Friends don't let friends exec();
There was a thread today on Webhosting Talk about a guy who was trying to make PHP unzip something and it was failing. I shudder when I see shit like this. I tried to reply twice, but deleted my response because I sounded like a condescending asshole - so I decided to vent in the only place I can really get away with being a condescending asshole... right here.
PHP can be built with functions that support creating and extracting ZIP archives, so I can't really think of why you'd choose to use exec() instead.
Let me say this in no uncertain terms: exec() should be renamed to YesImAskingForIt() and take a mandatory argument along the lines of PLEASEHACKME before it'll function. Don't get me wrong, there are some cases where it's a handy way to solve your problem, but generally speaking there's another solution which is safer and gives you better control over what happens when you get an error.
Any time you're going to stoop to using exec() (and it really doesn't matter what language you're using the equivalent function in), you need to be goddamn sure you understand the implications of what you're doing. All of them.
... and in the case of the poster linked above, if you can't figure out that the unzip executable doesn't have permission to write the files to the working directory, you probably don't understand enough of what's going on with exec() to have a contingency plan for all the possible outcomes a malicious user could cause.
I finally wound up replying, keeping my response short and sweet to try not to sound like a jerk. It still boggles my mind how people can think that something like $files = exec('ls'); is acceptable, even if not a ticking time bomb when they start trying to pass arguments to the programs they're executing... but for now I'll try and keep that to myself and act civil.
Oh and in case you're wondering, what I said about exec() goes for backticks as well.
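The built-in ZIP support mentioned above, as an added example that is not code from this post or from the forum thread: it extracts an archive with ZipArchive, reports the unwritable-directory case explicitly, and returns the file list without a shell. The function name extractZip and both paths are hypothetical.

```php
<?php
// Extract $archive into $destDir with ZipArchive instead of exec('unzip ...').
// Returns the extracted entry names; throws with a specific reason on failure.
// extractZip() and the paths used below are hypothetical, for illustration only.
function extractZip(string $archive, string $destDir): array
{
    if (!extension_loaded('zip')) {
        throw new RuntimeException('PHP was built without the zip extension');
    }
    // The failure from the forum thread: the target directory is not writable.
    // Here it is a named error instead of unzip failing out of sight behind exec().
    if (!is_dir($destDir) || !is_writable($destDir)) {
        throw new RuntimeException("Destination not writable: $destDir");
    }

    $zip = new ZipArchive();
    $status = $zip->open($archive);   // true on success, ZipArchive::ER_* code on failure
    if ($status !== true) {
        throw new RuntimeException("Cannot open $archive (ZipArchive error code $status)");
    }

    try {
        $names = [];
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $name = $zip->getNameIndex($i);
            // Defence in depth: refuse absolute paths and parent-directory segments.
            if ($name === false || $name === '' || $name[0] === '/' || $name[0] === '\\'
                || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $name)) {
                throw new RuntimeException("Refusing suspicious entry at index $i");
            }
            $names[] = $name;
        }
        if (!$zip->extractTo($destDir)) {
            throw new RuntimeException('Extraction failed: ' . $zip->getStatusString());
        }
        return $names;   // the file list, with no second exec('ls')
    } finally {
        $zip->close();
    }
}

// Constructed usage: both paths are placeholders.
try {
    $files = extractZip('/tmp/upload.zip', '/var/www/site/uploads');
    echo count($files), " entries extracted\n";
} catch (RuntimeException $e) {
    error_log($e->getMessage());
}
```

No argument ever reaches a shell here, and every failure path carries its own message, which is the error control exec() does not give you.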
