逃避 Shell 回声
我试着做我的研究,有很多方法可以调用 shell 命令,甚至有更多的方法可以去除有害字符,我将在 stackoverflow 上寻求专家的最佳推荐。
我希望找到像我见过的其他语言一样的东西,因此向命令发送参数实际上是通过函数传递的,例如:
do_command("ls", "-l", $Directory);
它会为您处理 $Directory 变量中任何有害的内容。我还没有在 PHP 中找到这个。
这是我正在使用的代码:
<?php
session_start();
$AdminEmail = "[email protected]";
$CatalogEmails = array("");
$QuoteEmails = array("");
$PartsEmails = array("");
$Subject = $_SESSION['Email_Subject'];
$Body = $_SESSION['Email_Body'];
$Headers = $_SESSION['Email_Headers'];
$Type = $_SESSION['Type'];
msmtp($AdminEmail, $Subject, $Body, $Headers, "meyers");
if ($Type == "Catalog") {
foreach ($CatalogEmails as $AdditionalEmail) {
msmtp($AdditionalEmail, $Subject, $Body, $Headers, "meyers");
}
} else if ($Type == "Quote") {
foreach ($QuoteEmails as $AdditionalEmail) {
msmtp($AdditionalEmail, $Subject, $Body, $Headers, "meyers");
}
} else if ($Type == "Parts") {
foreach ($PartsEmails as $AdditionalEmail) {
msmtp($AdditionalEmail, $Subject, $Body, $Headers, "meyers");
}
}
function msmtp($To, $Subject, $Body, $Headers, $Account) {
$Email = "To: $To\nSubject: $Subject\n$Headers\n\n$Body\n";
exec("echo \"$Email\" | msmtp --account=$Account $To");
}
session_destroy();
?>
我知道有一个内置的 PHP 邮件函数几乎可以解决这个问题,但我正在运行多个 SMTP 服务器,并且 msmtp
是我的一个程序根据发送电子邮件所用的“帐户”来发送电子邮件。在这种情况下,它将是“meyers”帐户。
所有会话变量都包含 HTML(
的 等),其中包含一些
$_POST
变量以及。我使用 PHP 5.3,所以没有魔术引号。
我知道使用 echo 是一种可怕的方式,这就是我来 stackoverflow 的原因。我的目标是,尽管他们对我提出了任何疯狂的要求,但电子邮件仍能顺利通过。我知道 shell/bash 很挑剔——我认为它不仅仅是转义双引号。
我尝试使用 escapeshellcmd
escapeshellarg
和 htmlentities
,它们都转义太多或弄乱了电子邮件中的 HTML。
I tried to do my research, there is just an abundance of ways to call shell commands, and even more ways to strip harmful characters that I am coming to stackoverflow for an expert's best recommendation.
I was hoping to find something like I've seen other languages so where sending arguments to a command are actually passed through a function, like:
do_command("ls", "-l", $Directory);
and it will take care of anything harmful in the $Directory variable for you. I haven't quite found this with PHP.
This is the code I am working with:
<?php
session_start();
$AdminEmail = "[email protected]";
$CatalogEmails = array("");
$QuoteEmails = array("");
$PartsEmails = array("");
$Subject = $_SESSION['Email_Subject'];
$Body = $_SESSION['Email_Body'];
$Headers = $_SESSION['Email_Headers'];
$Type = $_SESSION['Type'];
msmtp($AdminEmail, $Subject, $Body, $Headers, "meyers");
if ($Type == "Catalog") {
foreach ($CatalogEmails as $AdditionalEmail) {
msmtp($AdditionalEmail, $Subject, $Body, $Headers, "meyers");
}
} else if ($Type == "Quote") {
foreach ($QuoteEmails as $AdditionalEmail) {
msmtp($AdditionalEmail, $Subject, $Body, $Headers, "meyers");
}
} else if ($Type == "Parts") {
foreach ($PartsEmails as $AdditionalEmail) {
msmtp($AdditionalEmail, $Subject, $Body, $Headers, "meyers");
}
}
function msmtp($To, $Subject, $Body, $Headers, $Account) {
$Email = "To: $To\nSubject: $Subject\n$Headers\n\n$Body\n";
exec("echo \"$Email\" | msmtp --account=$Account $To");
}
session_destroy();
?>
I know there is a built-in PHP mail function that pretty much would take care of this, but I am running multiple SMTP servers and the msmtp
is a program I use that sends emails based on the "account" the email will be sent under. In this case it will be the "meyers" account.
All the sessions variables contain HTML (<br>
's <b>
's, etc) with some $_POST
vars in there as well. I use PHP 5.3 so no magic quotes.
I know using an echo is a horrid way, which is why I am coming to stackoverflow. My goal here is that the email will go through despite any kind of crazy character they throw at me. I know the shell/bash is picky-- I assume it's much more than just escaping double quotes.
I tried using escapeshellcmd
escapeshellarg
and htmlentities
, they all escape too much or mess up the HTML in the email.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
将电子邮件内容写入文件,然后将文件内容重定向作为 msmtp 命令的输入。
Write the email content to a file, then redirect the file content as the input to the msmtp command.
PHP 使用 Bourne shell (sh) 还是 Bash?无论哪种情况,使用
printf
可能会更好:如果您使用的是 Bash,则可以尝试其
printf
的引用功能:Is PHP using the Bourne shell (sh) or Bash? In either case, it might be better if you use
printf
:If you are using Bash, you can try the quoting feature of its
printf
: