Re: [PHP-DEV] Bug #11890 Updated: linux exploitable From: Alexander Bokovoy (ab <email protected>)
Date: 07/05/01

On Thu, Jul 05, 2001 at 09:10:10AM +0200, derick <email protected> wrote:
> On Wed, 4 Jul 2001, Zak Greant wrote:
>
> > Derick wrote:
> >
> > > Hello Zak,
> > >
> > > regarding this problem with the mail() function, I have a fix here where
> > > the 5th parameter will be shell escaped (with php_shell_escape_cmd()). I
> > > didn't commit it yet (because of ISP troubles), but if nobody thinks this
> > > is a bad idea, I'll commit it tomorrow.
> >
> > Hey Derick,
> >
> > Excellent! :)
> >
> > Should we be using php_escape_shell_arg() instead of
> > php_escape_shell_cmd()?
>
> As far as I can see does shell_arg only escape the ' and shell_cmd the
> following characters: #&;`'\"|*?~<>^()[]{}$\\\x0A\xFF so I think
> _shell_cmd would be the best choice.
BTW, shouldn't \x0A-\xFF be escapeable only if they aren't characters
according current locale? 

-- 
Sincerely yours, Alexander Bokovoy 
  The Midgard Project    | ALT  Linux  Team | Minsk Linux Users Group
 www.midgard-project.org | www.altlinux.ru  |    www.minsk-lug.net 
-- You won't skid if you stay in a rut.
		-- Frank Hubbard

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
For additional commands, e-mail: php-dev-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>