<?php
/**
* OWASP Enterprise Security API (ESAPI)
*
* This file is part of the Open Web Application Security Project (OWASP)
* Enterprise Security API (ESAPI) project.
*
* PHP version 5.2
*
* LICENSE: This source file is subject to the New BSD license. You should read
* and accept the LICENSE before you use, modify, and/or redistribute this
* software.
*
* @category OWASP
* @package ESAPI_Reference
* @author Mike Boberski <boberski_michael@bah.com>
* @author Linden Darling <linden.darling@jds.net.au>
* @copyright 2009-2010 The OWASP Foundation
* @license http://www.opensource.org/licenses/bsd-license.php New BSD license
* @version SVN: $Id$
* @link http://www.owasp.org/index.php/ESAPI
*/
require_once dirname(__FILE__).'/../Executor.php';
/**
* Reference Implementation of the Executor interface.
*
* @category OWASP
* @package ESAPI_Reference
* @author Mike Boberski <boberski_michael@bah.com>
* @author Linden Darling <linden.darling@jds.net.au>
* @copyright 2009-2010 The OWASP Foundation
* @license http://www.opensource.org/licenses/bsd-license.php New BSD license
* @version Release: @package_version@
* @link http://www.owasp.org/index.php/ESAPI
*/
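class DefaultExecutor implements Executor
{
    // Logger
    private $_auditor = null;
    private $_ApplicationName = null;
    private $_LogEncodingRequired = null;
    private $_LogLevel = null;
    private $_LogFileName = null;
    private $_MaxLogFileSize = null;
    //SecurityConfiguration
    private $_config = null;

    /**
     * Executor constructor.
     *
     * Obtains the 'Executor' auditor and the active security configuration
     * from the ESAPI locator; both are used by every execute call.
     *
     * @return does not return a value.
     */
    public function __construct()
    {
        $this->_auditor = ESAPI::getAuditor('Executor');
        $this->_config = ESAPI::getSecurityConfiguration();
    }

    /**
     * @inheritdoc
     *
     * Convenience form: uses the working directory from the security
     * configuration and does not log parameters.
     */
    public function executeSystemCommand($executable, $params)
    {
        $workdir = $this->_config->getWorkingDirectory();
        $logParams = false;
        return $this->executeSystemCommandLonghand(
            $executable, $params, $workdir, $logParams
        );
    }

    /**
     * @inheritdoc
     *
     * The executable must exist, must be given by its canonical path, and
     * must appear in the configured list of allowed executables. Each entry
     * of $params is escaped as a single shell argument (escapeshellarg), so
     * spaces and shell metacharacters inside a parameter cannot split it
     * into extra arguments or terminate the command.
     *
     * @throws ExecutorException when any check fails; the failure is also
     *                           written to the security audit log.
     */
    public function executeSystemCommandLonghand($executable, $params, $workdir,
        $logParams
    ) {
        try {
            // executable must exist
            $resolved = $this->_expandWindowsEnvPath($executable);
            if (!file_exists($resolved)) {
                throw new ExecutorException(
                    "Execution failure, No such ".
                    "executable: $executable"
                );
            }
            // executable must use canonical path (no symlinks, '..' or
            // relative components), otherwise the allow-list check below
            // could be bypassed by an alias of an approved path
            if (strcmp($resolved, realpath($resolved)) != 0) {
                throw new ExecutorException(
                    "Execution failure, Attempt ".
                    "to invoke an executable using a non-absolute path: [".realpath($resolved)."] != [$executable]"
                );
            }
            // exact, absolute, canonical path to executable must be listed
            // in ESAPI configuration. The comparison is strict; the list is
            // cast to array so a missing configuration value still rejects
            // instead of emitting a warning.
            $approved = (array) $this->_config->getAllowedExecutables();
            if (!in_array($executable, $approved, true)) {
                throw new ExecutorException(
                    "Execution failure, Attempt to invoke executable that ".
                    "is not listed as an approved executable in ESAPI ".
                    "configuration: ".$executable . " not listed in " .
                    implode(', ', $approved)
                );
            }
            // escape each parameter as one shell argument. A null or
            // non-array $params is treated as "no parameters".
            $escaped = array();
            foreach ((array) $params as $param) {
                $escaped[] = escapeshellarg((string) $param);
            }
            // working directory must exist
            $resolved_workdir = $this->_expandWindowsEnvPath($workdir);
            if (!file_exists($resolved_workdir)) {
                throw new ExecutorException(
                    "Execution failure, No such".
                    " working directory for running executable: $workdir"
                );
            }
            // run the command
            // NOTE(review): $workdir is only validated here; nothing below
            // changes directory, so the child runs in the PHP process's
            // current directory. Callers relying on $workdir should confirm.
            // NOTE(review): $logParams is accepted for interface
            // compatibility; the audit entry written below does not
            // include parameters regardless of its value.
            $command = $executable;
            if (count($escaped) > 0) {
                $command .= ' ' . implode(' ', $escaped);
            }
            $output = shell_exec($command);
            return $output;
        } catch (ExecutorException $e) {
            $this->_auditor->warning(Auditor::SECURITY, true, $e->getMessage());
            // rethrow the same instance so the original trace is kept
            throw $e;
        }
    }

    /**
     * Expands a leading %VAR% environment-variable reference on Windows.
     *
     * On non-Windows hosts the path is returned unchanged. On Windows a
     * path of the form "%VAR%rest" becomes getenv('VAR') . 'rest'; when
     * getenv() fails the variable expands to the empty string, matching
     * the previous behaviour. Paths with fewer than two '%' characters are
     * returned unchanged, so explode() can never yield undefined offsets.
     *
     * @param string $path Path that may begin with a %VAR% reference.
     *
     * @return string The expanded path.
     */
    private function _expandWindowsEnvPath($path)
    {
        if (substr(PHP_OS, 0, 3) != 'WIN') {
            return $path;
        }
        if (substr_count($path, '%') < 2) {
            return $path;
        }
        $parts = explode('%', $path);
        $value = getenv($parts[1]);
        if ($value === false) {
            $value = '';
        }
        // keep any '%' characters that follow the first reference intact
        $rest = implode('%', array_slice($parts, 2));
        return $value . $rest;
    }
}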
?>