ID: 18291
Comment by: soren at vejrum dot dk
Reported By: php dot hc at saustrup dot net
Status: Verified
Bug Type: Program Execution
Operating System: RedHat Linux 7.3
PHP Version: 4.3.0-dev
New Comment:
Same/similar problem in PHP 3.1.0 (on RedHat Linux 7.2).
Previous Comments:
------------------------------------------------------------------------
[2002-07-19 20:56:56] [EMAIL PROTECTED]
Seems like safe-mode does mess up the parameters.
I'm not sure if this is actually the correct behaviour...
------------------------------------------------------------------------
[2002-07-19 20:09:28] php dot hc at saustrup dot net
I tried what you suggested, and this is what came out:
Script 1: "213
Script 2: 213
I'm a security freak, so I have safe_mode enabled. Apparently safe_mode
is infact the cause of this error, because when I disabled it in
php.ini, the two scripts worked like you suggested:
Script 1: 213 123
Script 2: 213
Please test this yourself and post the results.
------------------------------------------------------------------------
[2002-07-12 18:51:52] [EMAIL PROTECTED]
FYI: PHP uses popen(), not execve()..
In 4.2.1 there is pcntl_exec() which behaves similarly to
the system execve. Maybe that's what you want to use..?
Try these scripts:
shell_args_1arg.php:
<?php echo exec('./test.sh "213 123"'); ?>
shell_args_2arg.php:
<?php echo exec('./test.sh 213 123'); ?>
test.sh:
<----8<---->
#!/bin/sh
echo $1
<----8<---->
------------------------------------------------------------------------
[2002-07-12 08:31:07] php dot hc at saustrup dot net
And just to make it perfectly clear what arguments my binary is
getting:
Arg1: 1
Arg2: 2
Arg3: 3
Arg4: "a
Arg5: b
Arg6: c"
Arg7: 4
Arg8: 5
Arg9: 6
------------------------------------------------------------------------
[2002-07-12 08:28:20] php dot hc at saustrup dot net
As far as I can see, it's not even required by the exec()'ing user to
have a valid shell in /etc/passwd, so I very much expect that the
binary is being exec()'d directly, without the use of a shell.
If you check out the man page for the execve() function, you'll see
that arguments are actually submitted as an array, and not as a whole
string. If they were infact passed through a shell (I believe the
backticks and passthru() does this), escapeshellarg() might have been
the solution - but not in this case. I tried it, but exec() apparently
still splits up the string where it finds whitespaces (escaped or not),
and passes it on to ie. execve().
And just to make it perfectly clear what I want:
Binary: /usr/bin/binary
Arg1: 1
Arg2: 2
Arg3: 3
Arg4: a b c
Arg5: 4
Arg6: 5
Arg7: 6
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/18291
--
Edit this bug report at http://bugs.php.net/?id=18291&edit=1
