hirokawa                                 Thu, 10 Nov 2011 14:19:06 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=318996

Log:
MFH: fixed bug #60116 (escapeshellcmd() cannot escape the characters which 
cause shell command injection).

Bug: https://bugs.php.net/60116 (error getting bug information)
      
Changed paths:
    U   php/php-src/branches/PHP_5_4/NEWS
    U   php/php-src/branches/PHP_5_4/ext/standard/exec.c
    A   
php/php-src/branches/PHP_5_4/ext/standard/tests/general_functions/bug60116.phpt

Modified: php/php-src/branches/PHP_5_4/NEWS
===================================================================
--- php/php-src/branches/PHP_5_4/NEWS   2011-11-10 14:12:48 UTC (rev 318995)
+++ php/php-src/branches/PHP_5_4/NEWS   2011-11-10 14:19:06 UTC (rev 318996)
@@ -24,8 +24,10 @@
   . Fixed bug #60169 (Conjunction of ternary and list crashes PHP).
     (Laruence)
   . Fixed bug #55475 (is_a() triggers autoloader, new optional 3rd argument to
-    is_a and is_subclass_of). (alan_k)
-
+    is_a and is_subclass_of). (alan_k)
+  . Fixed bug #60116 (escapeshellcmd() cannot escape the characters
+     which cause shell command injection). (rui)
+
 - Oracle Database extension (OCI8):
   . Increased maxium Oracle error message buffer length for new 11.2.0.3 size
     (Chris Jones)

Modified: php/php-src/branches/PHP_5_4/ext/standard/exec.c
===================================================================
--- php/php-src/branches/PHP_5_4/ext/standard/exec.c    2011-11-10 14:12:48 UTC 
(rev 318995)
+++ php/php-src/branches/PHP_5_4/ext/standard/exec.c    2011-11-10 14:19:06 UTC 
(rev 318996)
@@ -50,6 +50,16 @@
 #include <unistd.h>
 #endif

+/* {{{ register_exec_constants
+ *  */
+void register_exec_constants(INIT_FUNC_ARGS)
+{
+    REGISTER_LONG_CONSTANT("ESCAPE_CMD_PAIR", ESCAPE_CMD_PAIR, 
CONST_PERSISTENT|CONST_CS);
+    REGISTER_LONG_CONSTANT("ESCAPE_CMD_END", ESCAPE_CMD_END, 
CONST_PERSISTENT|CONST_CS);
+    REGISTER_LONG_CONSTANT("ESCAPE_CMD_ALL", ESCAPE_CMD_ALL, 
CONST_PERSISTENT|CONST_CS);
+}
+/* }}} */
+
 /* {{{ php_exec
  * If type==0, only last line of output is returned (exec)
  * If type==1, all lines will be printed and last lined returned (system)
@@ -238,7 +248,7 @@

    *NOT* safe for binary strings
 */
-PHPAPI char *php_escape_shell_cmd(char *str)
+PHPAPI char *php_escape_shell_cmd_ex(char *str, int flag)
 {
        register int x, y, l = strlen(str);
        char *cmd;
@@ -266,14 +276,26 @@
 #ifndef PHP_WIN32
                        case '"':
                        case '\'':
-                               if (!p && (p = memchr(str + x + 1, str[x], l - 
x - 1))) {
-                                       /* noop */
-                               } else if (p && *p == str[x]) {
-                                       p = NULL;
-                               } else {
+                               if (flag == ESCAPE_CMD_ALL) {
                                        cmd[y++] = '\\';
+                                       cmd[y++] = str[x];
+                               } else if (flag == ESCAPE_CMD_END) {
+                                       if ((x == 0 || x == l - 1) && (str[0] 
== str[l-1])) {
+                                               cmd[y++] = str[x];
+                    } else {
+                        cmd[y++] = '\\';
+                        cmd[y++] = str[x];
+                    }
+                               } else { /* ESCAPE_CMD_PAIR */
+                                       if (!p && (p = memchr(str + x + 1, 
str[x], l - x - 1))) {
+                                               /* noop */
+                                       } else if (p && *p == str[x]) {
+                                               p = NULL;
+                                       } else {
+                                               cmd[y++] = '\\';
+                                       }
+                                       cmd[y++] = str[x];
                                }
-                               cmd[y++] = str[x];
                                break;
 #else
                        /* % is Windows specific for enviromental variables, 
^%PATH% will
@@ -327,6 +349,14 @@
 }
 /* }}} */

+/* {{{ php_escape_shell_cmd
+ */
+PHPAPI char *php_escape_shell_cmd(char *str)
+{
+    return php_escape_shell_cmd_ex(str, ESCAPE_CMD_PAIR);
+}
+/* }}} */
+
 /* {{{ php_escape_shell_arg
  */
 PHPAPI char *php_escape_shell_arg(char *str)
@@ -397,14 +427,15 @@
 {
        char *command;
        int command_len;
+       long flag = ESCAPE_CMD_PAIR;
        char *cmd = NULL;

-       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &command, 
&command_len) == FAILURE) {
+       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &command, 
&command_len, &flag) == FAILURE) {
                return;
        }

        if (command_len) {
-               cmd = php_escape_shell_cmd(command);
+               cmd = php_escape_shell_cmd_ex(command, flag);
                RETVAL_STRING(cmd, 0);
        } else {
                RETVAL_EMPTY_STRING();

