search

owncloud / testing

🔧 app for testing ownCloud
GNU Affero General Public License v3.0
3 stars 4 forks source link

Why do we escapeshellarg the parts of occ commands? #35

Open phil-davis opened 5 years ago

phil-davis commented 5 years ago

In lib/Occ.php function execute() we escapeshellarg the parts of the command to be executed.

We make exceptions to that for parts of occ commands that we know we need to send aalready enclosed in quotes, like:

--display-name='User One'
' '
'A value that has space in it'

It gradually gets more complicated to let through these string patterns and escapeshellarg everything else.

If you enable the testing app, and you know the admin password, then you can already do lots of nasty things to your system. If you know the admin password, then you may also have command line access to your system anyway - so you can type any command that you like.

So why do we try to protect occ command execution from command injection?

phil-davis commented 5 years ago

e.g. PR #34 increases the complexity of the pattern matching.