Security of executing a command from php

Question:

I'm writing a web application in which I use several third-party commands, calling them with the exec function in PHP (for example, I render LaTeX formulas through a command-line program).

My question is: what are the security issues of executing external command-line programs in PHP? What do I have to be aware of? Can you give me a list of points to check?

EDIT: I'm aware that I have to clean the user input to prevent executing arbitrary commands... Are there any other things to check?

Thanks in advance.

Answer1:

Be careful to escape any incoming data that you may be putting into the command using <a href="http://www.php.net/escapeshellarg" rel="nofollow">escapeshellarg()</a>.

Using absolute paths to the executable of your choice minimizes the risk of the PHP script calling the wrong file.

Other than that, I fail to see what the fuss in some of the other answers is about - after all, you are not talking about letting users execute arbitrary commands. (Correct me if I'm wrong.) In general, executing external commands from PHP is a perfectly fine practice security-wise IMO.

You need to keep in mind that the program you call is running with the PHP user's rights and may not be allowed to do everything, but I assume you already know that.

Answer2:

You have to watch out for these things:

<ul>
<li>Non-Fixed commands, that means <em>you</em> should supply the command, user input should only be parameters, if at all.</li>
<li>Parameters that trick the command into executing other commands. Semicolon + command name is a likely candidate for that.</li>
<li>Escape chars that will trick exec into executing other commands.</li>
<li>User-uploaded content that will make the command execute other commands, either directly (through some template, include or chaining mechanism) or indirectly through security holes (memory leaks, stack overflows, etc) in the called command.</li>
<li>Relative paths in parameters. Always try to convert them to absolute paths and compare with a list of allowed paths.</li>
</ul>

Security mechanisms against exploits are:

<ul>
<li>Strict whitelisting of commands, parameters and file/path names.</li>
<li>Running the command as a specific user with very few privileges.</li>
<li>Sandboxing the command in a chroot jail.</li>
</ul>

Answer3:

If other people are allowed to install programs in the base path, you might find yourself not executing what you expect.

Keep in mind you execute these programs with your privileges, so if they get somehow changed, your account might be compromised.

Answer4:

How about not cleansing your user inputs so they can execute any command they like... such as format ;-)

Answer5:

The biggest concern is that you will be able to execute almost any system command. Therefore at a minimum you need to make sure any input supplied by a user and used in the exec command is properly escaped and validated.

This article has a good explanation:

<a href="http://onlamp.com/pub/a/php/2003/08/28/php_foundations.html" rel="nofollow">http://onlamp.com/pub/a/php/2003/08/28/php_foundations.html</a>

Answer6:

Validating the input is extremely underestimated for exec. There are so many possibilities to abuse such commands that you cannot imagine (basic example, have you thought about filtering pipes and redirects?).

I would suggest to run the commands in exec in some secure sandbox such that your OS is not visible. However, keep in mind that this is very hard since PHP will run in your OS.

Answer7:

I would strongly suggest running away. Dumping untrusted data on the command line is a little bit risky. Much better to start the external program with fixed arguments and pass data to it. You may also need to have more permissions for the PHP interpreter than you would like or make the program whatsit-bit set, neither of which particularly appeals to me.
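An added example (not code from any of the answers) combining the advice in Answer1, Answer2 and Answer7: a fixed command given by absolute path, started without a shell, with the user's data passed on stdin instead of the command line. The function name `run_fixed`, the size limit and the use of `/bin/cat` as a stand-in for the real renderer are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Run a fixed argv and hand the untrusted data to it on stdin only.
 * With an array command (PHP >= 7.4) proc_open starts the program directly,
 * so no shell is present to interpret ';', '|', '>' or backticks.
 */
function run_fixed(array $argv, string $input, int $maxBytes = 4096): string
{
    // Validate the data: bounded size (also keeps the stdin write from blocking), no NUL bytes.
    if (strlen($input) > $maxBytes || strpos($input, "\0") !== false) {
        throw new InvalidArgumentException('input rejected');
    }
    // The command is chosen by the application, never by the user, and is
    // an absolute path so PATH lookup cannot pick up a different binary.
    if (strncmp($argv[0], '/', 1) !== 0 || !is_executable($argv[0])) {
        throw new RuntimeException('command must be an absolute, executable path');
    }
    $spec = [
        0 => ['pipe', 'r'],             // child's stdin: we write the data here
        1 => ['pipe', 'w'],             // child's stdout: we read the result
        2 => ['file', '/dev/null', 'a'] // discard stderr so the child cannot block on it
    ];
    // Minimal environment and a neutral working directory for the child.
    $env  = ['PATH' => '/usr/bin:/bin', 'LC_ALL' => 'C'];
    $proc = proc_open($argv, $spec, $pipes, sys_get_temp_dir(), $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start process');
    }
    fwrite($pipes[0], $input);
    fclose($pipes[0]);                  // EOF tells the child the input is complete
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $status = proc_close($proc);
    if ($status !== 0) {
        throw new RuntimeException("command exited with status $status");
    }
    return $out;
}

// Constructed input containing shell metacharacters. /bin/cat stands in for
// the formula renderer; the text comes back as plain bytes, nothing is run.
$formula = 'x^2; echo injected | tee out.txt';
echo run_fixed(['/bin/cat'], $formula), PHP_EOL;
```

If a value has to go on the command line after all, it belongs in its own element of the `$argv` array; with the string form of `exec()` it needs `escapeshellarg()` as Answer1 says.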
