Reliable use of the exec PHP function

I am writing a PHP script designed to run an executable file (ffmpeg.exe) using the exec() function. The problem is that I read that using the exec() function can be a security risk and should be avoided if possible. I am doing some research on how to safely execute the exec() function, and the only thing I keep coming up with is filtering the command line using escapeshellcmd or escapeshellarg. I want to know if there is a possibility of further increasing security when using the exec() function or if there is a safe alternative to exec(). Any help would be appreciated.

Here is my code;

    // path to the ffmpeg binary (note the trailing space, so " -i" follows directly)
    define('FFMPEG_LIBRARY', 'c:\\ffmpeg7\\ffmpeg\\bin\\ffmpeg ');
    // build the whole command line as one string from the source and destination paths
    $transcode_string = FFMPEG_LIBRARY . " -i " . $srcFile . " -acodec libmp3lame -ab 64k -ar 22050 -ac 1 -vcodec libx264 -b:v 250k -r 30 -f flv -y " . $destFile;
    // escape shell metacharacters in the complete string, then run it
    $transcode_string = escapeshellcmd($transcode_string);
    exec($transcode_string);

$srcFile is basically a video for transcoding, and $destFile is the output file I want to create.

+4
2 answers

using exec() can be a security risk and should be avoided if possible.

That is something of a generalization: it's entirely possible to build a secure solution using exec(). But it is really difficult: there are many mistakes to be made when executing external programs, especially if you pass external parameters to them.

The first step, as you say, is to escape everything using escapeshellarg() to prevent the injection of other, possibly malicious, commands.

The question then becomes what damage incorrect incoming values can cause in the called program. For instance,

  • Performing the ffmpeg operation on a large 200,000 x 200,000 pixel video may freeze the server, because the call tries to allocate an impossible amount of memory. Therefore, you must sanitize the size values that the user can enter and exit if they are too large, or not numbers.

  • An attacker can tell ffmpeg to read a configuration file and try to create a video from it, or have it write its output over a configuration file, so you need to limit the range of file paths that users can specify.

And so on and so forth.

In addition, you need to think about the possibility of the server being taken down simply by the number of requests. What if I send 50 requests per second to a PHP script, which in turn calls the complex ffmpeg command? The server can easily collapse under the load, and you can protect against this.

So: there is no built-in security issue in using exec(), but every input parameter that is passed to it should be carefully considered.

+3

exec itself is not the problem; the problem is that you definitely should not accept user input as its input in exec(). You should always use escapeshellarg(), but if you need to accept user input, you must first do your own sanitization and manipulation in all cases.

What is your code? Without seeing it, there is nothing more to say about this.

Update

If $srcFile is the name of the uploaded file, then you should change it. @preinheimer's comment contains a good idea: you can call uniqid() and rename $srcFile to that, then you know that you have an alphanumeric file name, no matter what they uploaded. Change $srcFile to this new uniqid()'d file name and you're good to go.

As for $dstFile, set something unique for it; you can either call uniqid() again or use the current time.

If you do both of these things, then you will not accept user input at all, and your script will be completely safe and secure.

+3
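The two answers above amount to one procedure: never let the original file name reach the command line, generate both the source and destination names yourself, escape each argument separately with escapeshellarg(), and guard against being flooded with transcode requests. The following is an added example of that procedure, written here for this page and not code from the question or either answer. It assumes a form field named 'video', an uploads and an output directory outside the web root, ffmpeg reachable via the FFMPEG_LIBRARY constant, and a constructed limit of two concurrent ffmpeg processes; all of those are assumptions, not values from the page.

```php
<?php
// Added example, not the questioner's code: the transcode step rebuilt so
// that no user-controlled string reaches the shell unescaped.
// Assumed paths and limits; adjust for the real deployment.
define('FFMPEG_LIBRARY', 'ffmpeg');          // e.g. 'c:\\ffmpeg7\\ffmpeg\\bin\\ffmpeg.exe' on Windows
define('UPLOAD_DIR', __DIR__ . '/uploads');  // assumed, outside the web root
define('OUTPUT_DIR', __DIR__ . '/output');   // assumed
define('MAX_CONCURRENT', 2);                 // assumed cap on parallel ffmpeg runs

// Extensions we are willing to hand to ffmpeg; anything else is rejected.
// (A real deployment would also inspect the file content, not only its name.)
const ALLOWED_EXT = ['mp4' => true, 'mov' => true, 'avi' => true, 'mkv' => true];

/**
 * Store the upload under a name we generated ourselves (second answer):
 * only the extension is taken from the client, and it must be allow-listed.
 */
function storeUpload(array $file): string
{
    if (!isset($file['tmp_name'], $file['name']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_EXT[$ext])) {
        throw new RuntimeException('unsupported file type');
    }
    // uniqid() plus random bytes: a purely alphanumeric name with no client input in it
    $dest = UPLOAD_DIR . '/' . uniqid() . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}

/**
 * Build the ffmpeg command with escapeshellarg() applied to each path on its
 * own (first answer). escapeshellcmd() over the whole string, as in the
 * question, only neutralises shell metacharacters; it does not keep a file
 * name containing spaces from being split into several arguments.
 */
function buildTranscodeCommand(string $srcFile, string $destFile): string
{
    // FFMPEG_LIBRARY and the option list are fixed constants we control;
    // only the two paths are derived from a request.
    $fixed = '-acodec libmp3lame -ab 64k -ar 22050 -ac 1 -vcodec libx264 -b:v 250k -r 30 -f flv -y';
    return FFMPEG_LIBRARY . ' -i ' . escapeshellarg($srcFile) . ' ' . $fixed
        . ' ' . escapeshellarg($destFile);
}

/**
 * Cap the number of ffmpeg processes running at once (the "50 requests per
 * second" point). Each run holds one of MAX_CONCURRENT lock files; when all
 * are taken the request is refused rather than queued.
 * Returns the lock handle, or null if every slot is busy.
 */
function acquireSlot()
{
    for ($i = 0; $i < MAX_CONCURRENT; $i++) {
        $fh = fopen(sys_get_temp_dir() . "/ffmpeg-slot-$i.lock", 'c');
        if ($fh !== false && flock($fh, LOCK_EX | LOCK_NB)) {
            return $fh; // released when the handle is closed or the process ends
        }
        if ($fh !== false) {
            fclose($fh);
        }
    }
    return null;
}

/** Run the transcode; returns the generated output path. */
function transcode(string $srcFile): string
{
    $slot = acquireSlot();
    if ($slot === null) {
        throw new RuntimeException('server busy, try again later');
    }
    // Destination name is generated too, so the client never chooses an output path.
    $destFile = OUTPUT_DIR . '/' . uniqid() . bin2hex(random_bytes(8)) . '.flv';
    $output = [];
    $exitCode = 1;
    exec(buildTranscodeCommand($srcFile, $destFile) . ' 2>&1', $output, $exitCode);
    flock($slot, LOCK_UN);
    fclose($slot);
    if ($exitCode !== 0) {
        // Keep the tool's output in the server log; do not echo it to the client.
        error_log('ffmpeg failed: ' . implode("\n", $output));
        throw new RuntimeException('transcoding failed');
    }
    return $destFile;
}

// Usage (assumed form field name 'video'):
// $src = storeUpload($_FILES['video']);
// $out = transcode($src);
```

The exit code and captured output are checked rather than ignored, which is what makes the size limits and path restrictions from the first answer enforceable: a rejected input shows up as a logged failure instead of a hung request. The lock-file slot is a deliberately simple stand-in for a proper job queue; it only limits concurrency on one host.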

Source: https://habr.com/ru/post/1391900/
