
I'm interested in using pdftk (the PDF toolkit) by calling it from a PHP script. I intend to use the exec() function for this. The command would follow this format:

pdftk [form_file] fill_form [data_file] output [output_file] flatten

This command takes a form PDF file (form_file), inserts the FDF data from data_file, flattens the form and saves it as output_file.

Here is what I'm thinking of doing to secure the execution of this command via a function like exec():

  • Directory and file names are not user-defined. Directory and file names are generated based on sanitized identifier strings and will only contain alphanumeric characters, dashes, underscores, and periods. The identifier strings will have a limited, practical length.
  • Arguments (filenames) are passed through escapeshellarg() before being concatenated into the command (though this is probably unnecessary if the preceding step is free of vulnerabilities).
  • The entire command is passed through escapeshellcmd().

Am I overlooking any security vulnerabilities when it comes to executing this command? (The only one I can think of now is if there is a vulnerability with pdftk itself and how it processes the files.) Any suggestions to improve this process? Thanks.

Kyle
  • Don't use `escapeshellcmd` on the whole thing if you've already used `escapeshellarg` on individual arguments or you'll end up escaping twice. – Explosion Pills Aug 18 '12 at 04:04
  • @ExplosionPills: Hmm, would it? The documentation for `escapeshellcmd` states "Following characters are preceded by a backslash: #&;\`|*?~<>^()[]{}$\, \x0A and \xFF. ' and " are escaped only if they are not paired." I believe since it states that it only escapes them _if they are not paired_ that it is okay, since `escapeshellarg` would add paired quotes. – Kyle Aug 18 '12 at 04:08
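One way to wire this up, as an added PHP example that is not the asker's code: each path is validated against the identifier rule from the question, escaped exactly once with escapeshellarg(), and escapeshellcmd() is left out as the comments discuss; $baseDir, the identifier names and the .pdf/.fdf suffixes are assumptions.

```php
<?php
// Added example, not code from the question. Assumes pdftk is on PATH and
// that $baseDir is an application-owned directory (assumption).
declare(strict_types=1);

/**
 * Accept only short identifiers made of [A-Za-z0-9._-]. The first character
 * must be alphanumeric or underscore so the name can never start with "." or "-".
 * No slash is allowed, so the name cannot leave $baseDir.
 */
function safe_identifier(string $id): string
{
    if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9._-]{0,63}$/', $id)) {
        throw new InvalidArgumentException("unsafe identifier: $id");
    }
    return $id;
}

/**
 * Build the pdftk command with escapeshellarg() applied once per path.
 * escapeshellcmd() is deliberately not applied to the whole string: it would
 * backslash-escape characters such as $ or ` inside the single-quoted
 * arguments, and inside single quotes that backslash is literal, so a name
 * containing such characters would no longer match the file on disk.
 */
function build_fill_form_command(string $baseDir, string $formId, string $dataId, string $outId): string
{
    $form = $baseDir . '/' . safe_identifier($formId) . '.pdf';
    $data = $baseDir . '/' . safe_identifier($dataId) . '.fdf';
    $out  = $baseDir . '/' . safe_identifier($outId)  . '.pdf';

    return 'pdftk ' . escapeshellarg($form)
         . ' fill_form ' . escapeshellarg($data)
         . ' output ' . escapeshellarg($out)
         . ' flatten';
}

/** Run the command; returns [exit status, output lines] for logging. */
function run_fill_form(string $baseDir, string $formId, string $dataId, string $outId): array
{
    $cmd = build_fill_form_command($baseDir, $formId, $dataId, $outId);
    $output = [];
    $status = 1;
    exec($cmd . ' 2>&1', $output, $status); // merge stderr so failures are visible
    return [$status, $output];
}

// Identifiers here are application-generated placeholders, never raw user input.
[$status, $lines] = run_fill_form('/var/app/forms', 'invoice-2012', 'job-4711', 'job-4711-filled');
```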
