2

I have a working exec in php that executes a Jar file and returns back result:

exec('java -jar Clt.jar ' . $sampleSize . ' ' . $numberOfSamples . ' ' . $randAlgorithm,  $output);

These parameters are checked in Java application in the following way:

int sampleSize = Integer.parseInt(args[0]);
int numberOfSamples = Integer.parseInt(args[1]);
int randGenerator = Integer.parseInt(args[2]);

Now I need to know If I need to check user input, because on PHP page under exec, it says:

When allowing user-supplied data to be passed to this function, use escapeshellarg() or escapeshellcmd() to ensure that users cannot trick the system into executing arbitrary commands.

But in my case, where user input is used only as parameter for application, are there any security risks If I do not check what has user set, apart from that program will not execute if user enters string or floating point number?

Improve this question

3 Answers 3

Reset to default
2

But in my case, where user input is used only as parameter for application

And this is where you are wrong. exec() is as if you are executing a line on the command-line. What if the users inputs something like: ; rm -rf / && echo. You must escape the input with escapeshellargs(). Or even better use floatval() before passing it to the commandline.

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

Better yet, use '; rm -rf ...' - just in case the Java fails, the rm will still procede - if you're trashing the server, don't be nice make the attack depend on the success of the program whose args you're injecting.
Added a simple test.txt and tried ;del test.txt at the end of the last parameter, and ; is still considered to be a parameter for java? I am using Win7, maybe there is another command to begin new instruction?
@Jernej Jerin This has nothing to do with java, its the shell that you are using. In this case exec() is using cmd.exe.
Yeah I know that, but I tried in cmd java -jar Clt.jar 1 100 1 && del test.txt and it really deleted test.txt while for some reason executing exec with exactly the same stuff did not want to delete the test.txt?
0

Absolutely. There are plenty of shell hacks that will allow the user to escape your command and execute arbitrary commands on your system. Using &&, piping, etc...

Improve this answer

Comments

0

If you do not check nor escape what you inject into that command-line you're executing, it means anyone can inject anything into it. Which means getting any kind of code executing on your system. And, as you'll probably guess, this can be bad.

You must always properly escape (especially) unsafe data !


When building commands that are to be executed by the system, you should use the [**`escapeshellarg()`**][1] function.
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.