php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #68599 exec()/passthru() function should use execv, execve
Submitted: 2014-12-12 23:02 UTC Modified: 2020-01-27 14:01 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: yohgaki@php.net Assigned: yohgaki (profile)
Status: Assigned Package: Program Execution
PHP Version: Irrelevant OS: ANY
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: yohgaki@php.net
New email:
PHP Version: OS:

 

 [2014-12-12 23:02 UTC] yohgaki@php.net 
Description:
------------
I suppose pcntl module is not available because of signal handling.
https://bugs.php.net/bug.php?id=50116

Since exec() is using exec system call, exec() is extremely vulnerable to mistakes.    

Change

string exec ( string $command [, array &$output [, int &$return_var ]] )
void passthru ( string $command [, int &$return_var ] )

to 

string exec ( string $command [, array &$output [, int &$return_var [, $args [, $env]]]] )
void passthru ( string $command [, int &$return_var [, $args [, $env]]] )

Use evecv if $args is passed, use execve if $env is passed.
Any comments? Especially for windows?

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-12-30 08:29 UTC] stas@php.net
-Type: Security +Type: Feature/Change Request -Package: Unknown/Other Function +Package: Program Execution
 [2014-12-30 08:29 UTC] stas@php.net 
Not sure why is it a security issue?
 [2015-01-22 22:03 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2015-01-22 22:03 UTC] yohgaki@php.net 
Stas, it's not direct security issue since user may execute commands safely with exec.

However, writing secure command with arguments is not trivial work as it seems. execv, execve is much easier/safer than exec. It would be only master improvement. (It's security improvement, IMHO)

If no one objects, I'll write patch. Things that I'm not sure is why pcntl is enabled only in CLI. It's because signal handling I suppose. Is there any other reasons?
 [2015-01-23 05:12 UTC] pajoye@php.net 
Not a security issue,remove private flag
 [2015-01-23 05:17 UTC] pajoye@php.net 
I am not totally sure what this request tries to change or what you ask for windows.

The changes I see here are already supported with proc_open and the likes.

On windows it does not matter much as CreateProcess is used for all these functions and has the env parameter.
 [2015-02-03 07:10 UTC] yohgaki@php.net 
@pajoye
The issue is escapeshellarg() has issues like non-ascii chars and there are too many shells. We don't really know how to escape perfectly for all shells. 

Instead of trying to escape right, we may just provide execv/execve.

I'll check proc_open() code and write patch. If it has issues on windows, please fix them :)
 [2020-01-27 14:01 UTC] cmb@php.net 
For what it's worth, as of PHP 7.4.0 proc_open() also accepts an
array[1].

[1] <https://www.php.net/manual/en/migration74.new-features.php#migration74.new-features.standard.proc-open>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 18:01:29 2024 UTC