top | item 16497597


flamingcow | 8 years ago

Does it really? Even if the code author hadn't learned to escape/sanitize close to use so it's visible (or to avoid cases where you need to escape/sanitize entirely, like using something that bypasses the shell and takes array arguments), let's look at the manpages.

PHP's system() manpage: http://php.net/manual/en/function.system.php

  Warning
  When allowing user-supplied data to be passed to this function, use escapeshellarg() or escapeshellcmd() to ensure that users cannot trick the system into executing arbitrary commands.

system(3): http://man7.org/linux/man-pages/man3/system.3.html

  Any user input that is employed as part of command should be carefully sanitized, to ensure that unexpected shell commands or command options are not executed.  Such risks are especially grave when using system() from a privileged program.

This is a canonical mistake that's used as a mistake example in textbooks.

benmmurphy | 8 years ago

at this point i think the problem with system() should be blamed on the language and not the people using the language. how many legitimate uses of the system() function call are there. a primitive that does fork() execv() on an array is a much better alternative. yeah, it doesn't 100% fix problems, you might have issues with -style flags, but you are in a much better situation. like if your users want to do system() maybe force them to do the extra work.

system() style functionality -> should be the hard thing to do
execv() style functionality -> should be the easy thing to do
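As an added illustration of the point flamingcow and benmmurphy both make (example code, not from anyone in this thread): the same user-supplied value goes through a system()-style pasted string, an escapeshellarg()-style quoted string, and an execv()-style argv array, and a shell-like tokeniser shows what each one hands to the command. The sample values and the is_single_command helper are constructed for this example.

```python
import shlex
from typing import List

# Constructed sample values: a harmless filename and one carrying a shell
# metacharacter, the kind of input system() hands straight to /bin/sh.
SAFE_NAME = "report.txt"
HOSTILE_NAME = "report.txt; echo injected"

SHELL_OPERATORS = {";", "|", "&", "&&", "||", "(", ")", "<", ">"}

def shell_tokens(cmdline: str) -> List[str]:
    """Tokenise a command line roughly as a POSIX shell would, keeping
    operators such as ';' and '|' as separate tokens so the boundary
    between one command and the next is visible."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)

def system_style(filename: str) -> List[str]:
    """system("ls -l " . $filename): the value is pasted into a string and
    the shell re-parses the whole thing, metacharacters included."""
    return shell_tokens("ls -l " + filename)

def escaped_system_style(filename: str) -> List[str]:
    """The escapeshellarg()-style fix: quote the value before pasting it,
    so the shell sees one word. Only works if every call site remembers."""
    return shell_tokens("ls -l " + shlex.quote(filename))

def execv_style(filename: str) -> List[str]:
    """The fork()/execv()-on-an-array alternative: argv is built as a list
    and no shell runs, so the value is exactly one argument whatever it
    contains (subprocess.run(argv) without shell=True behaves this way)."""
    return ["ls", "-l", filename]

def is_single_command(argv: List[str]) -> bool:
    """True when no shell operator is present, i.e. the user value did not
    turn one command into several. Constructed helper for this example."""
    return not any(tok in SHELL_OPERATORS for tok in argv)

if __name__ == "__main__":
    for label, fn in (("system()", system_style),
                      ("system()+quote", escaped_system_style),
                      ("execv()", execv_style)):
        argv = fn(HOSTILE_NAME)
        print(f"{label:15} {argv}  single command: {is_single_command(argv)}")
```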

technion | 8 years ago

Whilst I do wish I could cleanse a web application of actually supporting system(), we have system() in Perl, Ruby, Python, and modules for Node. I've seen people bagging PHP and that really isn't fair.

Shower thought: Allow me to globally disable system() for language x. Aside from the obvious case of just banning these insane system calls, you're protected against surprise vectors in parsers.

Edit: You would presumably mitigate pipe open vulnerabilities too