Steven

Reputation: 13985

PHP File Injection?

I have a script that calls a bash script that does some processing, but the script calls the bash script using user-inputted data.

I am wondering if there is a way to make sure the person (it's a file upload) doesn't append something like ;cd /;rm -rf * to the end of the file, or anything else like that. Would normal MySQL injection methods work? Is there a better alternative?

Upvotes: 3

Views: 1294

Answers (3)

Christian

Reputation: 28134

Securing this process is a two-way procedure:

  1. ensuring the input meets some criteria (especially on maximum types)
  2. ensuring the input cannot leak and change the process itself

Let's say I'm passing a number to a program...

$num = $_GET['num']; // get the input
$num = (int)$_GET['num']; // ensure it is an integer
$num = max($num, 0); // ensure it is at least 0
$num = min($num, 800); // ensure it is at most 800

$num = escapeshellarg($num); // this is overkill at this point, but you never know

exec('command '.$num);

As advised above, you can also have your own little language to do this but...

  1. it may still be vulnerable
  2. it may be overkill for a simple task
  3. it is just an advanced version of the filter system

Finally, there's another alternative. There are functions that accept the command and parameters as separate arguments, such as popen() (you can push command arguments through pipes). But this depends on implementation.

Upvotes: 0

Andy

Reputation: 2140

Did you check escapeshellcmd() and escapeshellarg() or am I missing the point?

Upvotes: 1

phihag

Reputation: 288060

Being able to inject shell commands would be ... shell command injection, and neither file nor SQL injection. To secure against it, use escapeshellarg:

exec('bash bash-script ' . escapeshellarg($userInput));

Upvotes: 5
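The following is an added example, not code from any of the answers above. It puts the three approaches from this thread side by side: the vulnerable string concatenation from the question, the escapeshellarg() fix from phihag's answer, and the "make the input meet some criteria" allowlisting from Christian's answer, plus proc_open() with an array command (PHP 7.4 or later), which hands the arguments to execve() without a shell so there is nothing for a ';' to inject into. The script name bash-script is taken from phihag's answer; the hostile filename is constructed for the demo and everything else (function names, the allowlist pattern) is an assumption of this example.

```php
<?php
// Added example: shell command injection in a PHP -> bash call, and three
// ways to stop it. Not from the original answers.
declare(strict_types=1);

// Constructed hostile input: an uploaded "filename" carrying the payload from
// the question.
$userInput = 'report.txt;cd /;rm -rf *';

// 1. Vulnerable: the string is handed to /bin/sh, which splits on ';' and
//    runs three separate commands.
function buildVulnerable(string $input): string
{
    return 'bash bash-script ' . $input;
}

// 2. Escaped: escapeshellarg() wraps the value in single quotes and escapes
//    any embedded single quote, so the shell passes it on as ONE argument.
function buildEscaped(string $input): string
{
    return 'bash bash-script ' . escapeshellarg($input);
}

// 3. Allowlist: for an uploaded file, keep only the base name (no directory
//    traversal) and accept a conservative character set. The pattern also
//    rejects a leading '-' so the script cannot mistake the value for an
//    option when it passes it on to rm, cp, etc. Returns null on rejection.
function validUploadName(string $name): ?string
{
    $base = basename($name);
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $base)) {
        return null;
    }
    return $base;
}

// 4. No shell at all: proc_open() with an array command (PHP >= 7.4) passes
//    $argv straight to execve(). Shell metacharacters are just bytes here.
function runWithoutShell(array $argv): array
{
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['status' => proc_close($proc), 'stdout' => $stdout, 'stderr' => $stderr];
}

echo "vulnerable command line: ", buildVulnerable($userInput), "\n";
echo "escaped command line:    ", buildEscaped($userInput), "\n";

// The payload contains ';' and spaces, so the allowlist rejects it.
var_dump(validUploadName($userInput));
// Traversal is neutralised by basename() before the pattern is applied.
var_dump(validUploadName('../../etc/passwd'));
var_dump(validUploadName('report.txt'));

// Without a shell, printf receives the whole payload as a single argument
// and simply prints it back; nothing is executed.
$result = runWithoutShell(['printf', '%s\n', $userInput]);
echo "no-shell stdout: ", $result['stdout'];

// Real use, after validation has accepted the name:
// $name = validUploadName($_FILES['upload']['name']) ?? exit('bad filename');
// $result = runWithoutShell(['bash', 'bash-script', $name]);
```

escapeshellarg() solves the problem the question asks about, namely the shell parsing the metacharacters in the argument. It does not protect you from what bash-script itself does with "$1": if the script builds further commands from it without quoting, uses eval, or passes it as a bare argument to a tool that accepts options, the allowlist is what saves you. Validating first and then avoiding the shell entirely is the combination to aim for.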
