php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #18291 exec() arguments (+suggested solution)
Submitted: 2002-07-11 22:44 UTC Modified: 2003-08-05 15:17 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: php dot hc at saustrup dot net Assigned:
Status: Closed Package: Program Execution
PHP Version: 4.3.3RC2-dev OS: RedHat Linux 7.3
Private report: No CVE-ID:
 [2002-07-11 22:44 UTC] php dot hc at saustrup dot net
This kept me up all night :-) I needed to pass a textstring to an external program, and did something like this in PHP:

exec('/usr/bin/binary 1 2 3 "a b c" 4 5 6');

It kept screwing up, and after debugging it I realized that the exec() function actually called /usr/bin/binary with 9 arguments, and not 7 as I thought it would. Apparently PHP's exec() just splits up the string where it finds whitespaces and thinks they're different arguments. I'm not sure about the proper solution, but it would be awesome with a more "strict" exec()-like function that could work something like this:

newexec('/usr/bin/binary',array('1','2','3','a b c','4','5','6'));

That way, there would be NO doubt about the arguments :-)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-07-12 18:51 UTC] sniper@php.net
FYI: PHP uses popen(), not execve()..

In 4.2.1 there is pcntl_exec() which behaves similarly to
the system execve. Maybe that's what you want to use..?


Try these scripts:

shell_args_1arg.php:
<?php echo exec('./test.sh "213 123"'); ?>

shell_args_2arg.php:
<?php echo exec('./test.sh 213 123'); ?>

test.sh:
<----8<---->
#!/bin/sh

echo $1
<----8<---->


 [2002-07-19 20:09 UTC] php dot hc at saustrup dot net
I tried what you suggested, and this is what came out:

Script 1: "213
Script 2: 213

I'm a security freak, so I have safe_mode enabled. Apparently safe_mode is infact the cause of this error, because when I disabled it in php.ini, the two scripts worked like you suggested:

Script 1: 213 123
Script 2: 213

Please test this yourself and post the results.
 [2002-07-19 20:56 UTC] sniper@php.net
Seems like safe-mode does mess up the parameters.
I'm not sure if this is actually the correct behaviour...

 [2003-07-10 21:46 UTC] sniper@php.net
Here you can find possible fix for this problem: http://www.netwake.de/bug18291.diff

(thanks to Thomas Lamy)

 [2003-08-05 15:17 UTC] iliaa@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 00:01:21 2014 UTC