php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #44650 escaepshellscmd() does not check arg count
Submitted: 2008-04-06 08:40 UTC Modified: 2008-04-08 17:24 UTC
From: wharmby at uk dot ibm dot com Assigned: iliaa
Status: Closed Package: Scripting Engine problem
PHP Version: 5.2.6RC4 OS: Windows XP
Private report: No CVE-ID:
 [2008-04-06 08:40 UTC] wharmby at uk dot ibm dot com
Description:
------------
Calling escapeshellcmd() with more than 1 argument does not result in
expected warning msg; any spurious arguments are just ignored.

Suggest changing code to:  

PHP_FUNCTION(escapeshellcmd)
{
        zval **arg1;
        char *cmd = NULL;
 
        if (ZEND_NUM_ARGS()!=1 ||  zend_get_parameters_ex(1, &arg1) == FAILURE) 
        {
            WRONG_PARAM_COUNT;
        }
        
        convert_to_string_ex(arg1);
        if (Z_STRLEN_PP(arg1)) {
            cmd = php_escape_shell_cmd(Z_STRVAL_PP(arg1));
            RETVAL_STRING(cmd, 1);
            efree(cmd);
        }
}

or better still the following based on the code now in PHP 6 :

PHP_FUNCTION(escapeshellcmd)
{
    char *command
    int command_len;
    char *cmd = NULL;

   if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &command, &command_len) == FAILURE) {
        return;
    }
	
    if (command_len) {
	cmd = php_escape_shell_cmd(command);
	RETVAL_STRING(cmd, 0);
    } else {
        RETVAL_EMPTY_STRING();
    }
}

Reproduce code:
---------------
<?php
$command= "Mr O'Neil";
$extra_arg = 10;
var_dump( escapeshellcmd($command, $extra_arg) );
?>    

Expected result:
----------------
A warning msg. With suggested fix the following output will  result:

Warning:   escapeshellcmd() expects exactly 1 parameter, 2 given in  <...>  on line nn
NULL
  

Actual result:
--------------
Actual Output:
-------------------
string(9) "Mr O Neil"


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-04-06 13:55 UTC] iliaa@php.net
Will be fixed post 5.2.6
 [2008-04-08 17:24 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 15:02:26 2014 UTC