
It depends on the command, echo is idempotent for example. There should be some checking like

  $cmdname = split(' ', $_GET['command']);
  if(!in_array(IDEMPOTENT_COMMANDS, $cmdname))
     echo '<h1>Your request is not guaranteed to be idempotent. Please use a POST.</h1>';
  else
    exec($_GET['command'] ...



    if(!in_array(IDEMPOTENT_COMMANDS, $cmdname)) {
        header("HTTP/1.1 405 Method Not Allowed");
        die();
    }

Fixed ;).


in_array(needle, haystack)

PHP with its argument ordering strikes again :)


... actually,

    if(!IDEMPOTENT_COMMANDS[$cmdname]) { ...
would do, and, assuming dictionary lookups are optimised, is possibly faster.


actually,

   if (! isset(IDEMPOTENT_COMMANDS[$cmdname]))
otherwise you'll get an undefined index notice :)


Indeed. My PHP-fu is a bit rusty... I tested `if(NULL)...` in the REPL and since it was working, I left it at that.


Damn!!! :D


  echo is idempotent
As a simple call, yes. But there are many shell tricks (redirection, command substitution, process substitution) that can make an echo call have significant side effects - so if you were daft enough to be considering this you'd need to do much more checking before submitting the provided instruction to your shell, and those checks would need to know which shell you were targeting (in fact you'd probably want to force the issue by exec()ing a specific shell instead of just using the default for the user the code is running as).


Yes, though if a shell is chosen and the command is shell escaped you are good to go
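
An added example, not part of the thread, for the point about redirection and command substitution: a first-word allowlist accepts strings that a shell would still parse as more than an `echo` call. The function names, the allowlist contents and the sample inputs are constructed for illustration; the sketch rejects anything outside a conservative character set and runs the request as an argument vector, so no shell re-parses it.

```shell
#!/bin/sh
# Added example: function names and allowlist contents are assumptions.
IDEMPOTENT_COMMANDS="echo date uptime"

# The thread's check: only the first word is compared with the allowlist.
first_word_allowed() {
    first=${1%% *}
    case " $IDEMPOTENT_COMMANDS " in
        *" $first "*) return 0 ;;
    esac
    return 1
}

# Stricter check: delete every character from a conservative safe set;
# anything left over (> < | & ; $ ` ( ) quotes, globs, newlines) is
# something a shell would interpret as syntax.
has_shell_syntax() {
    leftover=$(printf '%s' "$1" | LC_ALL=C tr -d 'A-Za-z0-9 ._/:=,+-')
    [ -n "$leftover" ]
}

# Run the request as an argument vector: split on whitespace only, with
# globbing off, so the string is never re-parsed as shell code.
run_argv() {
    if ! first_word_allowed "$1" || has_shell_syntax "$1"; then
        echo "405 Method Not Allowed"
        return 1
    fi
    set -f
    set -- $1
    set +f
    "$@"
}

# Constructed inputs: a plain call, a redirection, a command substitution.
for cmd in 'echo hello' 'echo hi > /tmp/marker' 'echo $(date)'; do
    printf '%-24s -> ' "$cmd"
    run_argv "$cmd" || true
done
```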



