|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #68599 exec()/passthru() function should use execv, execve
Submitted: 2014-12-12 23:02 UTC Modified: 2020-01-27 14:01 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: Assigned: yohgaki (profile)
Status: Assigned Package: Program Execution
PHP Version: Irrelevant OS: ANY
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2014-12-12 23:02 UTC]
I suppose pcntl module is not available because of signal handling.

Since exec() is using exec system call, exec() is extremely vulnerable to mistakes.    


string exec ( string $command [, array &$output [, int &$return_var ]] )
void passthru ( string $command [, int &$return_var ] )


string exec ( string $command [, array &$output [, int &$return_var [, $args [, $env]]]] )
void passthru ( string $command [, int &$return_var [, $args [, $env]]] )

Use evecv if $args is passed, use execve if $env is passed.
Any comments? Especially for windows?


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2014-12-30 08:29 UTC]
-Type: Security +Type: Feature/Change Request -Package: Unknown/Other Function +Package: Program Execution
 [2014-12-30 08:29 UTC]
Not sure why is it a security issue?
 [2015-01-22 22:03 UTC]
-Assigned To: +Assigned To: yohgaki
 [2015-01-22 22:03 UTC]
Stas, it's not direct security issue since user may execute commands safely with exec.

However, writing secure command with arguments is not trivial work as it seems. execv, execve is much easier/safer than exec. It would be only master improvement. (It's security improvement, IMHO)

If no one objects, I'll write patch. Things that I'm not sure is why pcntl is enabled only in CLI. It's because signal handling I suppose. Is there any other reasons?
 [2015-01-23 05:12 UTC]
Not a security issue,remove private flag
 [2015-01-23 05:17 UTC]
I am not totally sure what this request tries to change or what you ask for windows.

The changes I see here are already supported with proc_open and the likes.

On windows it does not matter much as CreateProcess is used for all these functions and has the env parameter.
 [2015-02-03 07:10 UTC]
The issue is escapeshellarg() has issues like non-ascii chars and there are too many shells. We don't really know how to escape perfectly for all shells. 

Instead of trying to escape right, we may just provide execv/execve.

I'll check proc_open() code and write patch. If it has issues on windows, please fix them :)
 [2020-01-27 14:01 UTC]
For what it's worth, as of PHP 7.4.0 proc_open() also accepts an

[1] <>
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Jul 15 21:01:28 2024 UTC