ID:               40030
 User updated by:  admin at digibase dot ca
 Reported By:      admin at digibase dot ca
-Status:           Feedback
+Status:           Open
 Bug Type:         Scripting Engine problem
 Operating System: Linux
 PHP Version:      5.2.1RC2
 New Comment:

Here's the code that's executed via the cli:
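<?php
// First command-line argument, as delivered by the invoking shell
$text = $argv[1];
// Lower-case the text, then apply escapeshellcmd() and escapeshellarg()
$text = escapeshellarg(escapeshellcmd(strtolower($text)));
echo $text;
?>
Here's the command: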
php ./script.php blah `exec'd command`


Previous Comments:
------------------------------------------------------------------------

[2007-01-05 15:25:23] [EMAIL PROTECTED]

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

passing `rm` to escapeshellarg() encloses the text in single 
quotes, preventing it from being executed.

------------------------------------------------------------------------

[2007-01-05 11:38:51] admin at digibase dot ca

I was unclear on the situation - This is code being 
executed from IRC via the CLI, when someone per-se 
says "status `rm`" it actually tries doing that specific 
code.

------------------------------------------------------------------------

[2007-01-05 11:36:08] admin at digibase dot ca

Description:
------------
Whenever I attempt to escape any code, backticks still 
execute without a problem - whenever I execute it from the 
CLI (Where I want it to execute from), it accepts 
injection no matter WHAT I do

It seems as if there's only one way to disable this, which 
is enable safe mode, however, that presents problems, it 
disables functions I want enabled and causes problems on 
the webserver attached.

Reproduce code:
---------------
$text = escapeshellarg(escapeshellcmd(strtolower($text)));

Expected result:
----------------
Filter out and prevent injection of arbitrary code while 
sending the clean text on for processing in an 
if/elseif/else tree

Actual result:
--------------
When run like

php ./script status && `rm`

rm actually decides to run. Not under privileges but it 
can cause damage


------------------------------------------------------------------------
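
In the command lines quoted in this thread, the backticks are expanded by the shell that launches `php`, before the script starts, so escaping inside the script only ever sees the result. The sketch below is an added example, not code from the bug report or from PHP: it compares a wrapper that pastes untrusted text into a command string with two that do not. `printf` stands in for `script.php`, and the function names and the sample message are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of an untrusted chat message; the backticks wrap a harmless echo.
untrusted='status `echo INJECTED`'

# Weak: the message is pasted into a string that a shell parses. That shell
# performs command substitution and word splitting before the receiver
# (printf here, script.php in the report) starts, so the receiver is handed
# the substituted output and cannot undo it.
run_weak() {
    sh -c "printf '[%s]' $1"
}

# Corrected, preferred: pass the message as one argv element with no second
# round of shell parsing. Quoted expansions are not rescanned for backticks.
run_argv() {
    printf '[%s]' "$1"
}

# Caller-side equivalent of escapeshellarg(): wrap in single quotes and
# rewrite each embedded ' as '\''. Assumes single-line input, since
# $(...) strips trailing newlines.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Corrected, when a command string is unavoidable: quote the value before
# it is placed into the string that the shell will parse.
run_quoted() {
    sh -c "printf '[%s]' $(sh_quote "$1")"
}

# Show what the receiver is handed in each case.
for f in run_weak run_argv run_quoted; do
    printf '%-10s %s\n' "$f" "$($f "$untrusted")"
done
```

Only `run_weak` hands the receiver the output of the embedded command; the other two deliver the backticks as literal text.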


-- 
Edit this bug report at http://bugs.php.net/?id=40030&edit=1