tags:

views:

50

answers:

3
+1  Q: 

Securing a string before exec()ing it

Hi

I have a PHP app which takes a user-inputted $imageurl and does the following:

exec('convert "'.$url.'" -thumbnail 80x500 "images/out.jpg"');

Now obviously I have to take some precautions with this to stop users from executing arbitrary code. For example, if the user sets $url to";rm -rf *;" is no good at all.

So for starters I have to filter out " so that no matter what they type in, they can't escape from their input being a parameter to convert. But should I filter out ; as well? I've seen urls with semicolons in them... and while the semicolon is really the danger here, filtering out " would still keep me safe right? But can urls have " in them? And are there any other characters I should watch for?

Maybe instead of filtering characters out I should try to escape them. So should I try to escape every character interpreted specially by the shell? Or just escape " as everything else is sort of "pre-escaped" given that it's inside double-quotes?

Sorry for my rambling confusion, I'm just new at this and want to stay safe!

Thanks,
Mala

+3  A: 

Well, if you want to make sure the URL is a URL, use filter_var

filter_var($url, FILTER_VALIDATE_URL);

This will not prevent people from supplying a URL like example.com/foo?;rm -rf though, which is still a valid URL. I'm not sure if this would cause rm to execute, but you could also check the URL with parse_url() and omit the query part.

Generally, it is a good idea to have a look at these as well:

Also see the PHP Manual on securing user input.

Gordon  2010-01-14 10:35:33
I can't omit the query part as some sites serve there images via script.php?image=something.jpg
Mala  2010-01-14 11:18:15
Then just use filter_var and the shell escape function
Gordon  2010-01-14 11:37:10
+2  A: 

You can use the escapeshellarg function.

klausbyskov  2010-01-14 10:36:25
A: 

Use Regular Expressions to ensure that $url only contains valid filename characters, e.g. "(\w\.\-\/){1,256}". Plus, I imagine you are renaming the file the user uploads to be a random filename, or at least a whitelisted filename (i.e. using the same regex). sha1.ext or md5.ext are easy formats to use.

Mike  2010-02-25 16:47:15

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases