author | Ari Rubinstein <arirubinstein@users.noreply.github.com> | 2016-01-25 09:37:42 -0800 |
---|---|---|
committer | Ari Rubinstein <arirubinstein@users.noreply.github.com> | 2016-01-25 09:37:42 -0800 |
commit | ce66c4408c2fe0db526b4cd915c765a009f3084f (patch) | |
tree | 7cc4004724d8edaf3b2e93125d3ef77f7ef55e64 | |
parent | 077f79f13ddc8efa4cb10c2c041eb4b50037e0e3 (diff) | |
Escape Shell Injection
Because `$dataFile` is read in from `$_GET`, a remote attacker can inject shell commands and run them as PHP on the remote server, enabling Remote Code Execution. `escapeshellarg` will stop the immediate direct injection threat; however, additional sanitization should be performed to ensure no inputs can result in overwritten files, etc.
-rw-r--r-- | index.php | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -148,7 +148,7 @@ try { header("Content-Type: image/png"); $filename = Webgrind_Config::storageDir().$dataFile.'-'.$showFraction.Webgrind_Config::$preprocessedSuffix.'.png'; if (!file_exists($filename)) { - shell_exec(Webgrind_Config::$pythonExecutable.' library/gprof2dot.py -n '.$showFraction.' -f callgrind '.Webgrind_Config::xdebugOutputDir().''.$dataFile.' | '.Webgrind_Config::$dotExecutable.' -Tpng -o ' . $filename); + shell_exec(Webgrind_Config::$pythonExecutable.' library/gprof2dot.py -n '.$showFraction.' -f callgrind '.Webgrind_Config::xdebugOutputDir().''.escapeshellarg($dataFile).' | '.Webgrind_Config::$dotExecutable.' -Tpng -o ' . escapeshellarg($filename)); } readfile($filename); break; |
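Review bot: `escapeshellarg()` on `$dataFile` closes the argument-injection hole in this hunk but not the path one: `$dataFile` is still concatenated unescaped into `Webgrind_Config::xdebugOutputDir().''.$dataFile` and, two lines above, into `$filename = Webgrind_Config::storageDir().$dataFile.'-'...`, so a value containing `../` can still steer gprof2dot's input, the `-o` output file and the final `readfile($filename)` at paths outside the configured directories, which is the overwrite risk the commit message itself anticipates. Suggest validating `$dataFile` before either line is reached, e.g. rejecting anything that does not match the expected cachegrind file-name pattern or comparing `realpath()` of the joined path against the configured directory, rather than relying on escaping alone. `$showFraction` is likewise interpolated unescaped into `-n '.$showFraction`; if it can originate from request input it needs the same `escapeshellarg()` or an `is_numeric()` check. The stray `.''.` concatenation between the output directory and `$dataFile` can be dropped while here.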