Added: 
php/php-src/branches/PHP_5_4/ext/standard/tests/general_functions/bug60116.phpt
===================================================================
--- 
php/php-src/branches/PHP_5_4/ext/standard/tests/general_functions/bug60116.phpt 
                            (rev 0)
+++ 
php/php-src/branches/PHP_5_4/ext/standard/tests/general_functions/bug60116.phpt 
    2011-11-10 14:19:06 UTC (rev 318996)
@@ -0,0 +1,160 @@
+--TEST--
+Test escapeshellcmd() to escape the quotation
+--SKIPIF--
+<?php
+if( substr(PHP_OS, 0, 3) == 'WIN' ) {
+   die('skip...Invalid for Windows');
+}
+?>
+--FILE--
+<?php
+echo "*** Testing escapeshellcmd() escape the quotation ***\n";
+$data = array(
+       '"abc',
+       "'abc",
+       '?<>',
+       '()[]{}$',
+       '%^',
+       '#&;`|*?',
+       '~<>\\',
+       '%NOENV%',
+       "abc' 'def",
+       'abc" "def',
+       "'abc def'",
+       '"abc def"',
+);
+
+echo "case: default\n";
+
+$count = 1;
+foreach ($data AS $value) {
+       echo "-- Test " . $count++ . " --\n";
+       var_dump(escapeshellcmd($value));
+}
+
+echo "case: ESCAPE_CMD_PAIR\n";
+$count = 1;
+foreach ($data AS $value) {
+       echo "-- Test " . $count++ . " --\n";
+       var_dump(escapeshellcmd($value, ESCAPE_CMD_PAIR));
+}
+
+echo "case: ESCAPE_CMD_END\n";
+$count = 1;
+foreach ($data AS $value) {
+       echo "-- Test " . $count++ . " --\n";
+       var_dump(escapeshellcmd($value, ESCAPE_CMD_END));
+}
+
+echo "case: ESCAPE_CMD_ALL\n";
+$count = 1;
+foreach ($data AS $value) {
+       echo "-- Test " . $count++ . " --\n";
+       var_dump(escapeshellcmd($value, ESCAPE_CMD_ALL));
+}
+
+echo "Done\n";
+?>
+--EXPECTF--
+*** Testing escapeshellcmd() escape the quotation ***
+case: default
+-- Test 1 --
+string(5) "\"abc"
+-- Test 2 --
+string(5) "\'abc"
+-- Test 3 --
+string(6) "\?\<\>"
+-- Test 4 --
+string(14) "\(\)\[\]\{\}\$"
+-- Test 5 --
+string(3) "%\^"
+-- Test 6 --
+string(14) "\#\&\;\`\|\*\?"
+-- Test 7 --
+string(8) "\~\<\>\\"
+-- Test 8 --
+string(7) "%NOENV%"
+-- Test 9 --
+string(9) "abc' 'def"
+-- Test 10 --
+string(9) "abc" "def"
+-- Test 11 --
+string(9) "'abc def'"
+-- Test 12 --
+string(9) ""abc def""
+case: ESCAPE_CMD_PAIR
+-- Test 1 --
+string(5) "\"abc"
+-- Test 2 --
+string(5) "\'abc"
+-- Test 3 --
+string(6) "\?\<\>"
+-- Test 4 --
+string(14) "\(\)\[\]\{\}\$"
+-- Test 5 --
+string(3) "%\^"
+-- Test 6 --
+string(14) "\#\&\;\`\|\*\?"
+-- Test 7 --
+string(8) "\~\<\>\\"
+-- Test 8 --
+string(7) "%NOENV%"
+-- Test 9 --
+string(9) "abc' 'def"
+-- Test 10 --
+string(9) "abc" "def"
+-- Test 11 --
+string(9) "'abc def'"
+-- Test 12 --
+string(9) ""abc def""
+case: ESCAPE_CMD_END
+-- Test 1 --
+string(5) "\"abc"
+-- Test 2 --
+string(5) "\'abc"
+-- Test 3 --
+string(6) "\?\<\>"
+-- Test 4 --
+string(14) "\(\)\[\]\{\}\$"
+-- Test 5 --
+string(3) "%\^"
+-- Test 6 --
+string(14) "\#\&\;\`\|\*\?"
+-- Test 7 --
+string(8) "\~\<\>\\"
+-- Test 8 --
+string(7) "%NOENV%"
+-- Test 9 --
+string(11) "abc\' \'def"
+-- Test 10 --
+string(11) "abc\" \"def"
+-- Test 11 --
+string(9) "'abc def'"
+-- Test 12 --
+string(9) ""abc def""
+case: ESCAPE_CMD_ALL
+-- Test 1 --
+string(5) "\"abc"
+-- Test 2 --
+string(5) "\'abc"
+-- Test 3 --
+string(6) "\?\<\>"
+-- Test 4 --
+string(14) "\(\)\[\]\{\}\$"
+-- Test 5 --
+string(3) "%\^"
+-- Test 6 --
+string(14) "\#\&\;\`\|\*\?"
+-- Test 7 --
+string(8) "\~\<\>\\"
+-- Test 8 --
+string(7) "%NOENV%"
+-- Test 9 --
+string(11) "abc\' \'def"
+-- Test 10 --
+string(11) "abc\" \"def"
+-- Test 11 --
+string(11) "\'abc def\'"
+-- Test 12 --
+string(11) "\"abc def\""
+Done


Property changes on: 
php/php-src/branches/PHP_5_4/ext/standard/tests/general_functions/bug60116.phpt
___________________________________________________________________
Added: svn:keywords
   + Id Rev Revision
Added: svn:eol-style
   + native

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to