php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #68599 exec()/passthru() function should use execv, execve
Submitted: 2014-12-12 23:02 UTC Modified: 2020-01-27 14:01 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: yohgaki@php.net Assigned: yohgaki (profile)
Status: Assigned Package: Program Execution
PHP Version: Irrelevant OS: ANY
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: yohgaki@php.net
New email:
PHP Version: OS:

 

 [2014-12-12 23:02 UTC] yohgaki@php.net
Description:
------------
I suppose pcntl module is not available because of signal handling.
https://bugs.php.net/bug.php?id=50116

Since exec() is using exec system call, exec() is extremely vulnerable to mistakes.    

Change

string exec ( string $command [, array &$output [, int &$return_var ]] )
void passthru ( string $command [, int &$return_var ] )

to 

string exec ( string $command [, array &$output [, int &$return_var [, $args [, $env]]]] )
void passthru ( string $command [, int &$return_var [, $args [, $env]]] )

Use evecv if $args is passed, use execve if $env is passed.
Any comments? Especially for windows?



Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-12-30 08:29 UTC] stas@php.net
-Type: Security +Type: Feature/Change Request -Package: Unknown/Other Function +Package: Program Execution
 [2014-12-30 08:29 UTC] stas@php.net
Not sure why is it a security issue?
 [2015-01-22 22:03 UTC] yohgaki@php.net
-Assigned To: +Assigned To: yohgaki
 [2015-01-22 22:03 UTC] yohgaki@php.net
Stas, it's not direct security issue since user may execute commands safely with exec.

However, writing secure command with arguments is not trivial work as it seems. execv, execve is much easier/safer than exec. It would be only master improvement. (It's security improvement, IMHO)

If no one objects, I'll write patch. Things that I'm not sure is why pcntl is enabled only in CLI. It's because signal handling I suppose. Is there any other reasons?
 [2015-01-23 05:12 UTC] pajoye@php.net
Not a security issue,remove private flag
 [2015-01-23 05:17 UTC] pajoye@php.net
I am not totally sure what this request tries to change or what you ask for windows.

The changes I see here are already supported with proc_open and the likes.

On windows it does not matter much as CreateProcess is used for all these functions and has the env parameter.
 [2015-02-03 07:10 UTC] yohgaki@php.net
@pajoye
The issue is escapeshellarg() has issues like non-ascii chars and there are too many shells. We don't really know how to escape perfectly for all shells. 

Instead of trying to escape right, we may just provide execv/execve.

I'll check proc_open() code and write patch. If it has issues on windows, please fix them :)
 [2020-01-27 14:01 UTC] cmb@php.net
For what it's worth, as of PHP 7.4.0 proc_open() also accepts an
array[1].

[1] <https://www.php.net/manual/en/migration74.new-features.php#migration74.new-features.standard.proc-open>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Oct 15 22:01:26 2024 UTC