I'm writing a web application in which I use several third-party commands, calling them with the exec
function in PHP (for example, I render LaTeX formulas through a command-line program).
My question is: what are the security issues of executing external command-line programs in PHP? What do I have to be aware of? Can you give me a list of points to check?
EDIT: I'm aware that I have to clean the user input to prevent executing arbitrary commands... Are there any other things to check?
Thanks in advance.
Be careful to escape any incoming data that you may be putting into the command using escapeshellarg().
Using absolute paths to the executable of your choice minimizes the risk of the PHP script calling the wrong file.
Other than that, I fail to see what the fuss in some of the other answers is about - after all, you are not talking about letting users execute arbitrary commands. (Correct me if I'm wrong.) In general, executing external commands from PHP is a perfectly fine practice security-wise IMO.
You need to keep in mind that the program you call is running with the PHP user's rights and may not be allowed to do everything, but I assume you already know that.
You have to watch out for these things:
- Non-fixed commands: you should supply the command yourself; user input should only ever be parameters, if at all.
- Parameters that trick the command into executing other commands. Semicolon + command name is a likely candidate for that.
- Escape chars that will trick exec into executing other commands.
- User-uploaded content that will make the command execute other commands, either directly (through some template, include or chaining mechanism) or indirectly through security holes (memory leaks, stack overflows, etc) in the called command.
- Relative paths in parameters. Always try to convert them to absolute paths and compare with a list of allowed paths.
Security mechanisms against exploits are:
- Strict whitelisting of commands, parameters and file/path names.
- Running the command as a specific user with very few privileges.
- Sandboxing the command in a chroot jail.
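As an added example (not code from any of the answers above), this is how the points in this answer combine in PHP: a fixed command at an absolute path, a whitelisted file name, a realpath() check against an allowed directory, and escapeshellarg() on every argument. The binary path and the work directory are assumptions.

```php
<?php
// Added example: hardened wrapper for running a fixed external command from PHP.
// Assumed paths (not from the original answers):
const LATEX_BIN = '/usr/bin/pdflatex';    // fixed command, absolute path
const WORK_DIR  = '/var/app/latex-jobs';  // the only directory we will read from

declare(strict_types=1);

/**
 * Render a .tex file whose name was supplied by the user.
 * Returns the command's exit status; throws on any input that fails validation.
 */
function renderTex(string $userFile): int
{
    // 1. Whitelist the file name: letters, digits, underscore, fixed ".tex" suffix.
    //    Semicolons, pipes, redirects, spaces and ".." never get past this.
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\.tex\z/', $userFile)) {
        throw new InvalidArgumentException('file name rejected by whitelist');
    }

    // 2. Resolve both the base directory and the file to absolute paths and
    //    confirm the file really lives inside WORK_DIR (catches symlink tricks
    //    that a name-only check would miss).
    $base = realpath(WORK_DIR);
    $path = realpath(WORK_DIR . '/' . $userFile);
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        throw new InvalidArgumentException('file is not inside the work directory');
    }

    // 3. The command and its flags are fixed; only data goes through escapeshellarg().
    //    -no-shell-escape stops the renderer itself from spawning commands.
    $cmd = LATEX_BIN
         . ' -interaction=nonstopmode'
         . ' -no-shell-escape'
         . ' -output-directory=' . escapeshellarg($base)
         . ' ' . escapeshellarg($path)
         . ' 2>&1';

    exec($cmd, $output, $status);
    return $status;
}
```

Run the PHP process itself as a low-privilege user (and, if you can, inside a chroot or container) so that even a bug in the renderer cannot reach the rest of the system.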
If other people are allowed to install programs in the base path, you might find yourself not executing what you expect.
Keep in mind you execute these programs with your privileges, so if they get somehow changed, your account might be compromised.
How about using not cleansing your user inputs so they can execute any command they like... such as format ;-)
The biggest concern is that you will be able to execute almost any system command. Therefore at a minimum you need to make sure any input supplied by a user and used in the exec command is properly escaped and validated.
This article has a good explanation:
http://onlamp.com/pub/a/php/2003/08/28/php_foundations.html
Validating the input is extremely underestimated for exec. There are so many possibilities to abuse such commands that you cannot imagine (basic example: have you thought about filtering pipes and redirects?).
I would suggest to run the commands in exec in some secure sandbox such that your OS is not visible. However, keep in mind that this is very hard since PHP will run in your OS.
I would strongly suggest running away. Dumping untrusted data on the command line is a little bit risky. Much better to start the external program with fixed arguments and pass data to it. You may also need to have more permissions for the PHP interpreter than you would like or make the program whatsit-bit set, neither of which particularly appeals to me.