Request #68599 exec()/passthru() function should use execv, execve
Submitted: 2014-12-12 23:02 UTC Modified: 2020-01-27 14:01 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: Assigned: yohgaki (profile)
Status: Assigned Package: Program Execution
PHP Version: Irrelevant OS: ANY
Private report: No CVE-ID: None


 [2014-12-12 23:02 UTC]
I suppose pcntl module is not available because of signal handling.

Since exec() is using exec system call, exec() is extremely vulnerable to mistakes.    


string exec ( string $command [, array &$output [, int &$return_var ]] )
void passthru ( string $command [, int &$return_var ] )


string exec ( string $command [, array &$output [, int &$return_var [, $args [, $env]]]] )
void passthru ( string $command [, int &$return_var [, $args [, $env]]] )

Use execv if $args is passed, use execve if $env is passed.
Any comments? Especially for Windows?


 [2014-12-30 08:29 UTC]
-Type: Security
+Type: Feature/Change Request
-Package: Unknown/Other Function
+Package: Program Execution
 [2014-12-30 08:29 UTC]
Not sure why it is a security issue?
 [2015-01-22 22:03 UTC]
-Assigned To:
+Assigned To: yohgaki
 [2015-01-22 22:03 UTC]
Stas, it's not a direct security issue since users may execute commands safely with exec.

However, writing a secure command with arguments is not as trivial as it seems. execv/execve is much easier/safer than exec. It would be a master-only improvement. (It's a security improvement, IMHO)

If no one objects, I'll write a patch. The thing I'm not sure about is why pcntl is enabled only in CLI. It's because of signal handling, I suppose. Are there any other reasons?
 [2015-01-23 05:12 UTC]
Not a security issue, remove private flag
 [2015-01-23 05:17 UTC]
I am not totally sure what this request tries to change or what you ask for Windows.

The changes I see here are already supported with proc_open and the likes.

On Windows it does not matter much as CreateProcess is used for all these functions and has the env parameter.
 [2015-02-03 07:10 UTC]
The issue is escapeshellarg() has issues like non-ASCII chars and there are too many shells. We don't really know how to escape perfectly for all shells.

Instead of trying to escape right, we may just provide execv/execve.

I'll check proc_open() code and write a patch. If it has issues on Windows, please fix them :)
 [2020-01-27 14:01 UTC]
For what it's worth, as of PHP 7.4.0 proc_open() also accepts an
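
The difference this thread is about, as an added example (not code from the PHP project or from any commenter): exec() hands a command string to the shell, while the array form of proc_open(), available since PHP 7.4.0, passes an argument vector to the program with no shell in between, and its $env parameter replaces the environment. The helper name run_argv() and the sample values are constructed; a POSIX system with printf on PATH and /usr/bin/env is assumed.

```php
<?php
// Added example, not PHP project code. Assumes PHP >= 7.4 on a POSIX system.
// run_argv() is a hypothetical helper; all input values are constructed.

/**
 * Run a program from an argv array, without a shell.
 * Returns [exit code, captured stdout]. When $env is an array it
 * replaces the child's environment (the execve-style case).
 */
function run_argv(array $argv, ?array $env = null): array
{
    $pipes = [];
    $spec  = [1 => ['pipe', 'w']];   // capture stdout; stdin/stderr are inherited
    $proc  = proc_open($argv, $spec, $pipes, null, $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return [proc_close($proc), $out];
}

// Constructed untrusted value containing a shell metacharacter.
$name = 'report.txt; echo INJECTED';

// Shell string: /bin/sh parses the whole line, so ';' ends the printf
// command and the rest runs as a second command.
$shellOut = [];
exec('printf "%s\n" ' . $name, $shellOut);

// Same string with escapeshellarg(): correct only if the quoting rules
// match the shell and locale actually in use, which is the concern raised above.
$escapedOut = [];
exec('printf "%s\n" ' . escapeshellarg($name), $escapedOut);

// argv array: no shell is involved, so the value arrives as one argument.
[$code, $argvOut] = run_argv(['printf', '%s\n', $name]);

// Explicit environment: the child sees only the variables listed here.
[, $envOut] = run_argv(['/usr/bin/env'], ['APP_MODE' => 'test']);

echo 'shell string: ', json_encode($shellOut), "\n";
echo 'escaped:      ', json_encode($escapedOut), "\n";
echo 'argv array:   ', json_encode($argvOut), " (exit $code)\n";
echo 'child env:    ', json_encode($envOut), "\n";
```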
