GNUPG escaping echoed data in shell_exec

Posted 2024-12-04 09:05:37

I really want to go about this securely, as there is customer data involved.

I am using GNUPG via the command line because I am on shared hosting, and the PHP class is not available. So my code is as follows:

putenv("GNUPGHOME=/home/me/.gnupg");

$gpg = '/usr/bin/gpg';
$gpgrecipient = 'email';
$mailrecp = 'email';
$plain = 'Here is the encrypted Text Here is the encrypted Text Here is the
    encrypted Text Here is the encrypted Text Here is the encrypted Text Here is the
    encrypted Text Here is the encrypted Text Here is the encrypted Text Here is the  
    encrypted Text';



$encrypted = shell_exec("echo {$plain} | {$gpg} --no-auto-check-trustdb --lock-never -e -a -r {$gpgrecipient} ");

So, how do I go about escaping $plain, while preserving data integrity?

If I just use escapeshellcmd() it tends to mess up formatting.

I am a bit leery of saving anything out to a file because it is sensitive data on shared hosting.

Comments (2)

撩人痒 2024-12-11 09:05:37

I don't know php very well, but have you considered using proc_open rather than shell_exec? It seems cleaner than invoking a shell command to echo the input and pipe it to gpg.

But if you'd rather use proc_open, consider using printf rather than echo -n; it has better defined behavior. For example (untested):

$encrypted = shell_exec("printf '%s' '{$plain}' | {$gpg} ...");

With echo, you run the risk that the echo command (which could be either a shell built-in or the /bin/echo command) might interpret some of its arguments as something other than strings to be printed.
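
The proc_open route suggested in this answer, as an added example that is not part of the original thread: the plaintext is written to gpg's stdin, so it never appears in a command string and no escaping or temporary file is involved. `gpg_encrypt()` and its parameter names are hypothetical; the sketch assumes PHP 7.4 or later and a host that permits proc_open.

```php
<?php
// Added example; gpg_encrypt() is a hypothetical helper, not code from the thread.
// Assumes PHP >= 7.4: an array command makes proc_open() exec gpg without a shell,
// so $plain and $recipient are never parsed as shell syntax and nothing touches disk.
function gpg_encrypt(string $plain, string $recipient,
                     string $gpg = '/usr/bin/gpg', string $home = '/home/me/.gnupg'): string
{
    // Same options as the question, plus --batch so gpg never waits for a prompt.
    $cmd  = [$gpg, '--batch', '--no-auto-check-trustdb', '--lock-never',
             '-e', '-a', '-r', $recipient];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $env  = array_merge(getenv(), ['GNUPGHOME' => $home]);
    $proc = proc_open($cmd, $spec, $pipes, null, $env);
    if (!is_resource($proc)) { throw new RuntimeException('could not start gpg'); }
    foreach ($pipes as $p) { stream_set_blocking($p, false); }
    [$stdin, $sent, $out] = [$pipes[0], 0, [1 => '', 2 => '']];
    $read = [1 => $pipes[1], 2 => $pipes[2]];
    // Feed stdin and drain stdout/stderr together so a full pipe cannot deadlock.
    while ($read) {
        [$r, $w, $e] = [$read, $stdin ? [$stdin] : [], []];
        if (!stream_select($r, $w, $e, 30)) {
            proc_terminate($proc);
            throw new RuntimeException('gpg I/O stalled');
        }
        if ($w) {
            $n = fwrite($stdin, substr($plain, $sent, 8192));
            $sent += (int) $n;
            if ($n === false || $sent >= strlen($plain)) {
                fclose($stdin);          // EOF tells gpg the message is complete
                $stdin = null;
            }
        }
        foreach ($r as $s) {
            $fd = array_search($s, $read, true);
            $out[$fd] .= (string) fread($s, 8192);
            if (feof($s)) { fclose($s); unset($read[$fd]); }
        }
    }
    if ($stdin) { fclose($stdin); }      // gpg exited before reading everything
    $code = proc_close($proc);
    if ($code !== 0) { throw new RuntimeException("gpg exited with $code: " . trim($out[2])); }
    return $out[1];
}

// Constructed sample input: quotes, $(...), backticks and newlines reach gpg as plain bytes.
if (PHP_SAPI === 'cli' && isset($argv[1])) {   // usage: php example.php <recipient>
    echo gpg_encrypt("O'Brien \$(id) `id`\nline 2\n", $argv[1]);
}
```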

如若梦似彩虹 2024-12-11 09:05:37

Have you tried using escapeshellarg? And echo adds a newline to the end of the string on the output, so you might want to use -n: Demo

<?php

$gpg = '/usr/bin/gpg';
$gpgrecipient = 'email';
$mailrecp = 'email';
$plain = 'Here is the encrypted Text Here is the encrypted Text Here is the
    encrypted Text Here is the encrypted Text Here is the encrypted Text Here is the
    encrypted Text Here is the encrypted Text Here is the encrypted Text Here is the  
    encrypted Text';


$plain = escapeshellarg($plain);

$cmd = "echo -n {$plain} | {$gpg} --no-auto-check-trustdb --lock-never -e -a -r {$gpgrecipient} ";

echo $cmd;