
Security:Command-line injection

From MoodleDocs
Revision as of 17:31, 6 November 2009 by Tim Hunt

This page forms part of the Moodle security guidelines.

What is the danger?

This is very like SQL injection, except that it arises when we execute a command-line program rather than when we run a database query. PHP's exec, shell_exec, system, passthru and the backtick operator hand the command string to a shell (/bin/sh -c on Unix), so if user-supplied data is concatenated into that string, shell metacharacters in it (such as ; | & $( ) backticks and quotes) let an attacker run arbitrary commands on the web server with the permissions of the web server process.


How Moodle avoids this problem

Always try to avoid using command-line tools if at all possible. Look for equivalent PHP libraries.

When there is no other option, the standard approach applies: clean (validate) the input first, then escape each value that came from the user before it is included in the command line, so that it can only ever be one argument of the command.


What you need to do in your code

  • Try to avoid using shell commands if at all possible.
    • Many utilities are available as PHP libraries.
  • If you can't avoid shell commands, validate the input first, then pass every user-supplied value through escapeshellarg so that it reaches the program as a single argument.
    • escapeshellcmd escapes the metacharacters in a whole command string, but it does not delimit arguments: whitespace in the input still splits it into several arguments, and a value starting with "-" is still read as an option by the program you call. Use it in addition to, not instead of, escapeshellarg and validation.
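As an added example (not code from this page or from Moodle), the following PHP builds the same command line four ways from a user-supplied file name and returns the string that exec() would hand to the shell, so you can see what the shell and the program would receive. It illustrates both the danger described above and the escaping advice in the list. The tool name convert, the output file name and the sample inputs are assumptions made up for illustration; nothing is executed.

```php
<?php
// Added example, not Moodle code. Each function returns the command string
// that exec() would pass to /bin/sh -c; nothing here is actually run.
// "convert", "output.png" and the sample inputs are made-up assumptions.

// 1. Unsafe: the raw value is spliced into the command. Any shell
//    metacharacter in it (; | & ` $( ) newline, quotes) is interpreted.
function build_unsafe(string $userfile): string {
    return 'convert ' . $userfile . ' output.png';
}

// 2. Still unsafe: double quotes are not a barrier, the attacker closes them.
function build_quoted(string $userfile): string {
    return 'convert "' . $userfile . '" output.png';
}

// 3. Partial: escapeshellcmd() backslash-escapes metacharacters in the whole
//    string, but it does not delimit arguments. Whitespace still splits the
//    input into several arguments and a leading "-" is still parsed as an
//    option by the program (argument injection): the shell is protected,
//    the tool is not.
function build_escapeshellcmd(string $userfile): string {
    return escapeshellcmd('convert ' . $userfile . ' output.png');
}

// 4. Recommended: validate first (a plain file name only, starting with a
//    letter or digit so it can never look like an option; \z rather than $
//    so a trailing newline is rejected too), then pass each argument through
//    escapeshellarg() so it reaches the program as exactly one single-quoted
//    word. "--" marks the end of options for tools that follow that
//    convention (assumption: check the tool you really call).
function build_safe(string $userfile): string {
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_.-]*\z/', $userfile)) {
        throw new InvalidArgumentException('Rejected file name: ' . $userfile);
    }
    return 'convert -- ' . escapeshellarg($userfile) . ' ' . escapeshellarg('output.png');
}

// Constructed sample inputs: one benign name and four attacker payloads.
$samples = [
    'photo.jpg',
    'photo.jpg; cat /etc/passwd',   // command chaining
    '"; cat /etc/passwd; echo "',   // breaks out of the double quotes in (2)
    '$(cat /etc/passwd)',           // command substitution
    '-version',                     // option/argument injection
];

foreach ($samples as $input) {
    echo "input: $input\n";
    echo "  unsafe:         " . build_unsafe($input) . "\n";
    echo "  quoted:         " . build_quoted($input) . "\n";
    echo "  escapeshellcmd: " . build_escapeshellcmd($input) . "\n";
    try {
        echo "  safe:           " . build_safe($input) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "  safe:           " . $e->getMessage() . "\n";
    }
    echo "\n";
}
```

Run it with the PHP CLI and compare the four lines per input: only the last form both keeps the shell from interpreting the payload and stops the program from seeing it as extra arguments or options. In real code the string returned by build_safe is what goes to exec(). Where PHP 7.4 or later is available, proc_open() also accepts the command as an array, which runs the program directly without a shell; that removes the need for shell escaping entirely, but the validation step still applies because the program's own option parsing is unchanged.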


What you need to do as an administrator

  • This is not something you can do much about.
  • However, turn off Moodle features that use shell commands (e.g. the LaTeX filter) unless you actually need them.

