
Commit aba5490

minor #45197 [Process] Update PHPDoc to use proper placeholder syntax (chrismcgehee)
This PR was squashed before being merged into the 4.4 branch.

Discussion
----------

[Process] Update PHPDoc to use proper placeholder syntax

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | no
| New feature?  | no
| Deprecations? | no
| Tickets       | no
| License       | MIT
| Doc PR        | no

I'd like to add this PHPDoc comment to help make sure `Process::fromShellCommandline` is used securely. The other day, one of the developers at my company wrote some code that was roughly like:

```php
$process = Process::fromShellCommandline('find $FILENAME');
$process->run(null, ['FILENAME' => $fileName]);
```

Since `$fileName` is user input, he thought he was doing the secure thing by using placeholders. The issue is that a malicious user could have utilized the `-exec` option of `find` to gain arbitrary code execution, for example `$fileName = '. -exec echo Foo! ;'`. This can be fixed by simply surrounding `$FILENAME` with double quotes because this passes the input as a single argument to `find` instead of passing it as multiple arguments. I believe there are enough programs out there that can be manipulated if an attacker is able to control multiple arguments that it's worth putting a warning here to help prevent the mistake of not surrounding placeholders with quotes.

Commits
-------

a2ecf08 [Process] Update PHPDoc to use proper placeholder syntax
2 parents fa6a03a + a2ecf08 commit aba5490
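The argument-splitting problem described in the commit message reduces to ordinary shell word splitting, because on POSIX systems `Process::fromShellCommandline` hands the command line to `sh -c` with the placeholder values in the environment. The script below is an added example, not code from the Symfony commit or the Symfony project; it reproduces the `find $FILENAME` case with plain `sh -c`, using a stand-in `argc` function so the argument count can be checked, and then runs the real `find` both ways in a throwaway directory. The payload string and the `argc`/`demo_find` helper names are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not part of the Symfony commit): show why a placeholder in a
# Process::fromShellCommandline() command line must be kept inside double quotes.
# Process runs the command line through `sh -c` with the values in the
# environment, so these functions model that directly.

# Constructed attacker-controlled value from the commit message: intended to
# turn `find <path>` into `find . -exec echo Foo! ;`.
payload='. -exec echo Foo! ;'

# Model of Process::fromShellCommandline('find $FILENAME'): the shell splits
# the expansion on whitespace, so the command receives several arguments.
# `argc` stands in for `find` and just prints how many arguments it got.
unquoted_argc() {
    FILENAME="$1" sh -c 'argc() { echo "$#"; }; argc $FILENAME'
}

# Model of Process::fromShellCommandline('find "$FILENAME"'): the value reaches
# the command as exactly one argument, whatever characters it contains.
quoted_argc() {
    FILENAME="$1" sh -c 'argc() { echo "$#"; }; argc "$FILENAME"'
}

# Run the real `find` both ways inside a temporary directory with one file.
# Unquoted: find executes the injected -exec and prints "Foo!" per entry.
# Quoted: find looks for a path literally named ". -exec echo Foo! ;" and fails.
demo_find() {
    dir=$(mktemp -d)
    : > "$dir/sample.txt"
    echo "unquoted placeholder:"
    (cd "$dir" && FILENAME="$1" sh -c 'find $FILENAME')
    echo "quoted placeholder:"
    (cd "$dir" && FILENAME="$1" sh -c 'find "$FILENAME"') || true
    rm -rf "$dir"
}

echo "arguments seen, unquoted: $(unquoted_argc "$payload")"
echo "arguments seen, quoted:   $(quoted_argc "$payload")"
demo_find "$payload"
```

The quoted form gives `find` a single (nonexistent) path and fails closed, while the unquoted form lets the value supply options and an `-exec` action; the same holds for any tool whose options can be injected once an attacker controls more than one argument.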

1 file changed

+1
-1
lines changed

src/Symfony/Component/Process/Process.php

Lines changed: 1 addition & 1 deletion
@@ -177,7 +177,7 @@ public function __construct($command, string $cwd = null, array $env = null, $in
177177
* In order to inject dynamic values into command-lines, we strongly recommend using placeholders.
178178
* This will save escaping values, which is not portable nor secure anyway:
179179
*
180-
* $process = Process::fromShellCommandline('my_command "$MY_VAR"');
180+
* $process = Process::fromShellCommandline('my_command "${:MY_VAR}"');
181181
* $process->run(null, ['MY_VAR' => $theValue]);
182182
*
183183
* @param string $command The command line to pass to the shell of the OS
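Review bot: the docblock still does not say why the placeholder has to stay inside double quotes, which is exactly the mistake this change is meant to prevent (the example on lines 180-181 of the hunk). The commit message explains that an unquoted placeholder is split by the shell into several arguments (the `find $FILENAME` case where `-exec` was injected), but a reader who only sees the example has no reason not to drop the quotes. Suggest adding one sentence after the example, e.g. `* Always keep the placeholder inside double quotes; an unquoted one is split into several arguments by the shell.` so the quoting is understood as a requirement rather than a style choice. Line 178's "This will save escaping values" could also state the property that matters here: the value is passed as a single argument even when it contains spaces or shell metacharacters.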
