|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2009-10-12 16:57 UTC] soner at comixwall dot org
Description:
------------
When shell command returns a specially crafted string, I get an empty
array as $output of exec(), instead of the string. I can very easily
reproduce this issue, please see below for test code.
Reproduce code:
---------------
Put the following lines in bug.php:
<?php
exec('php echostr.php', $output);
print_r($output);
?>
Then put the contents at the following link in echostr.php:
http://comixwall.org/dmdocuments/echostr
Expected result:
----------------
When you execute bug.php, you will get an empty array printed out:
Array
(
)
Actual result:
--------------
Actually, $output should have contained the string above as element 0 of the array.
If you delete or add a character in the string, exec() runs correctly and you get the intended result. So the issue is specific to this special string.
The problem is not with the size of the string, because much longer strings are fine.
Also this issue does *not* exists with passthru(), shell_exec() functions and backtick operator. Furthermore, exec() return value, i.e. the last line of shell command output seems fine too (it contains the string correctly). So I believe the issue is internal to exec(), effecting $output contents only.
As you can guess, this string is in fact serialized openvpn startup log lines (I just escaped the single quotes for testing purposes, that's all), it is not some manually crafted string. Therefore, it is possible that I may get more than one similar situation in the future.
I have confirmed this issue on OpenBSD, Linux, and Windows. Here are the versions:
OpenBSD:
PHP 5.2.8 with Suhosin-Patch 0.9.6.3 (cli) (built: Mar 1 2009 10:26:06)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
with Suhosin v0.9.27, Copyright (c) 2007, by SektionEins GmbH
Linux:
PHP 5.2.6-3ubuntu4.2 with Suhosin-Patch 0.9.6.2 (cli) (built: Aug 21 2009 21:43:13)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
Windows:
PHP 5.2.11 (cli) (built: Sep 16 2009 19:39:46)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
Since Windows version is without Suhosin patch, suhosin as culprit is ruled out. (Also to test on Windows, I changed the exec shell command as 'php.exe echostr.php' of course.)
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 11:01:29 2024 UTC |
The trick is that the string which is output is 4095 bytes long. exec("printf %4095d 1", $output); print_r($output);From exec.c:125: while (php_stream_get_line(stream, ... b, EXEC_INPUT_BUF, &bufl)) { /* no new line found, let's read some more */ if (b[bufl - 1] != '\n' && !php_stream_eof(stream)) { ... continue; ... add_next_index_stringl(array, buf, bufl, 1); php_stream_get_line reads all the data. No newline is found, because there is none. The reading has not yet triggered php_stream_eof, because reading has stopped just before the bytes ran out. Loop starts again. php_stream_get_line now reads no bytes at all, because no bytes are left. Loop quits without adding the string to the array.