|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #68599 exec()/passthru() function should use execv, execve
Submitted: 2014-12-12 23:02 UTC Modified: 2015-02-03 07:10 UTC
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: Assigned: yohgaki (profile)
Status: Assigned Package: Program Execution
PHP Version: Irrelevant OS: ANY
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
Solve the problem:
46 + 33 = ?
Subscribe to this entry?

 [2014-12-12 23:02 UTC]
I suppose pcntl module is not available because of signal handling.

Since exec() is using exec system call, exec() is extremely vulnerable to mistakes.    


string exec ( string $command [, array &$output [, int &$return_var ]] )
void passthru ( string $command [, int &$return_var ] )


string exec ( string $command [, array &$output [, int &$return_var [, $args [, $env]]]] )
void passthru ( string $command [, int &$return_var [, $args [, $env]]] )

Use evecv if $args is passed, use execve if $env is passed.
Any comments? Especially for windows?


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2014-12-30 08:29 UTC]
-Type: Security +Type: Feature/Change Request -Package: Unknown/Other Function +Package: Program Execution
 [2014-12-30 08:29 UTC]
Not sure why is it a security issue?
 [2015-01-22 22:03 UTC]
-Assigned To: +Assigned To: yohgaki
 [2015-01-22 22:03 UTC]
Stas, it's not direct security issue since user may execute commands safely with exec.

However, writing secure command with arguments is not trivial work as it seems. execv, execve is much easier/safer than exec. It would be only master improvement. (It's security improvement, IMHO)

If no one objects, I'll write patch. Things that I'm not sure is why pcntl is enabled only in CLI. It's because signal handling I suppose. Is there any other reasons?
 [2015-01-23 05:12 UTC]
Not a security issue,remove private flag
 [2015-01-23 05:17 UTC]
I am not totally sure what this request tries to change or what you ask for windows.

The changes I see here are already supported with proc_open and the likes.

On windows it does not matter much as CreateProcess is used for all these functions and has the env parameter.
 [2015-02-03 07:10 UTC]
The issue is escapeshellarg() has issues like non-ascii chars and there are too many shells. We don't really know how to escape perfectly for all shells. 

Instead of trying to escape right, we may just provide execv/execve.

I'll check proc_open() code and write patch. If it has issues on windows, please fix them :)
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Sep 21 21:01:26 2019 UTC