ID: 44801
Updated by: [EMAIL PROTECTED]
Reported By: twm at twmacinta dot com
-Status: Open
+Status: Feedback
Bug Type: CGI related
Operating System: Red Hat Enterprise Linux ES 3
PHP Version: 5.2.5
Assigned To: fb-req-jani
New Comment:
Using --enable-safe-mode makes the default be "on". (without this
configure option it defaults to "off").
And in the manual it is mentioned that: "Warning:
With safe mode enabled, the command string is escaped with
escapeshellcmd(). Thus, echo y | echo x becomes echo y \| echo x."
The question remains: Did you really turn off safe-mode in php.ini and
was it really turned off? (check with phpinfo())
Previous Comments:
------------------------------------------------------------------------
[2008-04-24 19:48:19] twm at twmacinta dot com
Aha, that set off a spark. I think I found something useful...
The test script actually worked when I tried this:
./configure --disable-all --disable-cgi
Then, I tried no flags at all, and it still worked:
./configure
So I went through all of the flags I used originally and discovered
that the problem appears when all I add is the safe-mode flag:
./configure --enable-safe-mode
Here's the output:
----
Before: 'Tim'\''s Test'
After: sh: line 1: /usr/local/php/bin/echo: No such file or directory
----
Note that it was looking for "echo" at a different path. When I
created the directory that it was looking for and copied "echo" there,
then I got the same incorrect output as before:
----
Before: 'Tim'\''s Test'
After: Tim\s Test'
----
So the problem occurs when safe-mode is compiled into the executable
even though I am not using safe mode when running the script. I'm using
"php -n" which should avoid safe mode (right?) and my "php.ini" also
turns safe mode off. I checked the other versions of PHP which I
reported on earlier, and the versions which behaved incorrectly had safe
mode compiled in but turned off, and those that behaved correctly did
not have safe mode compiled in at all.
------------------------------------------------------------------------
[2008-04-24 18:01:39] [EMAIL PROTECTED]
Can you try with this instead:
# rm -f config.cache
# ./configure --disable-all --disable-cgi
ie. Eliminate everything but the core. :)
------------------------------------------------------------------------
[2008-04-24 17:52:47] twm at twmacinta dot com
I was actually using the "-n" flag from the start, so that moving part
was already eliminated.
Here are my "./configure" and "make install" commands:
----
CONF_OLD_PREFIX=/usr
CONF_PREFIX=/var/tmp2/php5_take2/targ
CONF_SYSCONFDIR=${CONF_PREFIX}/etc
CONF_BINDIR=${CONF_PREFIX}/bin
./configure \
--prefix=${CONF_PREFIX} \
--with-config-file-path=${CONF_SYSCONFDIR} \
--enable-force-cgi-redirect \
--enable-fastcgi \
--disable-debug \
--enable-pic \
--disable-rpath \
--enable-inline-optimization \
--with-bz2 \
--with-curl \
--with-dom=${CONF_PREFIX} \
--with-exec-dir=${CONF_BINDIR} \
--with-freetype-dir=${CONF_PREFIX} \
--with-png-dir=${CONF_PREFIX} \
--with-gd \
--enable-gd-native-ttf \
--with-ttf \
--with-gdbm \
--with-gettext \
--with-db4 \
--with-ncurses \
--with-gmp \
--with-iconv \
--with-jpeg-dir=${CONF_PREFIX} \
--with-mm \
--with-openssl \
--with-png \
--with-pspell \
--with-regex=system \
--with-xml \
--with-domxml \
--with-expat-dir=${CONF_PREFIX} \
--with-zlib \
--with-layout=GNU \
--enable-mcal \
--enable-bcmath \
--enable-debugger \
--enable-exif \
--enable-ftp \
--enable-magic-quotes \
--enable-safe-mode \
--enable-sockets \
--enable-sysvsem \
--enable-sysvshm \
--enable-discard-path \
--enable-track-vars \
--enable-trans-sid \
--enable-yp \
--enable-wddx \
--without-oci8 \
--with-imap=shared \
--with-mcrypt \
--with-imap-ssl \
--with-kerberos=/usr/kerberos \
--with-ldap=shared \
--with-mysql=shared,${CONF_PREFIX} \
--with-pgsql=shared \
--with-snmp=shared,${CONF_PREFIX} \
--with-snmp=shared \
--enable-net-snmp-hack \
--with-unixODBC=shared,${CONF_OLD_PREFIX} \
--enable-memory-limit \
--enable-bcmath \
--enable-shmop \
--enable-versioning \
--enable-calendar \
--enable-dbx \
--enable-dio \
--enable-mbstring \
--enable-mbstr-enc-trans
make install INSTALL_ROOT=/var/tmp2/php5_take2/targ
------------------------------------------------------------------------
[2008-04-24 17:44:49] [EMAIL PROTECTED]
Next obvious question is: How did you build PHP? ie. What configure
line, etc. Also to eliminate every last moving parts: run the script
like this:
# php -n script.php
------------------------------------------------------------------------
[2008-04-24 17:23:47] twm at twmacinta dot com
Good idea. I modified my test script as suggested. Here's the output
on RHEL3 with the CVS snapshot php5.2-20080423123:
----
Before: 'Tim'\''s Test'
After: sh: line 1: /var/tmp2/php5_take2/targ/bin/Tim\s: No such file or
directory
----
In case you're wondering about the path, I set "./configure --prefix"
to "/var/tmp2/php5_take2/targ" so that I could install it there and test
it before overwriting my old PHP 4 installation. PHP 4 on the same
machine gives the same output as above, except that it's the usual
"/usr/bin/" path.
For comparison, here's the output on my other RHEL3 server which has
the latest, default version of PHP 4.3 from Red Hat:
----
Before: 'Tim'\''s Test'
After: sh: line 1: /usr/bin/'Tim'\''s: No such file or directory
----
I also ran the revised test on Mac OS X 10.5, which has PHP 5.2.5, to
get what is the correct output (i.e., what you got):
----
Before: 'Tim'\''s Test'
After: sh: Tim's Test: command not found
----
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/44801
--
Edit this bug report at http://bugs.php.net/?id=44801&edit=1
