Hitting your website with a pipe

Saturday, September 6, 2008, 12:44 AM
Source Code by John (Article #227)

UPDATE: I cannot for the life of me get a pipe past my scrubbing script. And I'm not going to break working code just to illustrate a point. So, when you see the word [PIPE]. assume it means the broken vertical bar character...

Here's a cool little character: the pipe. It's SHIFT + backslash on your keyboard.

That little guy is a pipe. And with the rising interest in using server-side Linux command-line apps to handle a variety of tasks -- for example, most video uploads sites are using ffmpeg at some point in their process -- the pipe is of rising importance.

Advertisements

In Linux, a pipe allows you to pass the results of one command-line app to another command-line app. To pick an obvious example, you can combine LS and GREP like so...

ls [PIPE] grep 'flv'

This command lists the contents of the current directory, then dumps those contents to the greap command, which would sort out all the FLV files. And you can endlessly pipe commands on and on. It's a pretty cool trick when you get right down to it. Imagine being able to batch process images, OCR them, move them to a new directory, rename them, staple them and mail them to Mars. That's what pipes do.

But, from a website standpoint, pipes can represent an awful danger. Because, if you're invoking something like PHP's EXEC function without scrubbing your inputs, it is possible for someone to pipe a new command right into the command you are EXECing.

Think about it: it is a gateway for someone to execute a server-side command with full read-write access at least within the current directory.

Ouch.

Suddenly something soooo awesome becomes sooooo suckie, right?

Well, not really.

For the most part, if you attack input scrubbing as a least-privilege problem, it's not a big deal. Using a function like PREG_REPLACE, it isn't hard to remove pipes and leave whatever characters you do need for the command to execute.

Yeah, I know, I'm a bit cavalier in my desire to allow such inputs. And it isn't something the beginner PHP coder should pursue. But, there's just so much cool stuff you can run on Linux. Why leave all those toys on the shelf when a little aggressive scrubbing is all it takes to bring them out of the toybox?

Mail article to a friend

Tools

Check Google PageRank

Recent articles

Welcome!

Wonder where to start with your web design business?

This blog follows along with my efforts to build and grow a website design business, Pro Content and Design.

The goal of this blog is to fill in blanks that may be empty as you get your business rolling.

This blog, particularly the source code section, is not intended for beginners. If you are not comfortable with databases, Ajax, DOM objects and other advanced methods, I strongly suggest you go take a look over at W3 Schools before even reading -- let alone tinkering with -- any of the code here.

I hope this blog has some value to web designers as they attempt to get their businesses going.

Good luck, and happy reading.

Thank you,
John Crawford
Pro Content and Design