#48729 [Com]: proc_open doesn't read from stdin

2009-07-07 Thread kripper3 at hotmail dot com
 ID:   48729
 Comment by:   kripper3 at hotmail dot com
 Reported By:  kripper at imatronix dot cl
 Status:   Feedback
 Bug Type: Streams related
 Operating System: Windows XP SP3
 PHP Version:  5.2.10
 Assigned To:  pajoye
 New Comment:

It works on 5.3 (CVS), only with php.exe.
Thanks.


Previous Comments:


[2009-07-03 16:22:21] paj...@php.net

Please try using CLI, not cgi.



[2009-07-03 16:19:46] kripper3 at hotmail dot com

Tested on PHP 5.3 (5.3.1-dev) (CVS), released 2009-Jul-03 17:00:00.
proc_open() is still not able to read from stdin on windows, when
running PHP from a DOS shell.



[2009-06-30 07:52:33] paj...@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php5.3-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/





[2009-06-30 05:16:57] kripper3 at hotmail dot com

HINT for reproducing:

1) Download plink.exe
(http://the.earth.li/~sgtatham/putty/latest/x86/plink.exe) to C:\ for
testing a command which expects stdin.

2) Copy this script to C:\test.php

---
<?php
// Descriptor spec: the child inherits this script's stdin and stdout,
// and its stderr is appended to a file
$espec_descriptor = array(
   0 => fopen('php://stdin', 'r'),
   1 => fopen('php://stdout', 'w'),
   2 => array("file", "C:\\error-output.txt", "a")
);

// plink expects to read the password from stdin (user name elided in the report)
$cmd = "C:\\plink.exe r...@hostifex.com";

$process = proc_open($cmd, $espec_descriptor, $pipes);

if (is_resource($process)) {
    echo "The command was supposed to prompt the password (it works on 5.1.2)\n";
    proc_close($process);
} else {
    echo "Trivial Error. Please check your setup for reproducing the problem.\n";
}
?>
---

3) Execute in DOS Shell:

C:\PHP\php-cgi.exe C:\test.php

4) A prompt reading from stdin is expected (but fails on 5.2.x).
It works with: http://museum.php.net/php5/php-5.1.2-Win32.zip

5) Check the C:\error-output.txt if you get other results.

6) (Cleaning) Delete C:\Test.php and C:\error-output.txt.

Thanks.



[2009-06-30 03:35:07] kripper at imatronix dot cl

Description:

proc_open() doesn't read from stdin, when running PHP from console.
Reproduce code works on PHP 5.1.2.
popen() works, but does not seem suited for running interactive shell
commands from PHP.
Console scripts trying to run interactive commands will fail.

Reproduce code:
---
<?php
$espec_descriptor = array(
   0 => fopen('php://stdin', 'r'),     // child inherits this script's stdin
   1 => fopen('php://stdout', 'w'),    // and its stdout
   2 => array("file", "C:\\error-output.txt", "a")  // stderr appended to a file
);

$cmd = "";   // the command was elided in the report as received

$process = proc_open($cmd, $espec_descriptor, $pipes);

if (is_resource($process)) {
    set_time_limit(0);            // do not time out while the interactive command runs
    return proc_close($process);  // top-level return ends the script; proc_close() gives the exit status
} else {
    return -1;
}

Expected result:

proc_open() should run the command and allow it to read from stdin.

Actual result:
--
Commands fail to read from stdin and close immediately.





-- 
Edit this bug report at http://bugs.php.net/?id=48729&edit=1
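The two ways of handing stdin to a child that this thread contrasts, written out as an added example (this is not code from the bug report and not part of PHP itself). It assumes PHP 5.4 or later for the PHP_BINARY constant; the function names require_cli(), run_with_piped_stdin() and run_interactive() are this example's own. The offline demo uses PHP itself as the child so it needs no plink.exe or remote host; the interactive path is only taken when a command is given on the command line.

```php
<?php
// Added example for bug #48729 (not the reporter's code): feed a child's stdin
// from a pipe, or let it inherit the CLI terminal, and refuse to run under CGI,
// which is what the maintainer's "use CLI, not cgi" advice comes down to.
// Assumes PHP >= 5.4 (PHP_BINARY).

declare(strict_types=1);

// STDIN/STDOUT/STDERR only exist in the CLI SAPI, and php-cgi.exe treats its
// own stdin as a request body, so stop early under anything but 'cli'.
function require_cli(): void
{
    if (PHP_SAPI !== 'cli') {
        fwrite(fopen('php://stderr', 'w'), "Run this with php.exe (CLI), not php-cgi.exe\n");
        exit(1);
    }
}

// Non-interactive case: the parent decides what the child reads and collects
// everything it writes. Returns exit status, stdout and stderr.
function run_with_piped_stdin(string $cmd, string $input): array
{
    $spec = [
        0 => ['pipe', 'r'],   // child's stdin; the parent writes to $pipes[0]
        1 => ['pipe', 'w'],   // child's stdout; the parent reads $pipes[1]
        2 => ['pipe', 'w'],   // child's stderr; the parent reads $pipes[2]
    ];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException("proc_open() failed for: $cmd");
    }
    fwrite($pipes[0], $input);
    fclose($pipes[0]);                 // EOF, otherwise the child waits forever
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['status' => proc_close($proc), 'stdout' => $stdout, 'stderr' => $stderr];
}

// Interactive case (the reporter's plink password prompt): the child inherits
// the terminal handles of this CLI process and talks to the user directly.
function run_interactive(string $cmd): int
{
    $spec = [0 => STDIN, 1 => STDOUT, 2 => STDERR];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException("proc_open() failed for: $cmd");
    }
    return proc_close($proc);   // blocks until the user is done with the child
}

require_cli();

// Offline demo: the child is PHP itself, uppercasing each stdin line. The code
// uses no " % or ! characters, which escapeshellarg() mangles on Windows.
$childCode = 'while (is_string($line = fgets(STDIN))) { echo strtoupper($line); }';
$cmd = escapeshellarg(PHP_BINARY) . ' -r ' . escapeshellarg($childCode);

$result = run_with_piped_stdin($cmd, "first line\nsecond line\n");
printf("exit=%d\nstdout:\n%s", $result['status'], $result['stdout']);   // FIRST LINE / SECOND LINE

// Interactive demo on request, e.g.:  php this.php "C:\plink.exe user@host"
// The command string comes straight from argv and is not escaped here, so it
// must never be built from web input: proc_open() hands it to the shell.
if ($argc > 1) {
    exit(run_interactive($argv[1]));
}
```

Two caveats for real tools. Reading stdout to EOF before touching stderr, as run_with_piped_stdin() does, can deadlock if the child fills the stderr pipe buffer first; on POSIX use stream_select() over both pipes, and on Windows, where stream_select() does not work on proc_open() pipes, route stderr to a file as the reporter did. And since PHP 7.4 proc_open() accepts the command as an array of arguments, which bypasses the shell entirely and removes the quoting problem that escapeshellarg() only papers over.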

#42116 [NEW]: Safe eval()

2007-07-26 Thread kripper3 at hotmail dot com
From: kripper3 at hotmail dot com
Operating system: Irrelevant
PHP version:  5.2.3
PHP Bug Type: Feature/Change Request
Bug description:  Safe eval()

Description:

eval($code) makes it possible to execute PHP code.
It becomes useful when $code is provided dynamically (by the user of the
application).
For example, in order to compute a math expression provided by the user
via a Web Interface.
A lot of applications are using eval() this way.
The problem is that eval() is not safe, and makes it possible to inject
code.
For example, instead of providing a math expression, I could provide code
for listing files, get the content of the scripts and obtain hardcoded
passwords.
On http://www.php.net/manual/en/function.eval.php#75389 someone proposed a
parser to detect disallowed PHP functions, but since the evaled code can be
very flexible (i.e. "$a = 'un' . 'link'; $a('')"), it seems the
solution must be implemented in the engine.
In other words, there should be a secure sandbox eval() function, let's
say "safe_eval()".

I guess this could be difficult to implement.
Besides, the definition of "safe" may be subjective.

I would define "safe" as, at least, to not allow someone to do I/O
operations (i.e. read/write files, access URLs, etc.) and not access the
application's code space (i.e. change $GLOBALS, $_SESSION, $_SERVER, etc.).

Today, using eval() implies a security risk in almost any application that
uses this function. Besides, we are missing a BIG RED WARNING BOX in the
documentation page to inform our PHP users. Therefore, it is a social bug.

Related "Bug":

http://bugs.php.net/bug.php?id=40722&edit=2

IMO, it is not a serious answer, since OS privileges cannot prevent reading
passwords in PHP scripts or injecting:

$_SESSION['isAdmin'] = 'ok...let_me_hack_your_php_app';

Reproduce code:
---
eval()

or

safe_eval()


Expected result:

ERROR: Evaled code cannot execute function ''

Actual result:
--
Irrelevant.

-- 
Edit bug report at http://bugs.php.net/?id=42116&edit=1
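The math-expression use case from this request handled without eval() at all, as an added example (this is not the reporter's code and not a PHP feature; the function name safe_math() and the MathParser class are this example's own). Rather than blocklisting function names, which the "'un' . 'link'" trick in the report defeats, the tokenizer allowlists numbers, arithmetic operators and parentheses and rejects everything else before anything is evaluated, so there is no place for a function name to hide.

```php
<?php
// Added example for bug #42116 (not the reporter's code): evaluate user-supplied
// arithmetic with a small recursive-descent parser instead of eval(). The only
// tokens accepted are numbers, + - * / %, and parentheses.

declare(strict_types=1);

final class MathParser
{
    private array $tokens;
    private int $pos = 0;

    public function __construct(string $expr)
    {
        $this->tokens = self::tokenize($expr);
    }

    // Allowlist tokenizer: anything outside the grammar is an error, including
    // letters, quotes, '$' and ';', so "$a = 'un' . 'link'; $a('')" never gets past here.
    private static function tokenize(string $expr): array
    {
        $tokens = [];
        $len = strlen($expr);
        for ($i = 0; $i < $len;) {
            $c = $expr[$i];
            if (ctype_space($c)) { $i++; continue; }
            if (strpos('+-*/%()', $c) !== false) { $tokens[] = $c; $i++; continue; }
            if (preg_match('/\G\d+(?:\.\d+)?/', $expr, $m, 0, $i)) {
                $tokens[] = (float) $m[0];
                $i += strlen($m[0]);
                continue;
            }
            throw new InvalidArgumentException("Rejected character '$c' at offset $i");
        }
        return $tokens;
    }

    private function peek() { return $this->tokens[$this->pos] ?? null; }
    private function next() { return $this->tokens[$this->pos++] ?? null; }

    public function evaluate(): float
    {
        $v = $this->expr();
        if ($this->pos !== count($this->tokens)) {
            throw new InvalidArgumentException('Unexpected trailing token');
        }
        return $v;
    }

    // expr := term (('+' | '-') term)*
    private function expr(): float
    {
        $v = $this->term();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $op = $this->next();
            $r = $this->term();
            $v = ($op === '+') ? $v + $r : $v - $r;
        }
        return $v;
    }

    // term := factor (('*' | '/' | '%') factor)*
    private function term(): float
    {
        $v = $this->factor();
        while (in_array($this->peek(), ['*', '/', '%'], true)) {
            $op = $this->next();
            $r = $this->factor();
            if ($op !== '*' && $r == 0.0) {
                throw new DomainException('Division by zero');
            }
            $v = ($op === '*') ? $v * $r : (($op === '/') ? $v / $r : fmod($v, $r));
        }
        return $v;
    }

    // factor := '-' factor | '(' expr ')' | number
    private function factor(): float
    {
        $t = $this->next();
        if ($t === '-') { return -$this->factor(); }
        if ($t === '(') {
            $v = $this->expr();
            if ($this->next() !== ')') {
                throw new InvalidArgumentException('Missing closing parenthesis');
            }
            return $v;
        }
        if (is_float($t)) { return $t; }
        throw new InvalidArgumentException('Expected a number or parenthesis');
    }
}

// Hypothetical replacement for the eval() call in a "calculator" endpoint.
function safe_math(string $expr): float
{
    return (new MathParser($expr))->evaluate();
}

// Constructed inputs: two legitimate expressions, then the report's bypass string
// and a direct function call, both of which are rejected at tokenization.
$cases = ['2 + 3 * (4 - 1)', '-(2.5 * 4) / 5', "\$a = 'un' . 'link'; \$a('')", 'unlink("x")'];
foreach ($cases as $c) {
    try {
        printf("%-32s => %s\n", $c, safe_math($c));          // 11 and -2
    } catch (Exception $e) {
        printf("%-32s => rejected: %s\n", $c, $e->getMessage());
    }
}
```

The point of the design is that the parser is the whole trust boundary: it never calls eval(), so the question of which PHP functions are "safe" inside evaluated code, which the report rightly notes is hard to pin down, does not arise. Anything the grammar needs later (exponent, a few named math functions) is added as a token the parser knows, not as a string the engine interprets.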