逃避 Shell 回声

发布于 2024-10-18 14:45:02 字数 2041 浏览 6 评论 0原文

我试着做我的研究,有很多方法可以调用 shell 命令,甚至有更多的方法可以去除有害字符,我将在 stackoverflow 上寻求专家的最佳推荐。

我希望找到像我见过的其他语言一样的东西,因此向命令发送参数实际上是通过函数传递的,例如:

do_command("ls", "-l", $Directory);

它会为您处理 $Directory 变量中任何有害的内容。我还没有在 PHP 中找到这个。

这是我正在使用的代码:

<?php
    session_start();

    $AdminEmail = "[email protected]";
    $CatalogEmails = array("");
    $QuoteEmails = array("");
    $PartsEmails = array("");

    $Subject = $_SESSION['Email_Subject'];
    $Body = $_SESSION['Email_Body'];
    $Headers = $_SESSION['Email_Headers'];
    $Type = $_SESSION['Type'];

    msmtp($AdminEmail, $Subject, $Body, $Headers, "meyers");

    if ($Type == "Catalog") {
        foreach ($CatalogEmails as $AdditionalEmail) {
            msmtp($AdditionalEmail, $Subject, $Body, $Headers, "meyers");
        }
    } else if ($Type == "Quote") {
        foreach ($QuoteEmails as $AdditionalEmail) {
            msmtp($AdditionalEmail, $Subject, $Body, $Headers, "meyers");
        }
    } else if ($Type == "Parts") {
        foreach ($PartsEmails as $AdditionalEmail) {
            msmtp($AdditionalEmail, $Subject, $Body, $Headers, "meyers");
        }
    }

    function msmtp($To, $Subject, $Body, $Headers, $Account) {
        $Email = "To: $To\nSubject: $Subject\n$Headers\n\n$Body\n";
        exec("echo \"$Email\" | msmtp --account=$Account $To");
    }

    session_destroy();
?>

我知道有一个内置的 PHP 邮件函数几乎可以解决这个问题,但我正在运行多个 SMTP 服务器,并且 msmtp 是我的一个程序根据发送电子邮件所用的“帐户”来发送电子邮件。在这种情况下,它将是“meyers”帐户。

所有会话变量都包含 HTML(
等),其中包含一些 $_POST 变量以及。我使用 PHP 5.3,所以没有魔术引号。

我知道使用 echo 是一种可怕的方式,这就是我来 stackoverflow 的原因。我的目标是,尽管他们对我提出了任何疯狂的要求,但电子邮件仍能顺利通过。我知道 shell/bash 很挑剔——我认为它不仅仅是转义双引号。

我尝试使用 escapeshellcmd escapeshellarghtmlentities,它们都转义太多或弄乱了电子邮件中的 HTML。

I tried to do my research, there is just an abundance of ways to call shell commands, and even more ways to strip harmful characters that I am coming to stackoverflow for an expert's best recommendation.

I was hoping to find something like I've seen other languages so where sending arguments to a command are actually passed through a function, like:

do_command("ls", "-l", $Directory);

and it will take care of anything harmful in the $Directory variable for you. I haven't quite found this with PHP.

This is the code I am working with:

<?php
    session_start();

    $AdminEmail = "[email protected]";
    $CatalogEmails = array("");
    $QuoteEmails = array("");
    $PartsEmails = array("");

    $Subject = $_SESSION['Email_Subject'];
    $Body = $_SESSION['Email_Body'];
    $Headers = $_SESSION['Email_Headers'];
    $Type = $_SESSION['Type'];

    msmtp($AdminEmail, $Subject, $Body, $Headers, "meyers");

    if ($Type == "Catalog") {
        foreach ($CatalogEmails as $AdditionalEmail) {
            msmtp($AdditionalEmail, $Subject, $Body, $Headers, "meyers");
        }
    } else if ($Type == "Quote") {
        foreach ($QuoteEmails as $AdditionalEmail) {
            msmtp($AdditionalEmail, $Subject, $Body, $Headers, "meyers");
        }
    } else if ($Type == "Parts") {
        foreach ($PartsEmails as $AdditionalEmail) {
            msmtp($AdditionalEmail, $Subject, $Body, $Headers, "meyers");
        }
    }

    function msmtp($To, $Subject, $Body, $Headers, $Account) {
        $Email = "To: $To\nSubject: $Subject\n$Headers\n\n$Body\n";
        exec("echo \"$Email\" | msmtp --account=$Account $To");
    }

    session_destroy();
?>

I know there is a built-in PHP mail function that pretty much would take care of this, but I am running multiple SMTP servers and the msmtp is a program I use that sends emails based on the "account" the email will be sent under. In this case it will be the "meyers" account.

All the sessions variables contain HTML (<br>'s <b>'s, etc) with some $_POST vars in there as well. I use PHP 5.3 so no magic quotes.

I know using an echo is a horrid way, which is why I am coming to stackoverflow. My goal here is that the email will go through despite any kind of crazy character they throw at me. I know the shell/bash is picky-- I assume it's much more than just escaping double quotes.

I tried using escapeshellcmd escapeshellarg and htmlentities, they all escape too much or mess up the HTML in the email.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

时光与爱终年不遇 2024-10-25 14:45:02

将电子邮件内容写入文件,然后将文件内容重定向作为 msmtp 命令的输入。

file_put_contents($tempfile,$Email);
exec("msmtp --account=$Account $To < $tempfile");

Write the email content to a file, then redirect the file content as the input to the msmtp command.

file_put_contents($tempfile,$Email);
exec("msmtp --account=$Account $To < $tempfile");
小忆控 2024-10-25 14:45:02

PHP 使用 Bourne shell (sh) 还是 Bash?无论哪种情况,使用 printf 可能会更好:

exec("printf '%s' '$Email' | msmtp --account=$Account $To");

如果您使用的是 Bash,则可以尝试其 printf 的引用功能:

exec("printf '%q' '$Email' | msmtp --account=$Account $To");

Is PHP using the Bourne shell (sh) or Bash? In either case, it might be better if you use printf:

exec("printf '%s' '$Email' | msmtp --account=$Account $To");

If you are using Bash, you can try the quoting feature of its printf:

exec("printf '%q' '$Email' | msmtp --account=$Account $To");
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文