#48729 [Com]: proc_open doesn't read from stdin
ID: 48729
Comment by: kripper3 at hotmail dot com
Reported By: kripper at imatronix dot cl
Status: Feedback
Bug Type: Streams related
Operating System: Windows XP SP3
PHP Version: 5.2.10
Assigned To: pajoye

New Comment:

It works on 5.3 (CVS), only with php.exe.

Thanks.

Previous Comments:

[2009-07-03 16:22:21] paj...@php.net

Please try using CLI, not cgi.

[2009-07-03 16:19:46] kripper3 at hotmail dot com

Tested on PHP 5.3 (5.3.1-dev) (CVS), released 2009-Jul-03 17:00:00.
proc_open() is still not able to read from stdin on Windows, when running PHP from a DOS shell.

[2009-06-30 07:52:33] paj...@php.net

Please try using this CVS snapshot:
http://snaps.php.net/php5.3-latest.tar.gz

For Windows:
http://windows.php.net/snapshots/

[2009-06-30 05:16:57] kripper3 at hotmail dot com

HINT for reproducing:

1) Download plink.exe (http://the.earth.li/~sgtatham/putty/latest/x86/plink.exe) to C:\ for testing a command which expects stdin.

2) Copy this script to C:\test.php

---
<?php
$espec_descriptor = array(
    0 => fopen('php://stdin', 'r'),
    1 => fopen('php://stdout', 'w'),
    2 => array("file", "C:\\error-output.txt", "a")
);
$cmd = "C:\\plink.exe r...@hostifex.com";
$process = proc_open($cmd, $espec_descriptor, $pipes);
if (is_resource($process)) {
    echo "The command was supposed to prompt the password (it works on 5.1.2)\n";
    proc_close($process);
} else {
    echo "Trivial Error. Please check your setup for reproducing the problem.\n";
}
?>
---

3) Execute in DOS Shell: C:\PHP\php-cgi.exe C:\test.php

4) A prompt reading from stdin is expected (but fails on 5.2.x).
It works with: http://museum.php.net/php5/php-5.1.2-Win32.zip

5) Check the C:\error-output.txt if you get other results.

6) (Cleaning) Delete C:\Test.php and C:\error-output.txt.

Thanks.

[2009-06-30 03:35:07] kripper at imatronix dot cl

Description:

proc_open() doesn't read from stdin, when running PHP from console.
Reproduce code works on PHP 5.1.2.
popen works, but seems not to be suited for running interactive shell commands from PHP.
Console scripts trying to run interactive commands will fail.

Reproduce code:
---
$espec_descriptor = array(
    0 => fopen('php://stdin', 'r'),
    1 => fopen('php://stdout', 'w'),
    2 => array("file", "C:\\error-output.txt", "a")
);
$cmd = "";
$process = proc_open($cmd, $espec_descriptor, $pipes);
if (is_resource($process)) {
    set_time_limit(0);
    return proc_close($process);
} else {
    return -1;
}

Expected result:

proc_open() should run the command and allow it to read from stdin.

Actual result:
--
Commands fail to read from stdin and close immediately.

--
Edit this bug report at http://bugs.php.net/?id=48729&edit=1

#48729 [Com]: proc_open doesn't read from stdin
ID: 48729
Comment by: kripper3 at hotmail dot com
Reported By: kripper at imatronix dot cl
Status: Feedback
Bug Type: Streams related
Operating System: Windows XP SP3
PHP Version: 5.2.10
Assigned To: pajoye

New Comment:

Tested on PHP 5.3 (5.3.1-dev) (CVS), released 2009-Jul-03 17:00:00.
proc_open() is still not able to read from stdin on Windows, when running PHP from a DOS shell.

Previous Comments:

[2009-06-30 07:52:33] paj...@php.net

Please try using this CVS snapshot:
http://snaps.php.net/php5.3-latest.tar.gz

For Windows:
http://windows.php.net/snapshots/

[2009-06-30 05:16:57] kripper3 at hotmail dot com

HINT for reproducing:

1) Download plink.exe (http://the.earth.li/~sgtatham/putty/latest/x86/plink.exe) to C:\ for testing a command which expects stdin.

2) Copy this script to C:\test.php

---
<?php
$espec_descriptor = array(
    0 => fopen('php://stdin', 'r'),
    1 => fopen('php://stdout', 'w'),
    2 => array("file", "C:\\error-output.txt", "a")
);
$cmd = "C:\\plink.exe r...@hostifex.com";
$process = proc_open($cmd, $espec_descriptor, $pipes);
if (is_resource($process)) {
    echo "The command was supposed to prompt the password (it works on 5.1.2)\n";
    proc_close($process);
} else {
    echo "Trivial Error. Please check your setup for reproducing the problem.\n";
}
?>
---

3) Execute in DOS Shell: C:\PHP\php-cgi.exe C:\test.php

4) A prompt reading from stdin is expected (but fails on 5.2.x).
It works with: http://museum.php.net/php5/php-5.1.2-Win32.zip

5) Check the C:\error-output.txt if you get other results.

6) (Cleaning) Delete C:\Test.php and C:\error-output.txt.

Thanks.

[2009-06-30 03:35:07] kripper at imatronix dot cl

Description:

proc_open() doesn't read from stdin, when running PHP from console.
Reproduce code works on PHP 5.1.2.
popen works, but seems not to be suited for running interactive shell commands from PHP.
Console scripts trying to run interactive commands will fail.

Reproduce code:
---
$espec_descriptor = array(
    0 => fopen('php://stdin', 'r'),
    1 => fopen('php://stdout', 'w'),
    2 => array("file", "C:\\error-output.txt", "a")
);
$cmd = "";
$process = proc_open($cmd, $espec_descriptor, $pipes);
if (is_resource($process)) {
    set_time_limit(0);
    return proc_close($process);
} else {
    return -1;
}

Expected result:

proc_open() should run the command and allow it to read from stdin.

Actual result:
--
Commands fail to read from stdin and close immediately.

#48729 [Com]: proc_open doesn't read from stdin
ID: 48729
Comment by: kripper3 at hotmail dot com
Reported By: kripper at imatronix dot cl
Status: Open
Bug Type: Streams related
Operating System: Windows XP SP3
PHP Version: 5.2.10

New Comment:

HINT for reproducing:

1) Download plink.exe (http://the.earth.li/~sgtatham/putty/latest/x86/plink.exe) to C:\ for testing a command which expects stdin.

2) Copy this script to C:\test.php

---
<?php
$espec_descriptor = array(
    0 => fopen('php://stdin', 'r'),
    1 => fopen('php://stdout', 'w'),
    2 => array("file", "C:\\error-output.txt", "a")
);
$cmd = "C:\\plink.exe r...@hostifex.com";
$process = proc_open($cmd, $espec_descriptor, $pipes);
if (is_resource($process)) {
    echo "The command was supposed to prompt the password (it works on 5.1.2)\n";
    proc_close($process);
} else {
    echo "Trivial Error. Please check your setup for reproducing the problem.\n";
}
?>
---

3) Execute in DOS Shell: C:\PHP\php-cgi.exe C:\test.php

4) A prompt reading from stdin is expected (but fails on 5.2.x).
It works with: http://museum.php.net/php5/php-5.1.2-Win32.zip

5) Check the C:\error-output.txt if you get other results.

6) (Cleaning) Delete C:\Test.php and C:\error-output.txt.

Thanks.

Previous Comments:

[2009-06-30 03:35:07] kripper at imatronix dot cl

Description:

proc_open() doesn't read from stdin, when running PHP from console.
Reproduce code works on PHP 5.1.2.
popen works, but seems not to be suited for running interactive shell commands from PHP.
Console scripts trying to run interactive commands will fail.

Reproduce code:
---
$espec_descriptor = array(
    0 => fopen('php://stdin', 'r'),
    1 => fopen('php://stdout', 'w'),
    2 => array("file", "C:\\error-output.txt", "a")
);
$cmd = "";
$process = proc_open($cmd, $espec_descriptor, $pipes);
if (is_resource($process)) {
    set_time_limit(0);
    return proc_close($process);
} else {
    return -1;
}

Expected result:

proc_open() should run the command and allow it to read from stdin.

Actual result:
--
Commands fail to read from stdin and close immediately.

#42116 [NEW]: Safe eval()
From: kripper3 at hotmail dot com
Operating system: Irrelevant
PHP version: 5.2.3
PHP Bug Type: Feature/Change Request
Bug description: Safe eval()

Description:

eval($code) makes it possible to execute PHP code.
It becomes useful when $code is provided dynamically (by the user of the application). For example, in order to compute a math expression provided by the user via a Web Interface.
A lot of applications are using eval() this way.

The problem is that eval() is not safe, and makes it possible to inject code. For example, instead of providing a math expression, I could provide code for listing files, get the content of the scripts and obtain hardcoded passwords.

On http://www.php.net/manual/en/function.eval.php#75389 someone proposed a parser to detect disallowed PHP functions, but since the evaled code can be very flexible (i.e. "$a = 'un' . 'link'; $a('')"), it seems the solution must be implemented in the engine.

In other words, there should be a secure sandbox eval() function, let's say "save_eval()".

I guess this could be difficult to implement. Besides, the definition of "safe" may be subjective. I would define "safe" as, at least, to not allow someone to do I/O operations (i.e. read/write files, access URLs, etc.) and not access the application's code space (i.e. change $GLOBALS, $_SESSION, $_SERVER, etc).

Today, to use eval() implies a security risk in almost any app. that uses this function. Besides, we are missing a BIG RED WARNING BOX in the documentation page to inform our PHP users. Therefore, it is a social bug.

Related "Bug": http://bugs.php.net/bug.php?id=40722&edit=2
IMO, it's no serious answer, since OS privileges cannot avoid reading passwords in PHP scripts or injecting: $_SESSION['isAdmin'] = 'ok...let_me_hack_your_php_app')

Reproduce code:
---
eval() or save_eval()

Expected result:

ERROR: Evaled code cannot execute function ''

Actual result:
--
Irrelevant.

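For the use case the report names (computing a math expression supplied by a user), one alternative to eval() is to parse the expression directly, so that input is only ever treated as numbers and operators. This is an added example, not part of the original report or of PHP itself: safe_math() and its parse_* helpers are hypothetical names, and the accepted grammar (decimal numbers, + - * /, parentheses, unary minus) and the 200-byte limit are assumptions.

```php
<?php
// Added example (hypothetical helper names): arithmetic only, eval() is never called.
function safe_math(string $expr): float {
    // Allow-list of characters; the assumed 200-byte cap bounds recursion depth.
    // Input such as "$a = 'un' . 'link'; $a('')" is rejected here.
    if (strlen($expr) > 200 || preg_match('/[^0-9.+\-*\/()\s]/', $expr)) {
        throw new InvalidArgumentException('disallowed input');
    }
    preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $expr, $m);
    // Tokens must account for every non-space byte (rejects stray dots like "1.5.2").
    if (implode('', $m[0]) !== preg_replace('/\s+/', '', $expr)) {
        throw new InvalidArgumentException('malformed number');
    }
    $pos = 0;
    $value = parse_sum($m[0], $pos);
    if ($pos !== count($m[0])) throw new InvalidArgumentException('unexpected token');
    return $value;
}
// Lowest precedence: addition and subtraction.
function parse_sum(array $t, int &$i): float {
    $v = parse_product($t, $i);
    while (in_array($t[$i] ?? null, ['+', '-'], true)) {
        $op = $t[$i++];
        $r = parse_product($t, $i);
        $v = $op === '+' ? $v + $r : $v - $r;
    }
    return $v;
}
function parse_product(array $t, int &$i): float {
    $v = parse_atom($t, $i);
    while (in_array($t[$i] ?? null, ['*', '/'], true)) {
        $op = $t[$i++];
        $r = parse_atom($t, $i);
        if ($op === '/' && $r == 0.0) throw new DivisionByZeroError('division by zero');
        $v = $op === '*' ? $v * $r : $v / $r;
    }
    return $v;
}
function parse_atom(array $t, int &$i): float {
    $tok = $t[$i++] ?? null;
    if ($tok === '-') return -parse_atom($t, $i);
    if ($tok === '(') {
        $v = parse_sum($t, $i);
        if (($t[$i] ?? null) !== ')') throw new InvalidArgumentException('missing )');
        $i++;
        return $v;
    }
    if ($tok === null || !is_numeric($tok)) throw new InvalidArgumentException('expected a number');
    return (float) $tok;
}
```

Because no identifier, string or variable token exists in this grammar, the evaluated input has no way to name a function, touch $_SESSION or perform I/O, which is the property the report asks for.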