Request #13843 add the execv functionality to PHP
Submitted: 2001-10-26 21:29 UTC Modified: 2010-12-31 21:21 UTC
Avg. Score:4.6 ± 0.7
Reproduced:9 of 9 (100.0%)
Same Version:3 (33.3%)
Same OS:7 (77.8%)
From: a dot genkin at toronto dot edu Assigned:
Status: Not a bug Package: Program Execution
PHP Version: 4.0.6 OS: Unix
Private report: No CVE-ID: None
 [2001-10-26 21:29 UTC] a dot genkin at toronto dot edu
4.0.6 (safe mode), Apache 1.3.20, running as server module, under Solaris 8/Sparc

When passing arguments to an executable with either exec(), system() or passthru(), special shell characters are escaped automatically, and I have no control over it.  As a result, I am unable to pass to the executable a parameter containing white space (such as a file name with spaces), because I cannot surround it with quotes or backslash the spaces (the automatic escaping protects the quotes or backslash from the shell).

Another consequence is that I cannot use shell redirection symbols (e.g. 2>&1): they get escaped, too, and the executable receives the string "2>&1" as one of its parameters.

If I use escapeshellarg() for each argument (as I should), the single quotes put around the argument by that function are passed over as part of the argument.  For example:

$arg = escapeshellarg("/var/www/data/foo bar.txt");
passthru( "/var/www/bin/myprog $arg" );

Produces the following output from myprog:

'/var/www/data/foo: No such file or directory
bar.txt': No such file or directory

I suspect that this bug may be specific to Solaris, since I could not reproduce the same behaviour under identical configuration under FreeBSD.

Hoping for a fix in the upcoming release,
Arcady Genkin

 [2001-10-29 16:09 UTC] a dot genkin at toronto dot edu
I've looked into this further, and here's the scoop.  Under safe mode, php uses php_escape_shell_cmd() function to escape any command passed to program execution functions.  As a result, if I pass a command like this:

  /www/bin/foo "bar c" 2>&1

it will turn it into

  /www/bin/foo \"bar c\" 2\>\&1

I, as a PHP developer, have no control over this under safe mode.  Among other things, this means that I cannot pass my program an argument containing spaces, nor can I use shell redirection machinery.

I propose a patch like below to inhibit this automatic escaping.

diff -rc php-4.0.6-orig/ext/standard/exec.c php-4.0.6/ext/standard/exec.c
*** php-4.0.6-orig/ext/standard/exec.c  Mon Apr 30 08:43:39 2001
--- php-4.0.6/ext/standard/exec.c       Mon Oct 29 15:31:06 2001
*** 92,100 ****
                        *c = ' ';
                        strncat(d, c, overflow_limit);
-               tmp = php_escape_shell_cmd(d);
-               efree(d);
-               d = tmp;
                sig_handler = signal (SIGCHLD, SIG_DFL);
--- 92,97 ----
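Review bot: deleting the php_escape_shell_cmd(d) call that follows strncat(d, c, overflow_limit) removes the only escaping visible on this path and puts nothing in its place, so everything the caller appends after the program name (;, |, backticks, redirections) would reach the shell as syntax rather than as data. The stated goal is arguments containing spaces and access to standard error; both can be met without dropping the escape, for example by escaping each argument separately or by executing an argument array without a shell. If tmp has no other use in this function, its declaration should be removed together with these three lines.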

 [2001-10-29 16:14 UTC]
Well, not being able to use shell redirection and command line args in safe-mode makes a lot of sense.  You could trivially circumvent the safe-mode restrictions if you were allowed to do this.  Basically safe-mode only allows system calls to very limited things.  Basically prepared scripts placed in the safe-mode-exec-dir.  I don't see how we could allow arguments and redirects and still maintain the point behind safe-mode.
 [2001-10-29 16:14 UTC] a dot genkin at toronto dot edu
I forgot to add that it appears that this bug is not Solaris-specific, but, rather, safe mode specific.
 [2001-10-29 16:23 UTC] a dot genkin at toronto dot edu
Rasmus, what you are saying about shell redirection being a threat under safe mode makes sense.  But how about being able to pass parameters with spaces in them?  I cannot see any security implication in that...

In any case, I want to be able to read standard error from the command I'm executing...

How about providing a PHP variant of C's execv() in PHP, so that I could pass it an array of parameters?  And, perhaps, add a flag to existing program execution functions to duplicate standard error to standard in.
 [2001-10-29 16:27 UTC] a dot genkin at toronto dot edu
Rats! I meant to say "to standard out" in the last sentence.
 [2002-01-24 04:44 UTC] veins at skreel dot org
I understand that pipes and redirections could break the point of using safe_mode but, what I can't understand, is how a space in an argument can make the system vulnerable...
 [2002-01-24 04:52 UTC]
The space is usually not a problem, but a ; is.
However execv is a nice idea, making this into a feature request.

 [2005-08-20 01:14 UTC] cira at mercenarylabs dot com
After much configuration, I was able to write a dynamic shell script containing shell redirection symbols, and then run the script using exec(), system(), or passthru().

It's not the best solution, but if you wish to run more complex calls to the system in safe mode, dump the commands to a file and then use PHP to exec that file.

 [2010-12-31 21:21 UTC]
-Status: Open +Status: Bogus -Package: Feature/Change Request +Package: Program Execution
 [2010-12-31 21:21 UTC]
Same as bug #10937 is about.