php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #61440 proc_open() and shell escaping
Submitted: 2012-03-19 18:23 UTC Modified: -
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: aschulz4587 at gmail dot com Assigned:
Status: Open Package: CGI/CLI related
PHP Version: 5.4.0 OS: Vista/Win 7
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2012-03-19 18:23 UTC] aschulz4587 at gmail dot com
Description:
------------
proc_open() does not seem to handle shell escaping of the script paths properly.

Test script:
---------------
<?php

$pipes = array();
$process = proc_open(
        '"php" "--version"',
        #'php "--version"',
        array(
                0 => array( 'pipe', 'r' ), // input
                1 => array( 'pipe', 'w' ), // output
                2 => array( 'file', 'NUL', 'a' ) // error
        ),
        $pipes // respective outputs
);
 
fclose( $pipes[0] );
var_dump( stream_get_contents( $pipes[1] ) );
 
fclose( $pipes[1] );
proc_close($process);

Expected result:
----------------
$ php shelltest.php
string(147) "PHP 5.3.4 (cli) (built: Dec 16 2010 00:06:20)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
"

Actual result:
--------------
$ php shelltest.php
string(0) ""

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-03-19 18:24 UTC] aschulz4587 at gmail dot com
Note that this works if the bypass_shell flag it set. Also, popen() does not suffer from this problem.
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC