我在Linux上使用Exiv2命令行工具来编辑图像元数据,如下所示:
exiv2 -M"set Iptc.Application2.Caption String This is my caption....." modify IMG.jpg
我想使用用户提供的标题从PHP执行此操作.如果用户不输入任何特殊字符,这将起作用:
exec('/usr/local/bin/exiv2 -M"set Iptc.Application2.Caption String '.$caption.'" modify IMG.jpg');
我需要允许用户使用特殊字符,例如单引号和双引号.我想使用escapeshellcmd()来防止恶意数据.我如何正确地转义命令和参数,以便其起作用?我尝试了很多选择,但我做对了.
解决方法:
是的,这是一个难题,因为该命令使用的是非标准的shell参数(例如它自己的小元语言). ImageMagick具有相同的问题.
如果仅在双引号引起来的字符串中使用escapeshellarg(),它将变为无用的. escapeshellcmd()会转义所有特殊字符,并且可以安全地用于双引号字符串中.因此,您需要对单引号进行硬编码,以使其正常工作.
exec('/usr/local/bin/exiv2 -M"set Iptc.Application2.Caption String \'' . escapeshellcmd($caption) . '\'" modify IMG.jpg');
escapeshellarg()在单引号字符串中不起作用的原因是:
# for this input:
The smith's "; rm -rf *; echo "went to town
# after escapeshellarg()
'The smith\'s "; rm -rf *; echo "went to town'
# Works fine if left as a top-level argument
/usr/bin/command 'The smith\'s "; rm -rf *; echo "went to town'
# BUT if put in a double-quoted string:
/usr/bin/command "subcommand1 'The smith\'s "; rm -rf *; echo "went to town'"
# it is broken into 3 shell commands:
/usr/bin/command "something and 'The smith\'s ";
rm -rf *;
echo "went to town'"
# bad day...
标签:escaping,exec,php,exiv2
来源: https://codeday.me/bug/1024/1920472.html
