Hacker News new | past | comments | ask | show | jobs | submit login

This is awful. Shell commands are not guaranteed to be idempotent, people! These should all be of the form exec($_POST, not exec($_GET.



It depends by the command, echo is idempotent for example. There should be some checking like

  $cmdname = split(' ', $_GET['command']);
  if(!in_array(IDEMPOTENT_COMMANDS, $cmdname))
     echo '<h1>Your request is not guaranteed to be idempotent. Please use a POST.</h1>';
  else
    exec($_GET['command'] ...


    if(!in_array(IDEMPOTENT_COMMANDS, $cmdname)) {
     header("HTTP/1.1 405 Method Not Allowed");
     die();
     }
Fixed ;).


in_array(needle, haystack)

PHP with its argument ordering strikes again :)


... actually,

    if(!IDEMPOTENT_COMMANDS[$cmdname]) { ...
would do, and, assuming dictionary lookups are optimised, is possibly faster.


actually,

   if (! isset(IDEMPOTENT_COMMANDS[$cmdname]))
otherwise you'll get an undefined index notice :)


Indeed. My PHP-fu is a bit rusty... I tested `if(NULL)...` in the REPL and since it was working, I left it at that.


Damn!!! :D


  echo is idempotent
As a simple call, yes. But there are many shell tricks (redirection, command substitution, process substitution) that can make an echo call have significant side effects - so if you were daft enough to be considering this you'd need to do much more checking before submitting the provided instruction to your shell, and those checks would need to know which shell you were targeting (in fact you'd probably want to force the issue by exec()ing a specific shell instead of just using the default for the user the code is running as).


Yes, though if a shell is chosen and the command is shell escaped you are good to go


I think the problem here is the fact that tainted variables (user input) are used to execute shell commands. it doesn't matter if that's $_POST or $_GET, both of these are user input and therefore these are huge vulnerabilities.


"That's the joke."


I'm pretty sure GP was being sarcastic.


Whoops! My bad.. now I feel stupid :)


I think he is being sarcastic.


I think he is indeed being sarcastic.


I'm sorry, but I can't hear you over the sound of the joke flying overhead.


I think he is was being indeed sarcastic.


I think he was indeed sarcastic.


I prefer exec($_REQUEST when I have to do something like that. You capture both get and post variables.


Love the sarcasm ;-)




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: