
I sent $data (array) from one server to another as shown below. When it gets to the second server, the $data elements are obviously urlencoded. On the second server, I wish to use some of the $data in exec(). Even though I pass a hash and make sure it is valid on the other end, I would still like to escapeshellarg() as appropriate. Since the $data elements are already urlencoded, how should I apply escapeshellarg()? Thanks

curl_setopt($ch,CURLOPT_POSTFIELDS,flatten_GP_array($data));

function flatten_GP_array(array $var,$prefix = false)
{
    // Used for cURL routines when sending a multi-dimensional array
    $return = array();
    foreach($var as $idx => $value){
        if(is_scalar($value)){
            if($prefix){$return[$prefix.'['.$idx.']'] = urlencode($value);}
            else {$return[$idx] = urlencode($value);}
        }
        // Recurse into nested arrays, extending the bracketed key prefix
        else {$return = array_merge($return,flatten_GP_array($value,$prefix ? $prefix.'['.$idx.']' : $idx));}
    }
    return $return;
}
user1032531
  • Even with hashing and escaping I would strongly advise not to do this. – flu Jan 11 '13 at 15:11
  • @flu. Why not? My purpose for doing so is a fax server. My web server sends some data to the fax server, and the fax server sends out a fax. The fax software requires exec(). Now that I am writing this, I am asking myself whether a SOAP client/server would be better... – user1032531 Jan 11 '13 at 15:18
  • Because you're hashing your data I think that your fax server is publicly available and even though you're going to escape the parameters there's still a big injection risk. If possible define fixed parameters for your "protocol" and interpret them on the side of your fax server. It's just I would never send any parameter directly to the shell, a database query or similar security relevant systems. – flu Jan 11 '13 at 15:24
  • don't escape on the client for this. you ALWAYS escape on the server, just before you use the data in whatever context you need to do the escaping for. e.g. if you escape on the client, a malicious user will forge a request and send something un-escaped. boom goes your server. e.g. skip the entire escaping business on the client and do it purely server-side. – Marc B Jan 11 '13 at 15:25
  • @flu. Some of the parameters being sent are the message/name/etc, and they cannot be fixed. The fax application takes this data and creates a fax coversheet and sends the fax. The shell needs to initiate the fax application. Since the parameters are suspect, they need to be appropriately escaped. Maybe I can escapeshellarg() the already urlencoded data, or should I un-urlencode the data? – user1032531 Jan 11 '13 at 15:44
  • @MarcB. Agree about needing to always escape at the end. Purpose of escaping on the webserver (which is actually a fax client for this given purpose) is only to allow multidimensional data to be passed via cURL. – user1032531 Jan 11 '13 at 15:46

1 Answer


I would advise you to encrypt your data with a very long encryption key which only your host and your server know.

You can use this encryption/decryption class (StackOverflow) from John Conde.

For the sake of simplicity I would then simply serialize your $data array, encrypt it and send it to your server.

$urlData = Encryption::encrypt(serialize($data));
curl_setopt($ch,CURLOPT_POSTFIELDS,array('data' => $urlData));

On the side of your FAX server, just decrypt the data and unserialize it again:

$data = unserialize(Encryption::decrypt($dataParameterFromUrl));

Server-side you now have the exact same data you had on your client and can do whatever you want with it.

Furthermore you could use something like challenge response to verify your host.

flu
  • Thanks flu. So at this point, you would consider the data secure and not use escapeshellarg()? – user1032531 Jan 11 '13 at 16:25
  • I always use it (if I have to invoke shell commands). But I also think that you need to use it because you stated you're going to send the FAX message body as command line parameter too. If that's the case you have to escape them just to support quotes which would otherwise break your command line input. If possible write the body to a file and let the fax application read that file. – flu Jan 11 '13 at 16:30
  • Thanks again for your help. Different question but would you use cURL or SOAP? – user1032531 Jan 11 '13 at 16:35
  • cURL is just a transfer library while SOAP is a protocol (whose implementation might use cURL). If you only have this scenario I would use cURL for simplicity. – flu Jan 11 '13 at 16:44
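
An added example, not part of the original posts, of the order the comments above recommend on the receiving server: undo the urlencode() first, validate, write the message body to a file, and apply escapeshellarg() as the last step. The fax binary path, its options and the field names `to`, `name` and `message` are hypothetical, and the sample input is constructed.

```php
<?php
// FAX_BIN, its options and the field names are hypothetical placeholders.
const FAX_BIN = '/usr/local/bin/fax-send';

// Assumption: values still carry the sender's explicit urlencode() layer.
function field(array $post, string $key): string
{
    return urldecode((string)($post[$key] ?? ''));
}

// Keep the free-text body off the command line: write it to a temp file.
function write_body_file(array $post): string
{
    $path = tempnam(sys_get_temp_dir(), 'fax');
    if ($path === false || file_put_contents($path, field($post, 'message')) === false) {
        throw new RuntimeException('cannot write fax body');
    }
    return $path;
}

function build_fax_command(array $post, string $bodyFile): string
{
    $to   = field($post, 'to');
    $name = field($post, 'name');
    // Validate the decoded values before they go anywhere near the shell.
    if (!preg_match('/^\+?[0-9]{5,15}$/D', $to)) {
        throw new InvalidArgumentException('invalid fax number');
    }
    if ($name === '' || strlen($name) > 100 || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        throw new InvalidArgumentException('invalid recipient name');
    }
    // Escape each argument on its own, as the last step before exec().
    return implode(' ', [
        escapeshellarg(FAX_BIN),
        '--to', escapeshellarg($to),
        '--name', escapeshellarg($name),
        '--body-file', escapeshellarg($bodyFile),
    ]);
}

// Constructed input, shaped like what flatten_GP_array() sends.
$post = [
    'to'      => urlencode('+15551230000'),
    'name'    => urlencode("O'Brien; echo injected"),
    'message' => urlencode('Call me back: "urgent" $(id)'),
];
$file = write_body_file($post);
echo build_fax_command($post, $file), PHP_EOL; // hand this string to exec()
unlink($file);
```

Escaping the still-encoded string would protect the wrong bytes: the fax program would receive `%27` instead of the apostrophe, and any later decode would reintroduce unescaped characters.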