0

I've set up a small web app that passes user data to a python script. Python is supposed to go to work, create a file on the webserver, and allow the user to download it. However, the script execution seems to stop where the Python write() command is issued.

Python:

print("Writing to '" + filename + "'")
f = open('backups/' + filename, 'w')
f.write(self.output())
f.close()
print("Done!")

PHP:

$user = escapeshellarg($_POST['user']);
$password = escapeshellarg($_POST['password']);
$command = './backup.py '.$user.' '.$password;
print(exec($command));

Actual result:

  1. Python does create a file in the desired directory but it remains empty. 2. Python never outputs "Done!" (Because permissions are denied)

Expected result:

  1. Python creates a file with data
  2. Python proceeds to print "Done!" which is output to the calling PHP script

I've done the following:

  1. www-data has group write permissions (drwxrwsr-x) for the directory ./backup
  2. The #!/usr/bin/env python3 shebang is present in the python file
  3. The python file is executable
  4. When I change to user www-data with sudo su www-data and then start the php commandline, and enter the above command invoking my Python script, the file is created correctly!
  5. If I start a builtin php server, it also works fine, only if the php script is handled through apache, it doesn't work
asked Dec 4, 2017 at 18:21
5
  • You might be over-escaping things here. The escapeshellarg calls should be sufficient. escapeshellcmd might add additional escaping that breaks things. Commented Dec 4, 2017 at 18:25
  • thanks for the suggestion, I removed the extra escapes. However the script still fails to write to the file. It seems to be able to create the file, so I think permissions are all right? Commented Dec 5, 2017 at 2:53
  • it works fine if the website is served through the php builtin server (php -S localhost:8000), but not if it is served through Apache Commented Dec 5, 2017 at 6:31
  • You should be using escapeshellarg like you did before. The second call to escapeshellcmd was the one that was erroneous. I'd test this with filenames like Program Files/(Untitled 2).txt and ; touch ~/hacked.txt Commented Dec 5, 2017 at 19:36
  • oh ok, thanks; changed. But in the end that was not what mattered, see my answer below. Commented Dec 6, 2017 at 2:03

1 Answer 1

1

I have officially wasted an entire day of my life on this.

The permissions were all right. What was happening is that the python script failed ONLY if it was being invoked through my php script and ONLY if that was being served by Apache.

Looking through the Apache error log revealed that the python script failed because it could not write bytes to the file and ascii conversion failed because there was unicode data in the output.

So doing f = open(filename, 'wb') solved the issue.

This behaviour was not observed on my development machine or through the built-in PHP server. Still wonder why there's a difference in file handling. Would appreciate an answer if anyone has one.

answered Dec 5, 2017 at 6:50
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.