esffsefesffsesef

Reputation: 45

Is this usage of exec() safe when using escapeshellarg()?

I have this code :

$path = "/somedirectory/$user";
echo exec('du -s '.escapeshellarg($path));

This code is used to check how much space the user uses in his directory. The $user value can be any alphanumeric value and ".-"

Is it safe to use it?

Upvotes: 1

Views: 386

Answers (3)

Gumbo

Reputation: 655229

escapeshellarg ensures that the value is interpreted as a single, plain shell argument without further shell expansion (e.g., no `…`, $(…), ${…}, etc.). That means that any value in $path is passed as-is as a single argument to du.

However, as already mentioned, it does not prevent passing arguments that may be malicious when interpreted by the executable.

Upvotes: 2

luckyee

Reputation: 98

Safe only if your exec does not rely on any $user-related commands.

For example, $user . "/du -s " is absolutely unsafe.

Upvotes: 0

Austin

Reputation: 3328

This is safe in the sense that it won't run arbitrary commands, but depending on how $user gets set, .. could sneak in there, which would let whoever is looking at this see the size of the / directory, which may or may not be of concern to you.

Upvotes: 1
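The answers above agree that escapeshellarg() settles the shell-quoting question but not the path question: a $user of ".." still resolves to a directory the code never meant to measure. The following is an added example, not code from the question or from any of the answers, showing how the same du call can be hardened. It assumes the base directory /somedirectory from the question and treats $_GET['user'] as a constructed stand-in for wherever $user really comes from; the function names and the 64-character length limit are choices made for this example.

```php
<?php
// Added example (not from the question or the answers): hardening the
// "du -s" call so that $user cannot escape /somedirectory via "..".
// Assumptions: base directory /somedirectory; $user is user-supplied.

declare(strict_types=1);

const BASE_DIR = '/somedirectory';

/**
 * Validate $user against the character set the question allows
 * (alphanumeric plus "." and "-") and additionally reject the names
 * "." and "..", which that character set permits but escapeshellarg()
 * does nothing about.
 */
function isValidUserName(string $user): bool
{
    if ($user === '' || strlen($user) > 64) {   // length cap is an arbitrary choice
        return false;
    }
    if (!preg_match('/^[A-Za-z0-9.-]+$/', $user)) {
        return false;
    }
    // "." and ".." refer to the base directory or its parent, never to a user.
    if ($user === '.' || $user === '..') {
        return false;
    }
    return true;
}

/**
 * Resolve the user's directory and confirm it really lies under BASE_DIR.
 * realpath() follows symlinks, so a user directory that is a symlink to
 * somewhere outside the base is rejected as well. Returns null when the
 * directory is outside the base or does not exist.
 */
function resolveUserDir(string $user): ?string
{
    if (!isValidUserName($user)) {
        return null;
    }
    $base = realpath(BASE_DIR);
    $real = realpath(BASE_DIR . '/' . $user);
    if ($base === false || $real === false) {
        return null;
    }
    // The resolved path must start with "<base>/" and must not be the base itself.
    if ($real === $base || strncmp($real, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

/**
 * Build the command the question builds, but only for a path that passed
 * the checks above. escapeshellarg() still does the shell quoting; "--"
 * ends option parsing so the argument can never be read as a du option.
 */
function duCommandFor(string $user): ?string
{
    $dir = resolveUserDir($user);
    if ($dir === null) {
        return null;
    }
    return 'du -s -- ' . escapeshellarg($dir);
}

$user = $_GET['user'] ?? '';   // constructed input source for the example
$cmd = duCommandFor($user);
if ($cmd === null) {
    http_response_code(400);
    echo "invalid user\n";
} else {
    echo exec($cmd), "\n";
}
```

The three layers are deliberately separate: the regex enforces the character set the question already states, the realpath() containment check catches anything that still resolves outside the base (including symlinks, which the regex cannot see), and escapeshellarg() plus `--` keep the shell and du from interpreting the path as anything other than a path. Dropping any one of them reintroduces a case the answers describe.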
