reference/exec/functions/escapeshellcmd.xml
1ea4e4f5769f1a173303f95074a91e8537f65133
@@ -25,10 +25,11 @@
25
25
</para>
26
26
<para>
27
27
Following characters are preceded by a backslash:
28
-
<literal>#&amp;;`|*?~&lt;&gt;^()[]{}$\</literal>, <literal>\x0A</literal>
28
+
<literal>&amp;#;`|*?~&lt;&gt;^()[]{}$\</literal>, <literal>\x0A</literal>
29
29
and <literal>\xFF</literal>. <literal>'</literal> and <literal>"</literal>
30
-
are escaped only if they are not paired. In Windows, all these characters
31
-
plus <literal>%</literal> are replaced by a space instead.
30
+
are escaped only if they are not paired. On Windows, all these characters
31
+
plus <literal>%</literal> and <literal>!</literal> are preceded by a caret
32
+
(<literal>^</literal>).
32
33
</para>
33
34
</refsect1>
34
35

@@ -63,14 +64,12 @@
63
64
<programlisting role="php">
64
65
<![CDATA[
65
66
<?php
66
-
$e = escapeshellcmd($userinput);
67
+
// We allow arbitrary number of arguments intentionally here.
68
+
$command = './configure '.$_POST['configure_options'];
67
69

68
-
// here we don't care if $e has spaces
69
-
system("echo $e");
70
-
$f = escapeshellcmd($filename);
70
+
$escaped_command = escapeshellcmd($command);
71
71
72
-
// and here we do, so we use quotes
73
-
system("touch \"/tmp/$f\"; ls -l \"/tmp/$f\"");
72
+
system($escaped_command);
74
73
?>
75
74
]]>
76
75
</programlisting>
@@ -78,6 +77,31 @@ system("touch \"/tmp/$f\"; ls -l \"/tmp/$f\"");
78
77
</para>
79
78
</refsect1>
80
79

80
+
<refsect1 role="notes">
81
+
<warning xmlns="http://docbook.org/ns/docbook">
82
+
<para>
83
+
<function>escapeshellcmd</function> should be used on the whole
84
+
command string, and it still allows the attacker to pass
85
+
arbitrary number of arguments. For escaping a single argument
86
+
<function>escapeshellarg</function> should be used instead.
87
+
</para>
88
+
</warning>
89
+
<warning xmlns="http://docbook.org/ns/docbook">
90
+
<para>
91
+
Spaces will not be escaped by <function>escapeshellcmd</function>
92
+
which can be problematic on Windows with paths like:
93
+
<literal>C:\Program Files\ProgramName\program.exe</literal>.
94
+
This can be mitigated using the following code snippet:
95
+
<programlisting role="php">
96
+
<![CDATA[
97
+
<?php
98
+
$cmd = preg_replace('`(?<!^) `', '^ ', escapeshellcmd($cmd));
99
+
]]>
100
+
</programlisting>
101
+
</para>
102
+
</warning>
103
+
</refsect1>
104
+

81
105
<refsect1 role="seealso">
82
106
&reftitle.seealso;
83
107
<para>
84
108