Re: [PHP] securing a script that exec()s
On Fri, Mar 30, 2012 at 7:05 AM, David OBrien dgobr...@gmail.com wrote:
Find a way to do it using PHP's imagemagick extensions
http://php.net/manual/en/book.imagick.php
On Fri, Mar 30, 2012 at 5:56 AM, rene7705 rene7...@gmail.com wrote:
Hi.
I have a script that uses imagemagick's convert command on the commandline
to get it's work done.
These calls to exec('convert [params]') take params from the end-user via a
html form, so is very unsecure.
The intention is that the end-user only runs this script on localhost, from
localhost.
So now i'm checking $_SERVER['REMOTE_ADDR']===$_SERVER['SERVER_ADDR'] to
see if I can allow the script to be used.
But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and
$_SERVER['SERVER_ADDR'] is my internal IP.
How would I best fix this?
I, too, would suggest you use the PHP extensions rather than shell out
a command for various reasons, security being possibly the highest.
There is also the cost of another process on the box, and doing the
translation in and out.
And David, please bottom post responses.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] securing a script that exec()s
On Sat, Mar 31, 2012 at 1:37 AM, rene7705 rene7...@gmail.com wrote: escapeshellcmd() seems simplest. It might be if all you care about are shell meta characters, and admittedly it will save you from someone entering rm -rf / in your input field. But dealing with generic user input, even escaped, can still be problematic. Say you want to let the user set the size of the output file, and the user enters a bunch of letters instead of a geometry. Do you really want to have to deal with all the possible ramifications of such GIGO stuff? Better to vet the data, untaint it, and deal with it that way. When you've gone to all that, you're almost all the way to where you need to be to use the library functions. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] securing a script that exec()s
Hi.
I have a script that uses imagemagick's convert command on the commandline
to get it's work done.
These calls to exec('convert [params]') take params from the end-user via a
html form, so is very unsecure.
The intention is that the end-user only runs this script on localhost, from
localhost.
So now i'm checking $_SERVER['REMOTE_ADDR']===$_SERVER['SERVER_ADDR'] to
see if I can allow the script to be used.
But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and
$_SERVER['SERVER_ADDR'] is my internal IP.
How would I best fix this?
Re: [PHP] securing a script that exec()s
Bastien Koert
On 2012-03-30, at 5:56 AM, rene7705 rene7...@gmail.com wrote:
Hi.
I have a script that uses imagemagick's convert command on the commandline
to get it's work done.
These calls to exec('convert [params]') take params from the end-user via a
html form, so is very unsecure.
The intention is that the end-user only runs this script on localhost, from
localhost.
So now i'm checking $_SERVER['REMOTE_ADDR']===$_SERVER['SERVER_ADDR'] to
see if I can allow the script to be used.
But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and
$_SERVER['SERVER_ADDR'] is my internal IP.
How would I best fix this?
Validate the data?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] securing a script that exec()s
Find a way to do it using PHP's imagemagick extensions
http://php.net/manual/en/book.imagick.php
On Fri, Mar 30, 2012 at 5:56 AM, rene7705 rene7...@gmail.com wrote:
Hi.
I have a script that uses imagemagick's convert command on the commandline
to get it's work done.
These calls to exec('convert [params]') take params from the end-user via a
html form, so is very unsecure.
The intention is that the end-user only runs this script on localhost, from
localhost.
So now i'm checking $_SERVER['REMOTE_ADDR']===$_SERVER['SERVER_ADDR'] to
see if I can allow the script to be used.
But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and
$_SERVER['SERVER_ADDR'] is my internal IP.
How would I best fix this?
Re: [PHP] securing a script that exec()s
On Fri, Mar 30, 2012 at 11:56:41AM +0200, rene7705 wrote: ... But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and $_SERVER['SERVER_ADDR'] is my internal IP. How would I best fix this? Simply log on your box via ssh (if its a unix system) and run your script from console or with textmode browser lynx. But the best solution would be to secure the exec call. -- Regards, Peter Bauer PHP developer -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] securing a script that exec()s
Sender: dgobr...@gmail.com
Subject: Re: [PHP] securing a script that exec()s
Message-Id: CAF=yD_3efQkA_kz169ooYQ2z7g=g75sjghadnvw+irjzp8q...@mail.gmail.com
Recipient: adam.nicho...@hl.co.uk
__
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
__---BeginMessage---
Find a way to do it using PHP's imagemagick extensions
http://php.net/manual/en/book.imagick.php
On Fri, Mar 30, 2012 at 5:56 AM, rene7705 rene7...@gmail.com wrote:
Hi.
I have a script that uses imagemagick's convert command on the commandline
to get it's work done.
These calls to exec('convert [params]') take params from the end-user via a
html form, so is very unsecure.
The intention is that the end-user only runs this script on localhost, from
localhost.
So now i'm checking $_SERVER['REMOTE_ADDR']===$_SERVER['SERVER_ADDR'] to
see if I can allow the script to be used.
But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and
$_SERVER['SERVER_ADDR'] is my internal IP.
How would I best fix this?
---End Message---
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] securing a script that exec()s
On Fri, Mar 30, 2012 at 3:16 PM, Peter Bauer p...@archivum.info wrote: On Fri, Mar 30, 2012 at 11:56:41AM +0200, rene7705 wrote: ... But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and $_SERVER['SERVER_ADDR'] is my internal IP. How would I best fix this? Simply log on your box via ssh (if its a unix system) and run your script from console or with textmode browser lynx. But the best solution would be to secure the exec call. How would I best secure the exec call?
Re: [PHP] securing a script that exec()s
On Mar 30, 2012, at 9:25 AM, rene7705 wrote: On Fri, Mar 30, 2012 at 3:16 PM, Peter Bauer p...@archivum.info wrote: On Fri, Mar 30, 2012 at 11:56:41AM +0200, rene7705 wrote: ... But unfortunately, $_SERVER['REMOTE_ADDR'] is my external IP, and $_SERVER['SERVER_ADDR'] is my internal IP. How would I best fix this? Simply log on your box via ssh (if its a unix system) and run your script from console or with textmode browser lynx. But the best solution would be to secure the exec call. How would I best secure the exec call? What would the form input look like? Mike Mackintosh PHP, the drug of choice - www.highonphp.com
