ID: php-security/laravel-mail-command-injection
Language: PHP
Severity: Error
Category: Security
CWE: 78
Command injection is a type of attack where the attacker can execute arbitrary commands on the host operating system. This can lead to severe damage such as data loss, corruption, or unauthorized access to sensitive data.
Command injection can occur if user-controlled data is used unsanitized in the parameters of functions like mail() or mb_send_mail(). This can allow an attacker to manipulate the email sending process or execute arbitrary commands.
To adhere to this rule and avoid potential command injections, it is good coding practice to always sanitize user input before using it in your functions. For email parameters, avoid concatenating user input directly into the command string. Instead, use a fixed string or sanitize the user input using appropriate PHP functions to ensure it does not contain any malicious content. This will help maintain the security and integrity of your PHP applications.
Non-compliant code examples

<?php
// $to, $title, $content and $headers are assumed to be defined elsewhere in these examples.
class Foo extends Controller {
    public function sendEmail($column, $recipient) {
        $title = mb_convert_encoding($title, "UTF-8", "SJIS");
        $content = mb_convert_encoding($content, "UTF-8", "SJIS");
        // Non-compliant: $column comes from the request and is concatenated into the sendmail command line.
        $email_params = "-f " . $column;
        $result = mail($to, $title, $content, $headers, $email_params);
        return view('user.profile', ['recipient' => $recipient]);
    }
}

Route::post('/products/{product}', function ($product) {
    // Non-compliant: the route parameter reaches mb_send_mail()'s additional parameters unsanitized.
    $extra_params = "-f " . $product;
    $result = mb_send_mail($to, $title, $content, $headers, $extra_params);
    return view('product.details', ['outcome' => $result]);
});
Compliant code examples

<?php
// $to, $title, $content and $headers are assumed to be defined elsewhere in these examples.
class Bar extends Controller {
    public function sendEmail($column, $recipient) {
        $title = mb_convert_encoding($title, "UTF-8", "SJIS");
        $content = mb_convert_encoding($content, "UTF-8", "SJIS");
        // Compliant: a fixed envelope sender; no request data enters the command string.
        $email_params = "-f name@example.com";
        $result = mail($to, $title, $content, $headers, $email_params);
        return view('user.profile', ['recipient' => $recipient]);
    }
}

Route::post('/products/{product}', function ($product) {
    // Compliant: the route parameter is not used in the additional parameters at all.
    $extra_params = "-f name@example.com";
    $result = mb_send_mail($to, $title, $content, $headers, $extra_params);
    return view('product.details', ['outcome' => $result]);
});
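As an added example (not from the Datadog rule page or from Laravel), the following shows how to keep request data out of the additional-parameters string when the envelope sender cannot be a single hard-coded value: the sender is picked from an application-owned allowlist and, as defense in depth, vetted by a helper before it is passed to mail(). The function names, the allowlist and the mailbox addresses are constructed for illustration; the note about PHP's internal escaping comes from the PHP manual for mail().

```php
<?php
declare(strict_types=1);

/**
 * Returns a "-f<address>" string for a vetted envelope sender, or null if the
 * value is not an acceptable mailbox. PHP runs this parameter through
 * escapeshellcmd() internally, which blocks shell metacharacters but does not
 * stop extra command-line *arguments* from being appended, so whitespace and
 * option-like prefixes have to be rejected here.
 */
function envelopeSenderParam(string $candidate): ?string
{
    $candidate = trim($candidate);
    // Only a syntactically valid single mailbox: no display name, no comments.
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Defense in depth: refuse anything sendmail could read as an option or as
    // a second argument (leading dash, any whitespace, control characters).
    if (preg_match('/^-|[\s\x00-\x1f\x7f]/', $candidate)) {
        return null;
    }
    // No space between -f and the address, so the value cannot split into a
    // separate argv entry.
    return '-f' . $candidate;
}

/**
 * Hypothetical controller-style helper: the request supplies only a key into a
 * fixed allowlist of mailboxes the application owns. The request value itself
 * is never concatenated into the command string.
 */
function sendNotification(string $to, string $subject, string $body, string $senderKey): bool
{
    $allowedSenders = [                 // constructed sample allowlist
        'support' => 'support@example.com',
        'billing' => 'billing@example.com',
    ];
    $sender = $allowedSenders[$senderKey] ?? 'noreply@example.com';

    $params = envelopeSenderParam($sender);
    if ($params === null) {
        return false;                   // misconfigured sender: fail closed, never fall back to raw input
    }
    $headers = "From: {$sender}\r\nContent-Type: text/plain; charset=UTF-8";
    return mail($to, $subject, $body, $headers, $params);
}
```

With this structure the only value that reaches the sendmail command line is one of the allowlisted addresses, and a typo in the allowlist (such as an address containing whitespace) makes the send fail rather than alter the command.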