Filter var for calling a shellscript with system o

Published 2019-07-26 21:05

Question:

I need to filter these variables to call system() in PHP and execute a shell script. Which filter_var SANITIZE macro do I need to use to remove ";" or avoid problems during shell execution, like unwanted chars, etc.?

This is my code testing example; for now I've hardcoded the vars for testing. Thanks!

<?php
/* Parameters read straight from the query string (the question is how to filter them) */
$ragionesociale = $_GET["ragionesociale"]; /* Alphanumeric with spaces, trimmed next */
$api = $_GET["api"];                       /* Uri with space encoded (original read "ragionesociale" here, a copy-paste slip) */
$sito = $_GET["sito"];                     /* Uri with space encoded */
$meta = $_GET["meta"];                     /* Address, CF, a lot of things... */
$tmp_dir = "tmp_app";                      /* Fixed value, not user supplied */

/* Bail out if any expected parameter is missing */
if(!filter_has_var(INPUT_GET, "ragionesociale") ||
   !filter_has_var(INPUT_GET, "sito") ||
   !filter_has_var(INPUT_GET, "meta") ||
   !filter_has_var(INPUT_GET, "api")
){
 echo("Input type does not exist");
 exit();
}

/* The values are concatenated into the command line unescaped: this is the call the question is about */
system("../configmyapp2.sh ".$ragionesociale." ".$api." ".$sito." ".$meta." ".$tmp_dir);

Answer 1:

http://php.net/manual/en/function.escapeshellarg.php

Pass your command line parameters through this and you're safe ;) Also, I'd recommend you use exec() instead of system() or even shell_exec(), because you'll be able to get the return value from your script as well as any text output, which you may want to use.



Answer 2:

If this can be triggered by other users, then I would not go with this method.

It's very dangerous, especially with your multiple parameters and sanitization rules.



Answer 3:

You might be interested in escapeshellarg().

escapeshellarg() adds single quotes around a string and quotes/escapes any existing single quotes allowing you to pass a string directly to a shell function and having it be treated as a single safe argument. This function should be used to escape individual arguments to shell functions coming from user input. The shell functions include exec(), system() and the backtick operator.


Answer 4:

There is no built-in sanitization filter that can do this; however, you can fake it with FILTER_CALLBACK and escapeshellarg like this:

$var = filter_var($input, FILTER_CALLBACK, array('options' => 'escapeshellarg'));
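Putting Answers 1, 3 and 4 together, here is a hardened version of the question's system() call. This is an added example, not code from the question or from any of the answers. It assumes the script path and the fixed tmp_dir from the question, and the allowlist regexes are assumptions about what each parameter should look like; adjust them to the real formats. Validation (filter_var with FILTER_VALIDATE_REGEXP) and quoting (escapeshellarg) are kept as two separate controls: the allowlist rejects anything that should never reach the script, and escapeshellarg guarantees that whatever does reach the shell is passed as one literal word.

```php
<?php
declare(strict_types=1);

// Added example: hardened version of the question's system() call. Not code
// from the question or the answers. PARAM_RULES are assumed formats.
// "../configmyapp2.sh" and "tmp_app" come from the question.

// Each pattern anchors the first character to a letter or digit, so a value
// can never begin with "-" and be mistaken for an option by the script
// (escapeshellarg() does not protect against that on its own).
const PARAM_RULES = [
    'ragionesociale' => '/^[A-Za-z0-9][A-Za-z0-9 ]{0,99}$/',                   // name with spaces
    'api'            => '~^https?://[A-Za-z0-9][A-Za-z0-9.%/?=&:_-]{0,199}$~', // URI, spaces %-encoded
    'sito'           => '~^https?://[A-Za-z0-9][A-Za-z0-9.%/?=&:_-]{0,199}$~',
    'meta'           => '/^[\p{L}\p{N}][\p{L}\p{N} .,\/@_-]{0,499}$/u',         // address, CF, ...
];

/**
 * Validate the request parameters against PARAM_RULES.
 * Returns the trimmed values, or null if any parameter is missing or malformed.
 */
function validateParams(array $input): ?array
{
    $clean = [];
    foreach (PARAM_RULES as $name => $regex) {
        // $_GET values can be arrays (?meta[]=x); accept only scalar strings.
        if (!isset($input[$name]) || !is_string($input[$name])) {
            return null;
        }
        $value = filter_var(
            trim($input[$name]),
            FILTER_VALIDATE_REGEXP,
            ['options' => ['regexp' => $regex]]
        );
        if ($value === false) {
            return null;
        }
        $clean[$name] = $value;
    }
    return $clean;
}

/**
 * Build the command line. escapeshellarg() wraps each value in single quotes
 * and rewrites an embedded single quote as '\'' so the shell sees exactly one
 * literal argument per value, no matter what metacharacters it contains.
 */
function buildCommand(string $script, array $args): string
{
    $quoted = array_map('escapeshellarg', array_values($args));
    return escapeshellarg($script) . ' ' . implode(' ', $quoted);
}

/**
 * Run the script with exec(), as Answer 1 suggests, and return
 * [exit code, output lines] so the caller can act on the result.
 */
function runConfigScript(array $input, string $script = '../configmyapp2.sh'): array
{
    $params = validateParams($input);
    if ($params === null) {
        return [1, ['Input type does not exist or is malformed']];
    }
    $params['tmp_dir'] = 'tmp_app';   // fixed value, never taken from the request

    $output = [];
    $code = 1;
    exec(buildCommand($script, $params) . ' 2>&1', $output, $code);
    return [$code, $output];
}

// Constructed injection attempt: ";" is outside every allowlist, so the request
// is rejected before any command line is built.
$attack = [
    'ragionesociale' => 'Acme Srl',
    'api'            => 'http://api.example/v1?x=1',
    'sito'           => 'http://www.example/',
    'meta'           => 'Via Roma 1; rm -rf /',
];
var_dump(validateParams($attack) === null);   // bool(true)

// Even without the allowlist, escapeshellarg() alone neutralises shell syntax:
echo buildCommand('../configmyapp2.sh', ['$(id)', "a'b", '; rm -rf /']), "\n";
// '../configmyapp2.sh' '$(id)' 'a'\''b' '; rm -rf /'

// Real request (in the CLI $_GET is empty, so this simply reports the rejection):
[$code, $lines] = runConfigScript($_GET);
echo "exit code $code\n", implode("\n", $lines), "\n";
```

Two caveats worth knowing: escapeshellarg() behaves differently on Windows (it surrounds the value with double quotes and replaces %, ! and embedded double quotes with spaces), so the single-quote reasoning above is POSIX-only; and since PHP 7.4 proc_open() accepts the command as an array of argv strings, which starts the script without a shell at all and removes the quoting question entirely. That is the cleanest answer to Answer 2's concern when the endpoint is reachable by untrusted users.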