Quote shell argument with escapeshellarg()

Currently, the call to "scp -t" or "scp -f" just uses naive quoting, i.e. a couple of quote marks are thrown in.

But this can easily be escaped from, if the filename has a quote mark of its own in it, for example.

e.g. if the filename is as follows, then bad things will happen:

 ";rm -rf /

Instead, escapeshellarg should be used, to make sure it gets escaped properly.
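As an added example (not phpseclib's code), the break-out the commit message describes, side by side with a quoting routine that does not depend on the operating system of the PHP host. The function names, the constructed hostile filename and the small quote-aware scanner that counts command separators are all illustrative assumptions, not part of Net_SCP; the hostile filename ends in `#` so that the double quote left dangling by the naive wrapper is swallowed as a shell comment rather than producing a parse error.

```php
<?php
// Added example, not phpseclib code. Demonstrates why wrapping the remote
// path in double quotes is injectable and how to quote for a POSIX remote shell.

// The quoting Net_SCP used before this commit: naive double quotes.
function scp_cmd_naive($mode, $remote_file) {
    return 'scp ' . $mode . ' "' . $remote_file . '"';
}

// What the commit switches to. escapeshellarg() quotes for the shell of the
// PHP *host*: single quotes on POSIX, double quotes on Windows.
function scp_cmd_escapeshellarg($mode, $remote_file) {
    return 'scp ' . $mode . ' ' . escapeshellarg($remote_file);
}

// Explicit POSIX single-quoting, independent of the host OS. Inside single
// quotes nothing is special; an embedded ' is written as '\'' (close, escaped
// quote, reopen). Assumed helper name, not a phpseclib API.
function posix_shell_quote($arg) {
    return "'" . str_replace("'", "'\\''", $arg) . "'";
}

function scp_cmd_posix($mode, $remote_file) {
    return 'scp ' . $mode . ' ' . posix_shell_quote($remote_file);
}

// Minimal scanner: counts ';' characters that a POSIX shell would treat as
// command separators, i.e. those outside single/double quotes and not
// backslash-escaped. A non-zero count means the filename injected a command.
function count_unquoted_semicolons($cmd) {
    $in_sq = false;
    $in_dq = false;
    $count = 0;
    $len = strlen($cmd);
    for ($i = 0; $i < $len; $i++) {
        $c = $cmd[$i];
        if ($in_sq) {
            if ($c === "'") { $in_sq = false; }
        } elseif ($in_dq) {
            if ($c === '\\') { $i++; }           // skip escaped char
            elseif ($c === '"') { $in_dq = false; }
        } else {
            if ($c === '\\') { $i++; }           // skip escaped char
            elseif ($c === "'") { $in_sq = true; }
            elseif ($c === '"') { $in_dq = true; }
            elseif ($c === ';') { $count++; }
        }
    }
    return $count;
}

// Constructed hostile filename (not real data). The trailing '#' comments out
// the dangling quote that the naive wrapper leaves behind.
$hostile = '"; rm -rf / #';

$commands = array(
    'naive'          => scp_cmd_naive('-t', $hostile),
    'posix'          => scp_cmd_posix('-t', $hostile),
    'escapeshellarg' => scp_cmd_escapeshellarg('-t', $hostile),
);

foreach ($commands as $label => $cmd) {
    printf("%-15s %-32s unquoted ';' = %d\n",
        $label, $cmd, count_unquoted_semicolons($cmd));
}

// A legitimate filename containing a single quote still round-trips safely.
printf("%-15s %s\n", 'posix (quote)', scp_cmd_posix('-f', "it's.txt"));
```

Run with `php example.php`. The naive command reports one unquoted `;`, because the attacker's leading `"` closes the wrapper's opening quote and the rest of the filename becomes a second command; the POSIX single-quoted command reports zero. The `escapeshellarg` line reports zero on a Linux or BSD host, but on a Windows host PHP emits double quotes with embedded `"` replaced by spaces, which is why the explicit `posix_shell_quote()` is shown alongside it.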
David Anderson 2014-12-04 16:50:23 +00:00
parent 630a71bee6
commit 14dc468b70

@ -170,7 +170,7 @@ class Net_SCP
return false;
}
if (!$this->ssh->exec('scp -t "' . $remote_file . '"', false)) { // -t = to
if (!$this->ssh->exec('scp -t ' . escapeshellarg($remote_file), false)) { // -t = to
return false;
}
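Review bot: escapeshellarg() quotes for the shell of the PHP host, but the `scp -t` line here is run by the shell on the SSH server, and the two can disagree. On a Windows PHP host escapeshellarg() wraps the argument in double quotes and replaces embedded double quotes with spaces, which leaves `$`, backtick and backslash live in a POSIX remote shell; escapeshellarg() is also locale-sensitive and can drop multibyte characters from the name. Since the target is the remote sshd's shell, consider quoting for POSIX sh explicitly, e.g. `'scp -t ' . "'" . str_replace("'", "'\\''", $remote_file) . "'"`, and state in the docblock that a POSIX remote shell is assumed. Note also that quoting does not stop a $remote_file beginning with `-` from being parsed by scp as an option.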
@ -244,7 +244,7 @@ class Net_SCP
return false;
}
if (!$this->ssh->exec('scp -f "' . $remote_file . '"', false)) { // -f = from
if (!$this->ssh->exec('scp -f ' . escapeshellarg($remote_file), false)) { // -f = from
return false;
}
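Review bot: this is the same quoting change as in the first hunk, written out a second time for the `scp -f` path; move the quoting into one private helper so the two call sites cannot drift apart and the remote-shell assumption lives in a single place. The `-f` case has the same exposure to a $remote_file that starts with `-` being read as an scp option.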