
"ps aux" output on the webpage?

Developer https://www.devze.com 2023-03-19 00:58 Source: web
I am wondering is this safe way to put ps aux into array and then display on the web? Or what could be done to improve it?


Example:

<table width="900px" border="1">
    <tr> 
        <td> PID </td>
        <td> CPU </td>
        <td> Mem </td>
        <td> Start </td>
        <td> Command</td>
    </tr>
    <?php
    // Lines of "ps aux" matching process.php (the grep itself is filtered out).
    exec("ps aux | grep -v grep | grep  process.php", $psOutput);
    if (count($psOutput) > 0) {
        foreach ($psOutput as $ps) {
            // ps aux columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
            $ps = preg_split('/ +/', $ps);
            $pid = $ps[1];
            $cpu = $ps[2];
            $mem = $ps[3];
            $time = $ps[8];
            // COMMAND is split on spaces too, so re-join the program and its first argument.
            $command = $ps[10] . " " . $ps[11];
            echo "<tr>";
              echo "<td>" . $pid . "</td>";
              echo "<td>" . $cpu . "</td>";
              echo "<td>" . $mem . "</td>";
              echo "<td>" . $time . "</td>";
              echo "<td>" . $command . "</td>";
            echo "</tr>";
        }
    }
    ?>
</table>



Nothing as far as I can tell. If this is the actual code and the command isn't created from user input, there is absolutely nothing wrong with this code, apart from the fact that <table width="900px"> is generally controlled by CSS, not HTML. But that's all the critique I can think of.

EDIT: Quentin makes a very valid point in that you should use htmlspecialchars before displaying in HTML.


  1. Always use htmlspecialchars when displaying text in an HTML document. Someone might be using a < or & character as part of their command line
  2. ps aux will show any commands running on the system — including any where that someone has included a password on the command line
  3. Not a security problem, but the deprecated HTML width attribute takes an integer that is optionally followed by a % character, it doesn't take a CSS length.
  4. Also not a security problem, but you should use table heading elements for your table headings.


To improve it you could simplify your exec a bit.

  • ps can look for process names for you using the -C option.
  • and you could manually list the columns you want to read out using the -o option. That way you will always get predictable output even if the ps aux command changes or whatever.

ps -C php -o pcpu,args | grep process.php

Look at "Standard Format Specifiers" in the ps man page to get all the columns you want.

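Putting the two answers above together (escape every value with htmlspecialchars, and ask ps for a fixed column list with -o), here is a hardened version of the snippet. It is an added example, not code from the question or from any answer; it assumes Linux procps (-C, and the pid/pcpu/pmem/start/args specifiers), that the processes of interest are PHP processes whose argv contains process.php, and that the filter string is a constant in the script, never user input.

```php
<?php
// Added example: hardened form of the question's snippet.
// The exec() string is a fixed literal; the filtering on "process.php" is done
// in PHP, so no request data can ever reach the shell.

function listProcesses(string $needle): array
{
    // "pid=" etc. suppresses the header line, so there is nothing to grep away.
    // The column order is fixed by us, not by the "aux" layout of a given ps.
    // args is last because it is the only field that may contain spaces.
    exec('ps -C php -o pid=,pcpu=,pmem=,start=,args= 2>/dev/null', $lines, $status);
    if ($status !== 0) {
        return [];   // ps failed or nothing matched -C php
    }
    $rows = [];
    foreach ($lines as $line) {
        // Split into exactly 5 fields; the limit keeps the whole argv in the last one.
        $fields = preg_split('/\s+/', trim($line), 5);
        if (count($fields) < 5 || strpos($fields[4], $needle) === false) {
            continue;    // unrelated PHP process, or a malformed line
        }
        $rows[] = [
            'pid' => $fields[0], 'cpu' => $fields[1], 'mem' => $fields[2],
            'start' => $fields[3], 'command' => $fields[4],
        ];
    }
    return $rows;
}

function renderRows(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach (['pid', 'cpu', 'mem', 'start', 'command'] as $key) {
            // A command line may legitimately contain <, & or quotes; escaping
            // keeps them from being parsed as markup by the browser.
            $html .= '<td>' . htmlspecialchars($row[$key], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
        }
        $html .= '</tr>';
    }
    return $html;
}
?>
<!-- width via CSS class, real <th> headings -->
<table class="ps-table" border="1">
    <tr><th>PID</th><th>CPU</th><th>Mem</th><th>Start</th><th>Command</th></tr>
    <?= renderRows(listProcesses('process.php')) ?>
</table>
```

Only the matching PHP processes are listed, which also narrows what the page discloses compared with echoing the full "ps aux" output.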
