php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #61440 proc_open() and shell escaping
Submitted: 2012-03-19 18:23 UTC Modified: 2021-02-08 14:14 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: aschulz4587 at gmail dot com Assigned: cmb (profile)
Status: Closed Package: Program Execution
PHP Version: 5.4.0 OS: Vista/Win 7
Private report: No CVE-ID: None
 [2012-03-19 18:23 UTC] aschulz4587 at gmail dot com
Description:
------------
proc_open() does not seem to handle shell escaping of the script paths properly.

Test script:
---------------
<?php

$pipes = array();
$process = proc_open(
        '"php" "--version"',
        #'php "--version"',
        array(
                0 => array( 'pipe', 'r' ), // input
                1 => array( 'pipe', 'w' ), // output
                2 => array( 'file', 'NUL', 'a' ) // error
        ),
        $pipes // respective outputs
);
 
fclose( $pipes[0] );
var_dump( stream_get_contents( $pipes[1] ) );
 
fclose( $pipes[1] );
proc_close($process);

Expected result:
----------------
$ php shelltest.php
string(147) "PHP 5.3.4 (cli) (built: Dec 16 2010 00:06:20)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
"

Actual result:
--------------
$ php shelltest.php
string(0) ""

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-03-19 18:24 UTC] aschulz4587 at gmail dot com
Note that this works if the bypass_shell flag it set. Also, popen() does not suffer from this problem.
 [2021-02-08 14:14 UTC] cmb@php.net
-Status: Open +Status: Closed -Package: CGI/CLI related +Package: Program Execution -Assigned To: +Assigned To: cmb
 [2021-02-08 14:14 UTC] cmb@php.net
This is fixed as of PHP 8.0.0[1], but that fix cannot be
backported for BC reasons.  If you need to go through the shell,
enclose the commandline in additional double-quotes, prior to PHP
8.0.0:

    '""php" "--version""',

[1] <https://github.com/php/php-src/commit/9ca449e0a803cb9d1d40fd6b83f2da1e6a7b46d9>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 10 08:01:27 2024 UTC