ID:               49847
 Updated by:       sjo...@php.net
 Reported By:      soner at comixwall dot org
 Status:           Analyzed
 Bug Type:         Program Execution
 Operating System: OpenBSD, Linux, Windows
 PHP Version:      5.2.11
 New Comment:

Filed Bug #49851 "HTTP breaks on long header line", which has the same
cause.


Previous Comments:
------------------------------------------------------------------------

[2009-10-12 19:28:18] sjo...@php.net

From exec.c:125:
while (php_stream_get_line(stream, ... b, EXEC_INPUT_BUF, &bufl)) {
        /* no new line found, let's read some more */
        if (b[bufl - 1] != '\n' && !php_stream_eof(stream)) {
                ...
                continue;
                ...
                add_next_index_stringl(array, buf, bufl, 1);

php_stream_get_line reads all the data. No newline is found, because
there is none. The reading has not yet triggered php_stream_eof, because
reading has stopped just before the bytes ran out. Loop starts again.
php_stream_get_line now reads no bytes at all, because no bytes are
left. Loop quits without adding the string to the array.

------------------------------------------------------------------------

[2009-10-12 19:01:54] sjo...@php.net

The trick is that the string which is output is 4095 bytes long.

exec("printf %4095d 1", $output);
print_r($output);

------------------------------------------------------------------------
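
Added example, not part of the bug report or of PHP's source: a simplified C model of the read loop analyzed in the 19:28:18 comment, run on output of 4094, 4095 and 4096 bytes as in the 19:01:54 reproducer. The `stream` struct, `get_line`, `collect_lines`, the 4096-byte buffer size and the `flush_tail` correction are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUF 4096 /* assumed buffer size, consistent with the 4095-byte reproducer */

/* Hypothetical in-memory stand-in for the command's output pipe. */
struct stream { const char *data; size_t len, pos; int eof; };

/* Read up to max-1 bytes, stopping after '\n'. EOF is flagged only when a
   read wants another byte and finds none. Returns 0 if nothing was read. */
static int get_line(struct stream *s, char *b, size_t max, size_t *n) {
    size_t i = 0;
    while (i < max - 1) {
        if (s->pos == s->len) { s->eof = 1; break; }
        b[i] = s->data[s->pos++];
        if (b[i++] == '\n') break;
    }
    b[i] = '\0';
    *n = i;
    return i > 0;
}

/* Count lines appended to $output. flush_tail=0 mirrors the quoted loop;
   flush_tail=1 is one possible correction (an assumption, not PHP's patch). */
static int collect_lines(const char *out, size_t len, int flush_tail) {
    struct stream s = { out, len, 0, 0 };
    static char buf[BUF];
    size_t bufl = 0, pending = 0;
    int lines = 0;
    while (get_line(&s, buf, BUF, &bufl)) {
        if (buf[bufl - 1] != '\n' && !s.eof) {
            pending += bufl; /* no newline, no EOF seen: read some more */
            continue;
        }
        lines++;             /* stands in for add_next_index_stringl() */
        pending = 0;
    }
    if (flush_tail && pending > 0)
        lines++;             /* emit bytes still held when the loop quits */
    return lines;
}

int main(void) {
    static char out[BUF + 1]; /* constructed sample output, no newline */
    memset(out, 'x', sizeof out);
    for (size_t n = BUF - 2; n <= BUF; n++)
        printf("%zu bytes: quoted loop=%d, with flush=%d\n",
               n, collect_lines(out, n, 0), collect_lines(out, n, 1));
    return 0;
}
```

Only the length that fills the buffer exactly loses its line in this model; one byte shorter or longer lets the reader see EOF in time.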

[2009-10-12 16:57:11] soner at comixwall dot org

Description:
------------
When a shell command returns a specially crafted string, I get an empty
array as $output of exec(), instead of the string. I can very easily
reproduce this issue, please see below for test code.

Reproduce code:
---------------
Put the following lines in bug.php:

<?php
exec('php echostr.php', $output);
print_r($output);
?>

Then put the contents at the following link in echostr.php:
http://comixwall.org/dmdocuments/echostr

Expected result:
----------------
When you execute bug.php, you will get an empty array printed out:

Array
(
)

Actual result:
--------------
Actually, $output should have contained the string above as element 0
of the array.

If you delete or add a character in the string, exec() runs correctly
and you get the intended result. So the issue is specific to this
special string.

The problem is not with the size of the string, because much longer
strings are fine.

Also this issue does *not* exist with passthru(), shell_exec()
functions and backtick operator. Furthermore, exec() return value, i.e.
the last line of shell command output seems fine too (it contains the
string correctly). So I believe the issue is internal to exec(),
affecting $output contents only.

As you can guess, this string is in fact serialized openvpn startup log
lines (I just escaped the single quotes for testing purposes, that's
all), it is not some manually crafted string. Therefore, it is possible
that I may get more than one similar situation in the future.

I have confirmed this issue on OpenBSD, Linux, and Windows. Here are
the versions:

OpenBSD:
PHP 5.2.8 with Suhosin-Patch 0.9.6.3 (cli) (built: Mar  1 2009
10:26:06) 
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
    with Suhosin v0.9.27, Copyright (c) 2007, by SektionEins GmbH

Linux:
PHP 5.2.6-3ubuntu4.2 with Suhosin-Patch 0.9.6.2 (cli) (built: Aug 21
2009 21:43:13) 
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies

Windows:
PHP 5.2.11 (cli) (built: Sep 16 2009 19:39:46)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies

Since the Windows version is without the Suhosin patch, Suhosin as culprit is
ruled out. (Also, to test on Windows, I changed the exec shell command to
'php.exe echostr.php' of course.)



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=49847&edit=1
