ID: 31088
User updated by: vdlaag at natlab dot research dot philips dot com
Reported By: vdlaag at natlab dot research dot philips dot com
-Status: Feedback
+Status: Open
Bug Type: Program Execution
Operating System: RedHat 9.0
PHP Version: 5.0.2
New Comment:
I am afraid this was a bogus bug report. As Safe mode isa enabled,
every shell command is escaped. I found this later on in the
documentation. Although I find this a bit peculiar, it works as
designed. My problem occurs because the command is escaped.
I already solved by creating another shell script, that executes the
createRequest call. I call exec on this other shell script. Then it
works fine.
I am sorry to have troubled you with this. It turned out to be my own
error and not a bug in PHP.
Previous Comments:
------------------------------------------------------------------------
[2005-02-11 23:03:47] [EMAIL PROTECTED]
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.
A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc.
If possible, make the script source available online and provide
an URL to it here. Try to avoid embedding huge scripts into the report.
Please provide a reproduce code that we could run & replicate the
problem.
------------------------------------------------------------------------
[2004-12-14 14:32:47] vdlaag at natlab dot research dot philips dot com
Description:
------------
I have a command line tool that adds records to a database. This is the
only way for me to access this database.
The command line tool works as follows:
createRequest -p -i "value1" -l "value2" etc
Each option is followed by the value for the record.
The -p option is there so that the ID of the new inserted record is
returned to standard output.
At the command line this works fine. But as soon as a value contains a
& the exec function fails. When a value contains parentheses, they are
escaped (so that the escape characters are inserted in the database as
well).
The configure script for php:
'./configure' '--prefix=/usr/local/php5' '--enable-safe-mode'
'--with-apxs2=/usr/local/httpd/bin/apxs' '--with-gd'
'--with-mssql=/usr/local/freetds' '--with-pgsql=/usr/local/pgsql'
'--with-mysql=/usr/local/mysql' '--with-ldap=/usr/local/openldap'
'--with-png-dir=/usr/local/libpng' '--with-zlib-dir=/usr/local/zlib'
'--with-jpeg-dir=/usr/local/jpeg'
'--with-freetype-dir=/usr/local/freetype/include/freetype2/freetype'
'--with-curl=/usr/local/curl' '--with-mime-magic=/usr/share/magic.mime'
'--with-xslt-sablot=/usr/local/Sablot'
'--with-expat-dir=/usr/local/expat'
'--with-libxml-dir=/usr/local/libxml' '--with-pear'
I added the folder that holds the cretaeRequest tool to
safe_mode_exec_dir in php.ini
Reproduce code:
---------------
//These options go OK
$Options['-i'] = "Add user to group X";
$Options['-l'] = "vdlaag";
//This option makes the exec command fail
$Options['-O] = "IP&S";
//This option results in extra slashes
// it yields: Great stuff \(is it not\)
$Options['-a'] = "Great stuff (is it not)"
$Exec = $_SERVER['DOCUMENT_ROOT'] .
"/vdlaag/NewUserForm/IPS/createRequest -p";
foreach ($Options as $option => $value)
{
$Exec .= " " . $option . " '" . $value . "'";
}
$HDTCase = exec($Exec);
Expected result:
----------------
I expect to get a number back from the exec command. This happens OK if
there are no "weird" charachters in any of the values (like &).
Actual result:
--------------
It returns nothing and the rest of my script fails as a result.
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=31088&edit=1
