ID: 40030 Updated by: [EMAIL PROTECTED] Reported By: admin at digibase dot ca -Status: Open +Status: Bogus Bug Type: Scripting Engine problem Operating System: Linux PHP Version: 5.2.1RC2 New Comment:
Sorry, but your problem does not imply a bug in PHP itself. For a list of more appropriate places to ask for help using PHP, please visit http://www.php.net/support.php as this bug system is not the appropriate forum for asking support questions. Due to the volume of reports we can not explain in detail here why your report is not a bug. The support channels will be able to provide an explanation for you. Thank you for your interest in PHP. The command in backtics is processed before it even reaches PHP. Backticks are execution elements on shell as well. Previous Comments: ------------------------------------------------------------------------ [2007-01-05 17:57:06] admin at digibase dot ca correction: php ./script.php "blah `exec'd command`" ------------------------------------------------------------------------ [2007-01-05 17:56:04] admin at digibase dot ca Here's the code that's executed via the cli: <? $text = $argv[1]; $text = escapeshellarg(escapeshellcmd(strtolower($text))); echo $text; ?> here's the command: php ./script.php blah `exec'd command` ------------------------------------------------------------------------ [2007-01-05 15:25:23] [EMAIL PROTECTED] Thank you for this bug report. To properly diagnose the problem, we need a short but complete example script to be able to reproduce this bug ourselves. A proper reproducing script starts with <?php and ends with ?>, is max. 10-20 lines long and does not require any external resources such as databases, etc. If the script requires a database to demonstrate the issue, please make sure it creates all necessary tables, stored procedures etc. Please avoid embedding huge scripts into the report. passing `rm` to escapeshellarg() encloses the text in single quotes, preventing it from being executed. ------------------------------------------------------------------------ [2007-01-05 11:38:51] admin at digibase dot ca I was unclear on the situation - This is code being executed from IRC via the CLI, when someone per-se says "status `rm`" it actually tries doing that specific code. ------------------------------------------------------------------------ [2007-01-05 11:36:08] admin at digibase dot ca Description: ------------ Whenever I attempt to escape any code, backticks still execute without a problem - whenever I execute it from the CLI (Where I want it to execute from), it accepts injection no matter WHAT I do It seems as if there's only one way to disable this, which is enable safe mode, however, that presents problems, it disables functions I want enabled and causes problems on the webserver attached. Reproduce code: --------------- $text = escapeshellarg(escapeshellcmd(strtolower($text))); Expected result: ---------------- Filter out and prevent injection of arbitary code while sending the clean text on for processing in an if/elseif/else tree Actual result: -------------- When run like php ./script status && `rm` rm actually decides to run. not under privledges but it can cause damage ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=40030&edit=1