setenv
define_syslog_variables
escapeshellarg
escapeshellcmd
eval
exec
fp
fput
ftp_connect
ftp_exec
ftp_get
ftp_login
ftp_nb_fput
ftp_put
ftp_raw
ftp_rawlist
highlight_file
ini_alter
ini_get_all
ini_restore
inject_code
mysql_pconnect
openlog
passthru
php_uname
phpAds_remoteInfo
phpAds_XmlRpc
phpAds_xmlrpcDecode
phpAds_xmlrpcEncode
popen
posix_getpwuid
posix_kill
posix_mkfifo
posix_setpgid
posix_setsid
posix_setuid
posix_setuid
posix_uname
proc_close
proc_get_status
proc_nice
proc_open
proc_terminate
shell_exec
syslog
system
xmlrpc_entity_decode
You should NEVER run a function that is defined by user input. There are millions of ways that a user could disguise a function name that you can not stop. For example you can save a function name into a variable and run the function with the variable.
<?php
$test = "readfile";
$test("somePageWithDatabasePassword.php");
?>
That is perfectly valid. And if you think you can test for functions run from variables, there are ways around that using chr(), concatenation, hex...etc.
I'm storing php functions to a mySQL database from user input, these functions need to be able to be executed.
This is an awful idea. It'll be very difficult to compile a list of "safe" functions and PHP is full of local vulnerabilities that could be exploited by anyone knowledgeable enough.
Even white-listing would be very difficult; it would be difficult to detect code like $a = 'exe'; $a .= 'c'; $a('echo foo'); would be calling exec. Consider an alternative strategy that doesn't involve storing executable code.
Ive decided to go for something like this:
http://mustache.github.com/#demo
This will allow my users format there data in there own way without direct php code.