[Remind-Fans] Behind the scenes.

David F. Skoll dfs at roaringpenguin.com
Thu Oct 30 20:37:49 EDT 2014


On Thu, 30 Oct 2014 20:11:23 -0400
"Theodore M Rolle, Jr." <stercor at gmail.com> wrote:

> PHP indeed has a system() call.

Please be aware that system() is a giant security trap.  (Well, so's
PHP but that's another tale...)

If an attacker can manipulate environment variables, you may be vulnerable
to shell bugs (cf Shellshock) because system() invokes /bin/sh

A much safer way is to run Remind as a coprocess.  See the PHP
proc_open function.  Also, see THE FLUSH COMMAND in the Remind man page.
It's a bit tricky to get this to work properly without deadlock, but it's
a much safer way to handle untrusted user-input.

If you're unfamiliar with a coprocess, the basic idea is to fire
up Remind with its stdin and stdout file handles connected to
PHP file descriptors.  The PHP code writes commands to Remind
on one file descriptor and reads the result on the other.
You can go back-and-forth like that with only one long-running
Remind process instead of a new process each time.

Regards,

David.


More information about the Remind-fans mailing list