<?xml version="1.0" encoding="utf-8"?>
<!-- $Revision$ -->
<!-- split from ./en/functions/exec.xml, last change in rev 1.2 -->
<refentry xml:id="function.escapeshellcmd" xmlns="http://docbook.org/ns/docbook">
<refnamediv>
<refname>escapeshellcmd</refname>
<refpurpose>Escape shell metacharacters</refpurpose>
</refnamediv>
<refsect1 role="description">
&reftitle.description;
<methodsynopsis>
<type>string</type><methodname>escapeshellcmd</methodname>
<methodparam><type>string</type><parameter>command</parameter></methodparam>
</methodsynopsis>
<para>
<function>escapeshellcmd</function> escapes any characters in a
string that might be used to trick a shell command into executing
arbitrary commands. This function should be used to make sure
that any data coming from user input is escaped before this data
is passed to the <function>exec</function> or
<function>system</function> functions, or to the <link
linkend="language.operators.execution">backtick
operator</link>.
</para>
<para>
The following characters are preceded by a backslash:
<literal>&amp;#;`|*?~&lt;&gt;^()[]{}$\</literal>, <literal>\x0A</literal>
and <literal>\xFF</literal>. <literal>'</literal> and <literal>"</literal>
are escaped only if they are not paired. On Windows, all of these characters
plus <literal>%</literal> and <literal>!</literal> are preceded by a caret
(<literal>^</literal>) instead.
</para>
</refsect1>
<refsect1 role="parameters">
&reftitle.parameters;
<para>
<variablelist>
<varlistentry>
<term><parameter>command</parameter></term>
<listitem>
<para>
The command that will be escaped.
</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</refsect1>
<refsect1 role="returnvalues">
&reftitle.returnvalues;
<para>
The escaped string.
</para>
</refsect1>
<refsect1 role="examples">
&reftitle.examples;
<para>
<example>
<title><function>escapeshellcmd</function> example</title>
<programlisting role="php">
<![CDATA[
<?php
// We intentionally allow an arbitrary number of arguments here.
$command = './configure '.$_POST['configure_options'];
$escaped_command = escapeshellcmd($command);
system($escaped_command);
?>
]]>
</programlisting>
</example>
</para>
</refsect1>
<refsect1 role="notes">
&reftitle.notes;
<warning xmlns="http://docbook.org/ns/docbook">
<para>
<function>escapeshellcmd</function> should be used on the whole
command string, and it still allows the attacker to pass an
arbitrary number of arguments. For escaping a single argument,
<function>escapeshellarg</function> should be used instead.
</para>
</warning>
<warning xmlns="http://docbook.org/ns/docbook">
<para>
Spaces are not escaped by <function>escapeshellcmd</function>,
which can be problematic on Windows with paths such as
<literal>C:\Program Files\ProgramName\program.exe</literal>.
This can be mitigated with the following code snippet, which prefixes
every space except a leading one with a caret:
<programlisting role="php">
<![CDATA[
<?php
$cmd = preg_replace('`(?<!^) `', '^ ', escapeshellcmd($cmd));
]]>
</programlisting>
</para>
</warning>
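The following is an added example, not part of the PHP manual, contrasting the two notes above: escaping the whole command line with escapeshellcmd() leaves word splitting intact, so extra options still reach the program, whereas escaping each argument with escapeshellarg() (combined with an allowlist of option names, which is an assumption of this example) confines user data to single argv entries. The user input is constructed for illustration.

```php
<?php
// Added example (not from the PHP manual). Constructed user input containing
// two options, a shell metacharacter (;) and an unpaired double quote.
$userInput = '--prefix=/opt/app --enable-foo; echo injected "unpaired';

// 1. The manual's pattern: escape the whole command string.
//    ';' and the unpaired '"' get a backslash, but spaces do not, so the
//    shell still splits the string into several separate arguments.
$wholeCmd = escapeshellcmd('./configure ' . $userInput);

// 2. Per-argument escaping: split the input on whitespace, check each option
//    name against an allowlist (assumed here), and wrap every piece with
//    escapeshellarg() so it reaches ./configure as exactly one argument,
//    metacharacters included.
function buildConfigureCommand(string $input, array $allowedOptions): string
{
    $args = [];
    $pieces = preg_split('/\s+/', trim($input), -1, PREG_SPLIT_NO_EMPTY);
    foreach ($pieces as $opt) {
        // Compare only the option name, e.g. "--prefix" from "--prefix=/opt/app".
        $name = explode('=', $opt, 2)[0];
        if (!in_array($name, $allowedOptions, true)) {
            throw new InvalidArgumentException("option not allowed: $name");
        }
        $args[] = escapeshellarg($opt);
    }
    return './configure ' . implode(' ', $args);
}

$allowed = ['--prefix', '--enable-foo'];

echo $wholeCmd, PHP_EOL;

// Well-formed input passes and every option is individually quoted.
echo buildConfigureCommand('--prefix=/opt/app --enable-foo', $allowed), PHP_EOL;

// The constructed input is rejected because "--enable-foo;" is not an
// allowed option name; nothing is ever passed to system() in that case.
try {
    buildConfigureCommand($userInput, $allowed);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```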
</refsect1>
<refsect1 role="seealso">
&reftitle.seealso;
<para>
<simplelist>
<member><function>escapeshellarg</function></member>
<member><function>exec</function></member>
<member><function>popen</function></member>
<member><function>system</function></member>
<member><link linkend="language.operators.execution">backtick operator</link></member>
</simplelist>
</para>
</refsect1>
</refentry>
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"~/.phpdoc/manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->