Security:Command-line injection

Revision as of 07:15, 7 June 2011 by Michael de Raadt (talk | contribs) (See also)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

This page forms part of the Moodle security guidelines.

What is the danger?

This is very like SQL injection, except that it arises when we execute a command-line program rather than when we do a database query.


How Moodle avoids this problem

Always try to avoid using command-line tools if at all possible. Look for equvalent PHP libraries.

However, when there is no other option, it is the standard approach of cleaning the input, and then escaping the values that came from the user before including them in the command-line.


What you need to do in your code

  • Try to avoid using shell commands if at all possible.
    • Many utilities are available as PHP libraries.
  • If you can't avoid shell commands, use escapeshellcmd and escapeshellarg.


What you need to do as an administrator

  • This is not something you can do much about.
  • However, turn off Moodle features that use shell commands (e.g. the LaTeX filter) unless you actually need them.


See also