Reputation: 2336
I am trying to add security to the GET query passed to the exec function.
If I remove the escapeshellarg() function, it works fine. How do I fix this issue?
ajax_command.php
<?php
$command = escapeshellarg($_GET['command']);
exec("/usr/bin/php-cli " . $command);
?>
Assume the $_GET['command'] value is run.php -n 3
What other security checks can I add?
Upvotes: 0
Views: 471
Reputation: 287825
You want escapeshellcmd (escape a whole command, or in your case, a sequence of arguments) instead of escapeshellarg (escape just a single argument).
Notice that although you have taken special precautions, this code allows anyone to execute arbitrary commands on your server anyway, by specifying the whole PHP script in a -r option. Note that php.ini cannot be used to restrict this, since its location can be overridden with -c. In short (and with a very small error margin): this code creates a severe security vulnerability.
Upvotes: 6
Reputation: 46941
It will fail unless there's a file called run.php -n 3. You don't want to escape a single argument, you want to escape a filename and arguments.
This is not the proper way to do this. Have a single PHP script run all your commands for you, everything specified in command line arguments. Escape the arguments and worry about security inside that PHP file.
Or better yet, communicate through a pipe.
Upvotes: 1
Reputation: 7507
escapeshellarg returns a quoted value, so if it contains multiple arguments, it won't work, instead looking like a single stringesque argument. You should probably look at splitting the command up into several different parameters, then each can be escaped individually.
Upvotes: 1
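Putting the advice from the answers above together (allowlist the script, split the arguments and escape each one individually, keep php-cli's own options such as -r and -c out of reach), here is an added example of a hardened ajax_command.php. It is not code from the question or any answer; the script directory, the allowed script names and the -n option are assumptions to adapt to your own setup.

```php
<?php
// Added example (not from the original question or answers).
// Assumed: scripts live in SCRIPT_DIR and run.php accepts only "-n <integer>".
const SCRIPT_DIR      = '/var/www/cli';
const ALLOWED_SCRIPTS = ['run.php' => true];
const ALLOWED_FLAGS   = ['-n' => true];

/**
 * Turn a raw "command" string such as "run.php -n 3" into a shell-safe
 * command line. Returns null when any part of the input is rejected.
 */
function build_command(string $raw): ?string
{
    // Split on whitespace ourselves; the shell never sees the raw string.
    $parts = preg_split('/\s+/', trim($raw), -1, PREG_SPLIT_NO_EMPTY);
    if ($parts === false || count($parts) === 0) {
        return null;
    }

    // First token must be a bare, allowlisted script name (no "../", no "/").
    $script = array_shift($parts);
    if ($script !== basename($script) || !isset(ALLOWED_SCRIPTS[$script])) {
        return null;
    }

    // Remaining tokens: only known flags and small integers survive.
    $args = [];
    foreach ($parts as $arg) {
        if (!isset(ALLOWED_FLAGS[$arg]) && !preg_match('/^[0-9]{1,6}$/', $arg)) {
            return null;
        }
        $args[] = $arg;
    }

    // -f names the script explicitly; "--" tells php-cli that everything after
    // it belongs to the script, so a stray -r or -c can never reach php-cli.
    $cmd = '/usr/bin/php-cli -f ' . escapeshellarg(SCRIPT_DIR . '/' . $script);
    if ($args !== []) {
        $cmd .= ' -- ' . implode(' ', array_map('escapeshellarg', $args));
    }
    return $cmd;
}

$cmd = build_command($_GET['command'] ?? '');
if ($cmd === null) {
    http_response_code(400);
    exit('command rejected');
}
exec($cmd, $output, $status);
echo implode("\n", $output);
```

With these rules, run.php -n 3 becomes /usr/bin/php-cli -f '/var/www/cli/run.php' -- '-n' '3', while inputs such as -r 'phpinfo();' or ../other.php are rejected before exec is ever called.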