Closed m4p1e closed 4 years ago
ex:
else if (zend_string_equals_literal(fname, "passthru") || zend_string_equals_literal(fname, "system") || zend_string_equals_literal(fname, "exec") || zend_string_equals_literal(fname, "shell_exec") || zend_string_equals_literal(fname, "proc_open") || zend_string_equals_literal(fname, "popen")) { zval *cmd = ZEND_CALL_ARG(ex, arg_count); if (IS_STRING == Z_TYPE_P(cmd) && TAINT_POSSIBLE(Z_STR_P(cmd))) { php_taint_error(ZSTR_VAL(fname), "CMD statement contains data that might be tainted"); } }
the param of cmd string is the last param in these function call,but the system del:
system ( string $command [, int &$return_var ] ) : string
so if i set the 2nd param of system, the taint will ignore the first param that actually cmd string.
ex:
the param of cmd string is the last param in these function call,but the system del:
so if i set the 2nd param of system, the taint will ignore the first param that actually cmd string.