php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #68598 pcntl_exec() should not allow null char
Submitted: 2014-12-12 22:51 UTC Modified: 2015-05-19 11:22 UTC
From: yohgaki@php.net Assigned: yohgaki (profile)
Status: Closed Package: PCNTL related
PHP Version: Irrelevant OS: ANY
Private report: No CVE-ID: 2015-4026
 [2014-12-12 22:51 UTC] yohgaki@php.net
Description:
------------
pcnt_exec() does not check path validity. It should not allow NULL char, just like other file related functions.

I think exec() should not allow NULL char, too.

I'll prepare the patch.
Any comments?


Test script:
---------------
<?php
$path = "/bin/rm\0/usr/local/bin/my_special_program";
$opts = array('my_important_file');
if (!mb_ereg('my_special_program\z', $path)) {
   die('Go away');
}

pcntl_exec($path, $opts);




Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-12-29 01:30 UTC] yohgaki@php.net
-Summary: pcntl_exec() should allow null char +Summary: pcntl_exec() should not allow null char
 [2015-05-15 09:43 UTC] yohgaki@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: yohgaki
 [2015-05-15 09:43 UTC] yohgaki@php.net
fixed in PHP 5.4.41/5.5.25/5.6.9
 [2015-05-19 05:34 UTC] laruence@php.net
-CVE-ID: +CVE-ID: 2015-402
 [2015-05-19 11:22 UTC] kaplan@php.net
-CVE-ID: 2015-402 +CVE-ID: 2015-4026
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 03 17:01:26 2024 UTC