Une Bévue wrote:
> Le 13/12/2016 à 23:42, J.O. Aho a écrit :
>> What's the exit status code?
>>
>> Have you verified that the path is correct? Is it a full path or a
>> relative path (in this case it may not be relative to the script
>> executed first)?
>
> full PATH
>
>> If your script takes all the files in the directory, but always missing
>> one file, then your outer loop has issues, as you haven't provided how
>> you get your $data in the first place, it's just a guessing game for us
>> who ain't mind readers.
>
> no the script is activated by :
>
> http://mbp.local/tests/Flipping_image/php/exiftool-json.php?PATH=/Users/yt/Sites/tests/Flipping_image/photos/glasgow.jpg

You are an obnoxious, anti-social pseudonymous address munger who does not
deserve this piece of advice. But to prevent you from harming others in
your blissful ignorance, and as a warning to others, I am making an
exception and replying:

You *really* do NOT want to do that. The least you want to do here is
call escapeshellarg($_GET['PATH']) before you pass it to exec(), so that
an attacker cannot execute *arbitrary code* on that box (see below for an
example of that).

But even then allowing *anyone* to access *any* file on that box poses a
great security risk. You must realize that as by your code any information
output by exiftool(1) is contained in the JSON HTTP response, an attacker
can determine which files are on that box, what is the file size, the file
modification and access times, the file permissions, and for which processor
architecture binaries have been compiled. Because exiftool(1) is much more
than just a tool to read EXIF (image) metadata.

Fasten your seatbelt and try

http://mbp.local/tests/Flipping_image/php/exiftool-json.php?PATH=/bin/sh

I can debug this manually, and make a good prediction as to what you will
get:

> and the whole script is :
>
> <?php
> $EXIFTOOL = "/usr/local/bin/exiftool";
> $SITES = "/Users/yt/Sites";
> $data = array();
processed
> if(isset($_GET['URL'])) {
false
> $data['URL'] = $_GET['URL'];
> $data['PATH'] = $SITES . $_GET['URL'];
> }
ignored
> if(isset($_GET['PATH'])) {
true
> $data['URL'] = explode($SITES, $_GET['PATH'], 2 )[1];
irrelevant
> $data['PATH'] = $_GET['PATH'];
$data['PATH'] = '/bin/sh';
> }
> header('Content-Type: application/javascript');
That is the *wrong* MIME media type for a JSON response. JSON is a data
format, not executable source code.
<http://json.org/>
<http://fr.wikipedia.org/wiki/JSON>
> date_default_timezone_set('Europe/Paris');
> setlocale(LC_CTYPE, 'fr_FR');
> error_reporting(E_ALL);
>
> function exifTool() {
> global $EXIFTOOL;
> global $data;
> $cmd = "$EXIFTOOL " . $data['PATH'];
$cmd = "/usr/local/bin/exiftool /bin/sh";
> exec($cmd, $Infos, $ExitStatus);
exec("/usr/local/bin/exiftool /bin/sh", $Infos, $ExitStatus);
Imagine what would have happened here if I had accessed
http://mbp.local/tests/…/php/exiftool-json.php?PATH=%2F%3Brm%20-rf%20%2F
(Just IMAGINE; DO NOT TRY this [at least not without changing “exec” to
“echo”]!)
> foreach($Infos as $line) {
> $fields = explode(' : ', $line, 2 );
> if(count($fields) == 2) {
AFAICS there will always be two fields with exiftool(1).
> $data[rtrim($fields[0])] = $fields[1];
> }
> }
>
> $data['ExitStatus'] = $ExitStatus;
$data = [
'URL' => 'something irrelevant',
'PATH' => '/bin/sh',
'ExifTool Version Number ' => '10.25',
'File Name ' => 'sh',
'Directory ' => '/bin',
'File Size ' => '110 kB',
'File Modification Date/Time ' => '2016:07:05 23:59:04+02:00',
'File Access Date/Time ' => '2016:12:14 10:44:49+01:00',
'File Inode Change Date/Time ' => '2016:07:10 17:50:26+02:00',
'File Permissions ' => 'rwxr-xr-x',
'File Type ' => 'ELF shared library',
'File Type Extension ' => 'so',
'MIME Type ' => 'application/octet-stream',
'CPU Architecture ' => '64 bit',
'CPU Byte Order ' => 'Little endian',
'Object File Type ' => 'Shared object file',
'CPU Type ' => 'AMD x86-64',
'ExitStatus' => 0
];
or similar.
> return $data;
> }
> echo json_encode(exifTool());
> ?>
Omit the last line: <http://www.php-fig.org/psr/psr-2/#2-2-files>
> the script is not missing one file. even if I hardcode the path within
> the script has for example :
> $data['PATH'] = '/Users/yt/Sites/tests/Flipping_image/photos/glasgow.jpg';
>
> i get absolutely nothing. no errors.
There may be no error messages, but certainly there is an _$ExitStatus_ (as
your fellow anti-social address munger, “J.O. Aho”, said).
Also, $data is only filled if there are exactly two fields. Maybe that is
the problem – in addition to the many other problems with this code.
--
PointedEars
Zend Certified PHP Engineer <http://www.zend.com/en/yellow-pages/ZEND024953>
<https://github.com/PointedEars> | <http://PointedEars.de/wsvn>
Twitter: @PointedEars2 | Please do not cc me./Bitte keine Kopien per E-Mail.
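
The hardening points raised in the reply above (escapeshellarg(), not exposing arbitrary files, the JSON media type, reporting the exit status) combined in one handler, as an added example that is not code from the thread. $PHOTO_DIR, the helper function names and the response layout are assumptions; it needs PHP 7.1 or later and uses exiftool's -json option in place of splitting the text output.

```php
<?php
// Added example, not code from the thread. $PHOTO_DIR and the helper names are assumptions.
$EXIFTOOL  = '/usr/local/bin/exiftool';
$PHOTO_DIR = '/Users/yt/Sites/tests/Flipping_image/photos';  // only directory clients may query

/** Canonical path if $requested is a regular file inside $baseDir, otherwise null. */
function resolvePhoto(string $requested, string $baseDir): ?string
{
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($requested);   // resolves symlinks and "..", false if missing
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Compare with a trailing separator so ".../photos-private" does not pass as ".../photos".
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

/** escapeshellarg() keeps each argument a single shell word, whatever it contains. */
function buildCommand(string $exiftool, string $path): string
{
    // -json: exiftool emits JSON itself, so no splitting of text output on " : ".
    return escapeshellarg($exiftool) . ' -json ' . escapeshellarg($path);
}

function respond(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
}

$raw  = $_GET['PATH'] ?? '';
$path = is_string($raw) ? resolvePhoto($raw, $PHOTO_DIR) : null;
if ($path === null) {
    respond(404, ['error' => 'not found']);  // same reply for "missing" and "outside the directory"
    exit;
}
exec(buildCommand($EXIFTOOL, $path), $lines, $exitStatus);
$tags = json_decode(implode("\n", $lines), true);
if ($exitStatus !== 0 || !is_array($tags)) {
    respond(500, ['error' => 'exiftool failed', 'ExitStatus' => $exitStatus]);
    exit;
}
respond(200, ['ExitStatus' => $exitStatus, 'tags' => $tags[0] ?? []]);
```

Because realpath() always returns an absolute path, the argument handed to exiftool starts with "/" and cannot be read as one of its options; a request for /bin/sh gets the same 404 as a nonexistent file.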