Bug #73151 shell_exec could produce string larger than 2GB
Submitted: 2016-09-23 15:32 UTC Modified: 2017-02-13 01:17 UTC
From: nguyenluan dot vnn at gmail dot com Assigned: stas (profile)
Status: Closed Package: Strings related
PHP Version: 5.6.26 OS:
Private report: No CVE-ID: None
 [2016-09-23 15:32 UTC] nguyenluan dot vnn at gmail dot com
Description:
------------
Function shell_exec declares total_readbytes as size_t, then later checks for total_readbytes > 0. This could lead to an output string larger than INT_MAX.

PHP_FUNCTION(shell_exec)
{
	FILE *in;
	size_t total_readbytes;
	char *command;
	int command_len;
	char *ret;
	php_stream *stream;

	...
        ...

	stream = php_stream_fopen_from_pipe(in, "rb");
	total_readbytes = php_stream_copy_to_mem(stream, &ret, PHP_STREAM_COPY_ALL, 0);
	php_stream_close(stream);

	if (total_readbytes > 0) {
		RETVAL_STRINGL(ret, total_readbytes, 0);  /* <- could produce string larger than 2GB */
	}
}


Test script:
---------------
Python script to create test file:
#! /usr/bin/env python

f = open('html.html', 'w');
f.write('<html>')

for _ in range(0x100):
    f.write('<p>')
    for _ in range(0x100):
        f.write('a'*(0x8000))
    f.write('</p>')

f.write('</html>')
f.close()


PHP script:
<?php
    ini_set("memory_limit", -1);
    
    $str = shell_exec('python -c "f = open(\'html.html\');data=f.read();f.close();print data"');
    
    var_dump(strlen($str));
?>

Expected result:
----------------
No string returned.

Actual result:
--------------
gdb-peda$ r ../test/string/test_shellexec.php 
Starting program: /home/user/Desktop/php-5.6.26/sapi/cli/php ../test/string/test_shellexec.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New process 13361]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
process 13361 is executing new program: /bin/dash
[New process 13362]
process 13362 is executing new program: /usr/bin/python2.7
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Inferior 3 (process 13362) exited normally]

int(-2147481842) <- string larger than 2Gb
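
The narrowing described in this report, as an added example (not PHP source and not the committed fix): a simplified `php5_str` with a signed `int` length stands in for the PHP 5 string value, and `store_unchecked` / `store_checked` are hypothetical helpers. The byte count derived from the test script wraps to the `int(-2147481842)` shown above, while the bounded variant returns no string.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for a PHP 5 string value: the length is a signed int. */
struct php5_str { const char *val; int len; };

/* Bytes the reproducer pipes back: html.html plus the newline from print. */
static size_t repro_output_size(void) {
    size_t para = 3 + (size_t)0x100 * 0x8000 + 4;  /* <p> + payload + </p> */
    return 6 + (size_t)0x100 * para + 7 + 1;       /* <html> ... </html> \n */
}

/* Pattern from the report: only "> 0" is tested before the count is stored. */
static int store_unchecked(struct php5_str *s, const char *buf, size_t n) {
    if (n == 0)
        return -1;
    s->val = buf;
    s->len = (int)n;  /* narrowing: wraps negative on common ABIs past INT_MAX */
    return 0;
}

/* Bounded variant (assumed fix shape): reject what an int length cannot hold. */
static int store_checked(struct php5_str *s, const char *buf, size_t n) {
    if (n == 0 || n > (size_t)INT_MAX)
        return -1;    /* caller frees buf and returns no string */
    s->val = buf;
    s->len = (int)n;
    return 0;
}

/* Helpers: inspect the outcome without allocating a real 2 GB buffer. */
static int len_after_unchecked(size_t n) {
    struct php5_str s = { NULL, 0 };
    store_unchecked(&s, "", n);
    return s.len;
}

static int status_checked(size_t n) {
    struct php5_str s = { NULL, 0 };
    return store_checked(&s, "", n);
}

int main(void) {
    size_t n = repro_output_size();
    printf("bytes read %zu, unchecked len %d, checked status %d\n",
           n, len_after_unchecked(n), status_checked(n));
    return 0;
}
```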


 [2016-09-26 03:00 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-09-26 03:00 UTC] stas@php.net
Doesn't look like a security issue; shell_exec return is not something that would be remotely controlled.
 [2016-09-26 12:50 UTC] nguyenluan dot vnn at gmail dot com
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2016-09-26 12:50 UTC] nguyenluan dot vnn at gmail dot com
PHP 5 does not allow any string larger than 2GB.

Like this bug https://bugs.php.net/bug.php?id=72807, I think this should be considered a security issue.
 [2016-11-04 05:55 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2016-11-04 05:55 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2017-02-13 01:17 UTC] stas@php.net
-Type: Security +Type: Bug
 
Last updated: Sat Dec 21 17:01:58 2024 UTC