From:             soner at comixwall dot org
Operating system: OpenBSD, Linux, Windows
PHP version:      5.2.11
PHP Bug Type:     Program Execution
Bug description:  exec() confused by a specially crafted string

Description:
------------
When shell command returns a specially crafted string, I get an empty array as $output of exec(), instead of the string.

I can very easily reproduce this issue, please see below for test code.

Reproduce code:
---------------
Put the following lines in bug.php:

<?php
exec('php echostr.php', $output);
print_r($output);
?>

Then put the contents at the following link in echostr.php:
http://comixwall.org/dmdocuments/echostr

Expected result:
----------------
When you execute bug.php, you will get an empty array printed out:

Array
(
)

Actual result:
--------------
Actually, $output should have contained the string above as element 0 of the array.

If you delete or add a character in the string, exec() runs correctly and you get the intended result. So the issue is specific to this special string. The problem is not with the size of the string, because much longer strings are fine.

Also this issue does *not* exist with passthru(), shell_exec() functions and backtick operator.

Furthermore, exec() return value, i.e. the last line of shell command output seems fine too (it contains the string correctly). So I believe the issue is internal to exec(), affecting $output contents only.

As you can guess, this string is in fact serialized openvpn startup log lines (I just escaped the single quotes for testing purposes, that's all), it is not some manually crafted string. Therefore, it is possible that I may get more than one similar situation in the future.

I have confirmed this issue on OpenBSD, Linux, and Windows.
Here are the versions:

OpenBSD:
PHP 5.2.8 with Suhosin-Patch 0.9.6.3 (cli) (built: Mar 1 2009 10:26:06)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
    with Suhosin v0.9.27, Copyright (c) 2007, by SektionEins GmbH

Linux:
PHP 5.2.6-3ubuntu4.2 with Suhosin-Patch 0.9.6.2 (cli) (built: Aug 21 2009 21:43:13)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies

Windows:
PHP 5.2.11 (cli) (built: Sep 16 2009 19:39:46)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies

Since Windows version is without Suhosin patch, suhosin as culprit is ruled out. (Also to test on Windows, I changed the exec shell command as 'php.exe echostr.php' of course.)

-- 
Edit bug report at http://bugs.php.net/?id=49847&edit=1
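
A way to narrow a report like this one, as an added example that is not part of the original report: run the same command through exec() and shell_exec(), which the report says is unaffected, and list every single-line output length at which the two captures disagree. The `php -r` child command, the function names and the default range of 1 to 10000 bytes are assumptions; the report does not establish what property of the string triggers the problem, so a length sweep is only one possible probe.

```php
<?php
// Added example, not code from the report. Assumes `php` is on PATH.

// Run one command through exec() and shell_exec() and compare the captures.
function compare_exec_capture($cmd)
{
    $output = array();
    $status = 0;
    $last = exec($cmd, $output, $status);
    $reference = shell_exec($cmd);

    // exec() splits output on newlines and strips trailing whitespace from
    // each line, so normalise the shell_exec() reference the same way.
    $expected = array();
    if (is_string($reference) && $reference !== '') {
        foreach (explode("\n", rtrim($reference, "\n")) as $line) {
            $expected[] = rtrim($line);
        }
    }
    $count = count($expected);
    return array(
        'match'   => ($output === $expected),
        'last_ok' => ($count > 0 && $last === $expected[$count - 1]),
        'got'     => count($output),
        'want'    => $count,
        'status'  => $status,
    );
}

// Sweep single-line outputs of $from..$to bytes (the default range is arbitrary).
function sweep_lengths($from, $to)
{
    $mismatches = array();
    for ($n = $from; $n <= $to; $n++) {
        // Double quotes on the outside so the command parses under sh and cmd.exe.
        $cmd = 'php -r "echo str_repeat(\'a\', ' . (int) $n . ');"';
        $r = compare_exec_capture($cmd);
        if (!$r['match']) {
            $mismatches[$n] = $r;
            printf("len=%d: exec() gave %d line(s), expected %d; last line ok: %s\n",
                $n, $r['got'], $r['want'], $r['last_ok'] ? 'yes' : 'no');
        }
    }
    return $mismatches;
}

$from = isset($argv[1]) ? (int) $argv[1] : 1;
$to   = isset($argv[2]) ? (int) $argv[2] : 10000;
$bad  = sweep_lengths($from, $to);
printf("%d mismatching length(s) between %d and %d\n", count($bad), $from, $to);
```

Pass a start and end length as arguments to limit the range, since every length tested starts two child processes.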