In lib/Occ.phpfunction execute() we escapeshellarg the parts of the command to be executed.
We make exceptions to that for parts of occ commands that we know we need to send aalready enclosed in quotes, like:
--display-name='User One'
' '
'A value that has space in it'
It gradually gets more complicated to let through these string patterns and escapeshellarg everything else.
If you enable the testing app, and you know the admin password, then you can already do lots of nasty things to your system. If you know the admin password, then you may also have command line access to your system anyway - so you can type any command that you like.
So why do we try to protect occ command execution from command injection?
In
lib/Occ.php
function execute()
weescapeshellarg
the parts of the command to be executed.We make exceptions to that for parts of
occ
commands that we know we need to send aalready enclosed in quotes, like:It gradually gets more complicated to let through these string patterns and
escapeshellarg
everything else.If you enable the testing app, and you know the admin password, then you can already do lots of nasty things to your system. If you know the admin password, then you may also have command line access to your system anyway - so you can type any command that you like.
So why do we try to protect
occ
command execution from command injection?