The sensitive parameter of some sinks is incorrect
m4p1e opened this issue · 0 comments
m4p1e commented
ex:
```c
else if (zend_string_equals_literal(fname, "passthru") ||
         zend_string_equals_literal(fname, "system") ||
         zend_string_equals_literal(fname, "exec") ||
         zend_string_equals_literal(fname, "shell_exec") ||
         zend_string_equals_literal(fname, "proc_open") ||
         zend_string_equals_literal(fname, "popen")) {
    zval *cmd = ZEND_CALL_ARG(ex, arg_count);
    if (IS_STRING == Z_TYPE_P(cmd) && TAINT_POSSIBLE(Z_STR_P(cmd))) {
        php_taint_error(ZSTR_VAL(fname), "CMD statement contains data that might be tainted");
    }
}
```
The param of the cmd string is the last param in these function calls, but the system declaration is:

```
system ( string $command [, int &$return_var ] ) : string
```

So if I set the 2nd param of system, the taint will ignore the first param, which is actually the cmd string.
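
A model of the argument-position problem reported above, as an added example that is not part of the original issue or the project's code. The `arg_t` and `call_t` structs and the function names are hypothetical stand-ins for the Zend call frame, and the table assumes the command is the first parameter of each listed sink, as in the PHP manual signatures.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for a PHP call frame: not the Zend API. */
typedef struct { int is_string; int tainted; } arg_t;
typedef struct { const char *fname; size_t argc; const arg_t *argv; } call_t;

/* 1-based position of the command string for each sink in the issue's snippet. */
static const struct { const char *name; size_t cmd_pos; } sinks[] = {
    {"passthru", 1}, {"system", 1}, {"exec", 1},
    {"shell_exec", 1}, {"proc_open", 1}, {"popen", 1},
};

static size_t sink_cmd_pos(const char *fname) {
    for (size_t i = 0; i < sizeof sinks / sizeof sinks[0]; i++)
        if (strcmp(sinks[i].name, fname) == 0) return sinks[i].cmd_pos;
    return 0; /* not a command sink */
}

/* Behaviour described in the issue: inspect the last argument passed. */
int check_last_arg(const call_t *c) {
    if (!sink_cmd_pos(c->fname) || c->argc == 0) return 0;
    const arg_t *a = &c->argv[c->argc - 1];
    return a->is_string && a->tainted;
}

/* Position-aware check: inspect the declared command parameter. */
int check_cmd_arg(const call_t *c) {
    size_t pos = sink_cmd_pos(c->fname);
    if (!pos || c->argc < pos) return 0;
    const arg_t *a = &c->argv[pos - 1];
    return a->is_string && a->tainted;
}

/* Constructed calls: system($tainted) and system($tainted, $rc). */
static const arg_t one_arg[]  = { {1, 1} };
static const arg_t two_args[] = { {1, 1}, {0, 0} };
const call_t call_one = { "system", 1, one_arg };
const call_t call_two = { "system", 2, two_args };

int main(void) {
    printf("system($t):      last=%d cmd=%d\n", check_last_arg(&call_one), check_cmd_arg(&call_one));
    printf("system($t, $rc): last=%d cmd=%d\n", check_last_arg(&call_two), check_cmd_arg(&call_two));
    return 0;
}
```

With the optional second argument present, the last-argument check reports nothing while the position-aware check still flags the tainted command.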