Bug #61440 proc_open() and shell escaping
Submitted: 2012-03-19 18:23 UTC Modified: 2021-02-08 14:14 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: aschulz4587 at gmail dot com Assigned: cmb (profile)
Status: Closed Package: Program Execution
PHP Version: 5.4.0 OS: Vista/Win 7
Private report: No CVE-ID: None
 [2012-03-19 18:23 UTC] aschulz4587 at gmail dot com
Description:
------------
proc_open() does not seem to handle shell escaping of the script paths properly.

Test script:
---------------
<?php

$pipes = array();
$process = proc_open(
        '"php" "--version"',
        #'php "--version"',
        array(
                0 => array( 'pipe', 'r' ), // input
                1 => array( 'pipe', 'w' ), // output
                2 => array( 'file', 'NUL', 'a' ) // error
        ),
        $pipes // respective outputs
);
 
fclose( $pipes[0] );
var_dump( stream_get_contents( $pipes[1] ) );
 
fclose( $pipes[1] );
proc_close($process);

Expected result:
----------------
$ php shelltest.php
string(147) "PHP 5.3.4 (cli) (built: Dec 16 2010 00:06:20)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
"

Actual result:
--------------
$ php shelltest.php
string(0) ""

 [2012-03-19 18:24 UTC] aschulz4587 at gmail dot com
Note that this works if the bypass_shell flag is set. Also, popen() does not suffer from this problem.
 [2021-02-08 14:14 UTC] cmb@php.net
-Status: Open
+Status: Closed
-Package: CGI/CLI related
+Package: Program Execution
-Assigned To:
+Assigned To: cmb
 [2021-02-08 14:14 UTC] cmb@php.net
This is fixed as of PHP 8.0.0[1], but that fix cannot be
backported for BC reasons.  If you need to go through the shell,
enclose the commandline in additional double-quotes, prior to PHP
8.0.0:

    '""php" "--version""',

[1] <https://github.com/php/php-src/commit/9ca449e0a803cb9d1d40fd6b83f2da1e6a7b46d9>
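
The two workarounds mentioned in this report (the additional double quotes before PHP 8.0.0, and the bypass_shell option), as an added example that is not part of the original report or of php-src. The helper names `shell_cmdline_compat()` and `run_and_capture()` are hypothetical, and the script assumes a `php` binary is on the PATH.

```php
<?php
// Added example: hypothetical helpers, not code from php-src.

// Adjust a command line that starts with a quoted program name so that it
// survives the shell on Windows builds older than PHP 8.0.0.
function shell_cmdline_compat($cmdline)
{
    $isWindows = DIRECTORY_SEPARATOR === '\\';
    if ($isWindows && PHP_VERSION_ID < 80000) {
        // Workaround from this report: one additional pair of double quotes.
        return '"' . $cmdline . '"';
    }
    // PHP >= 8.0.0 (fixed) or non-Windows: pass the command line unchanged.
    return $cmdline;
}

// Run a command with the same descriptor layout as the test script above
// and return its stdout, or false if the process could not be started.
function run_and_capture($cmdline, array $options = array())
{
    $nullDevice = DIRECTORY_SEPARATOR === '\\' ? 'NUL' : '/dev/null';
    $spec = array(
        0 => array('pipe', 'r'),              // input
        1 => array('pipe', 'w'),              // output
        2 => array('file', $nullDevice, 'a'), // error
    );
    $pipes = array();
    $process = proc_open($cmdline, $spec, $pipes, null, null, $options);
    if (!is_resource($process)) {
        return false;
    }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($process);
    return $out;
}

$cmd = '"php" "--version"';

// 1. Through the shell, with the version-dependent extra quoting.
var_dump(run_and_capture(shell_cmdline_compat($cmd)));

// 2. Without the shell (bypass_shell only has an effect on Windows).
var_dump(run_and_capture($cmd, array('bypass_shell' => true)));
```

The extra quotes only repair how the shell parses the outer command line; any variable argument placed inside `$cmd` still has to be escaped separately, for example with `escapeshellarg()`.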
 