Diederik Oudshoorn wrote:
| 1) why does escapeshellarg(string arg) add quotes around arg? (the
| PHP.net manual didn't make me wiser), is it a *nix thingy? (alas, I'm
| still using Windows)
Apparently escapeshellarg() doesn't do the right thing on Windows. We
have a wfEscapeShellArg() wrapper function which is meant to fix this;
did you try replacing escapeshellarg() with wfEscapeShellArg() as Tim
suggested?
| 2) What is (might be) the penalty for removing escapeshellarg() from the
| code, what is the rationale behind it?
The danger is that a parameter may contain characters which have special
meaning to the shell (or to the parameter-parsing code of the program on
Windows where parameters are passed as a single string rather than an
array of strings as on Unix). This could allow a malicious user to
inject a different command than was intended, which may have serious
security implications.
You may remember a couple months back a lot of sites were hacked via a
bug in TWiki, where it didn't correctly validate text that was placed on
the command line calling out to a search tool.
More prosaically, without proper escaping some filenames simply won't
work right (eg, containing spaces or quotes or other semi-special chars).
-- brion vibber (brion @ pobox.com)
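The following is an added illustration of the two points in Brion's reply (command injection through an unescaped parameter, and ordinary filenames with spaces or quotes breaking without escaping). It is not code from the original thread or from MediaWiki; wfEscapeShellArg() is not shown here, only PHP's built-in escapeshellarg(), and the filenames are constructed sample inputs standing in for user-supplied data. The buildUnsafe(), buildSafe() and isPlainFilename() helpers are hypothetical names for this example.

```php
<?php
// Added example (not from the original post or MediaWiki).
// Shows what the shell sees when a parameter is spliced into a command line
// with and without escapeshellarg(), and a simple allowlist check a caller
// can apply before the value ever reaches the shell.

function buildUnsafe(string $file): string
{
    // Vulnerable form: the value is concatenated straight into the command.
    // Any shell metacharacter in $file becomes part of the command syntax.
    return 'cat ' . $file;
}

function buildSafe(string $file): string
{
    // Hardened form. On Unix, escapeshellarg() wraps the value in single
    // quotes and rewrites any embedded single quote as '\'' so the shell
    // delivers exactly one argument, whatever characters it contains.
    // (On Windows, PHP wraps in double quotes instead and blanks out
    // '"', '%' and '!', which is the behaviour the thread calls inadequate.)
    return 'cat ' . escapeshellarg($file);
}

function isPlainFilename(string $file): bool
{
    // Defence in depth: where a simple filename is all that is expected,
    // reject anything outside a conservative allowlist before escaping.
    // Hypothetical helper; the character class is a constructed choice.
    return (bool) preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/', $file);
}

// Constructed sample: an attacker-controlled "filename" carrying a command separator.
$hostile = 'notes.txt; echo INJECTED';

echo buildUnsafe($hostile), PHP_EOL;
// cat notes.txt; echo INJECTED        <- the shell runs two commands

echo buildSafe($hostile), PHP_EOL;
// cat 'notes.txt; echo INJECTED'      <- one argument, passed verbatim to cat

// The "more prosaic" case from the reply: a legitimate name with a space and a quote.
$awkward = "my notes' draft.txt";

echo buildUnsafe($awkward), PHP_EOL;
// cat my notes' draft.txt             <- two arguments and an unterminated quote

echo buildSafe($awkward), PHP_EOL;
// cat 'my notes'\'' draft.txt'        <- quote closed, escaped, reopened: one argument

var_dump(isPlainFilename('report-2005.txt')); // bool(true)
var_dump(isPlainFilename($hostile));          // bool(false)
var_dump(isPlainFilename($awkward));          // bool(false)
```

The allowlist check is the stronger control where the expected input really is a bare filename: it rejects the bad value outright instead of relying on the escaping being correct on every platform, which is exactly the concern raised about Windows in this thread. Escaping still belongs on every argument, since not every parameter can be constrained that tightly.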