Re: [PHP-DEV] Bug #11890 Updated: linux exploitable
From: derick <email protected>
Date: 07/05/01

On Wed, 4 Jul 2001, Zak Greant wrote:

> Derick wrote:
>
> > Hello Zak,
> >
> > regarding this problem with the mail() function, I have a fix here where
> > the 5th parameter will be shell escaped (with php_shell_escape_cmd()). I
> > didn't commit it yet (because of ISP troubles), but if nobody thinks this
> > is a bad idea, I'll commit it tomorrow.
>
> Hey Derick,
>
> Excellent! :)
>
> Should we be using php_escape_shell_arg() instead of
> php_escape_shell_cmd()?

As far as I can see, shell_arg only escapes the ' and shell_cmd the
following characters: #&;`'\"|*?~<>^()[]{}$\\\x0A\xFF so I think
_shell_cmd would be the best choice.

Derick

---------------------------------------------------------------------
        PHP: Scripting the Web - www.php.net - derick <email protected>
             SRM: Site Resource Manager - www.vl-srm.net
---------------------------------------------------------------------
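
The two escaping styles compared in this thread, shown side by side as an added example that is not part of the original messages or of the PHP source. It uses PHP's userland escapeshellcmd() and escapeshellarg(), assumed here to correspond to the internal functions named above, and assumes a POSIX shell with printf; the sample value and the helper name args_seen_by_shell() are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes a POSIX shell with printf.

/** Return the arguments a shell hands to a command for the given escaped text. */
function args_seen_by_shell(string $escaped): array
{
    // printf reuses its format for every argument it receives, so each
    // argument the shell produces ends up on its own bracketed line.
    $out = shell_exec("printf '[%s]\\n' " . $escaped);
    return explode("\n", trim((string) $out));
}

// Constructed sample: a value that is meant to be ONE argument but contains
// spaces and a shell metacharacter.
$value = '-fbounce@example.org extra words; echo x';

$results = [
    'escapeshellcmd' => escapeshellcmd($value),
    'escapeshellarg' => escapeshellarg($value),
];

foreach ($results as $name => $escaped) {
    $args = args_seen_by_shell($escaped);

    printf("%s -> %s\n", $name, $escaped);
    printf("  arguments received: %d\n", count($args));
    foreach ($args as $arg) {
        printf("    %s\n", $arg);
    }

    // The value survives as a single argument only if the shell hands back
    // exactly one entry, wrapped in the brackets added by printf.
    $intact = ($args === ['[' . $value . ']']);
    printf("  kept as one argument: %s\n\n", $intact ? 'yes' : 'no');
}
```

When reviewing a call site, the thing to check is whether the value is meant to be a whole command line or a single argument, since the two functions are written for those two different cases.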
