hirokawa                                 Fri, 11 Nov 2011 14:52:56 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=319057

Log:
revert changes to fix bug #60116.

Bug: https://bugs.php.net/60116 (Assigned) escapeshellcmd() cannot escape the 
chars which causes shell injection.
      
Changed paths:
    U   php/php-src/branches/PHP_5_4/NEWS
    U   php/php-src/branches/PHP_5_4/ext/standard/basic_functions.c
    U   php/php-src/branches/PHP_5_4/ext/standard/exec.c
    U   php/php-src/branches/PHP_5_4/ext/standard/exec.h
    D   
php/php-src/branches/PHP_5_4/ext/standard/tests/general_functions/bug60116.phpt

Modified: php/php-src/branches/PHP_5_4/NEWS
===================================================================
--- php/php-src/branches/PHP_5_4/NEWS   2011-11-11 14:44:06 UTC (rev 319056)
+++ php/php-src/branches/PHP_5_4/NEWS   2011-11-11 14:52:56 UTC (rev 319057)
@@ -3,8 +3,6 @@
 ?? ??? 2011, PHP 5.4.0 RC2

 - Core:
-  . Fixed bug #60116 (escapeshellcmd() cannot escape the characters
-     which cause shell command injection). (rui)
   . Fixed bug #60227 (header() cannot detect the multi-line header with
      CR(0x0D)). (rui)


Modified: php/php-src/branches/PHP_5_4/ext/standard/basic_functions.c
===================================================================
--- php/php-src/branches/PHP_5_4/ext/standard/basic_functions.c 2011-11-11 
14:44:06 UTC (rev 319056)
+++ php/php-src/branches/PHP_5_4/ext/standard/basic_functions.c 2011-11-11 
14:52:56 UTC (rev 319057)
@@ -3583,7 +3583,6 @@
 #endif

        register_phpinfo_constants(INIT_FUNC_ARGS_PASSTHRU);
-       register_exec_constants(INIT_FUNC_ARGS_PASSTHRU);
        register_html_constants(INIT_FUNC_ARGS_PASSTHRU);
        register_string_constants(INIT_FUNC_ARGS_PASSTHRU);


Modified: php/php-src/branches/PHP_5_4/ext/standard/exec.c
===================================================================
--- php/php-src/branches/PHP_5_4/ext/standard/exec.c    2011-11-11 14:44:06 UTC 
(rev 319056)
+++ php/php-src/branches/PHP_5_4/ext/standard/exec.c    2011-11-11 14:52:56 UTC 
(rev 319057)
@@ -50,16 +50,6 @@
 #include <unistd.h>
 #endif

-/* {{{ register_exec_constants
- *  */
-void register_exec_constants(INIT_FUNC_ARGS)
-{
-    REGISTER_LONG_CONSTANT("ESCAPE_CMD_PAIR", ESCAPE_CMD_PAIR, 
CONST_PERSISTENT|CONST_CS);
-    REGISTER_LONG_CONSTANT("ESCAPE_CMD_END", ESCAPE_CMD_END, 
CONST_PERSISTENT|CONST_CS);
-    REGISTER_LONG_CONSTANT("ESCAPE_CMD_ALL", ESCAPE_CMD_ALL, 
CONST_PERSISTENT|CONST_CS);
-}
-/* }}} */
-
 /* {{{ php_exec
  * If type==0, only last line of output is returned (exec)
  * If type==1, all lines will be printed and last lined returned (system)
@@ -248,7 +238,7 @@

    *NOT* safe for binary strings
 */
-PHPAPI char *php_escape_shell_cmd_ex(char *str, int flag)
+PHPAPI char *php_escape_shell_cmd(char *str)
 {
        register int x, y, l = strlen(str);
        char *cmd;
@@ -276,25 +266,13 @@
 #ifndef PHP_WIN32
                        case '"':
                        case '\'':
-                               if (flag == ESCAPE_CMD_ALL) {
+                               if (!p && (p = memchr(str + x + 1, str[x], l - 
x - 1))) {
+                                       /* noop */
+                               } else if (p && *p == str[x]) {
+                                       p = NULL;
+                               } else {
                                        cmd[y++] = '\\';
                                        cmd[y++] = str[x];
-                               } else if (flag == ESCAPE_CMD_END) {
-                                       if ((x == 0 || x == l - 1) && (str[0] 
== str[l-1])) {
-                                               cmd[y++] = str[x];
-                    } else {
-                        cmd[y++] = '\\';
-                        cmd[y++] = str[x];
-                    }
-                               } else { /* ESCAPE_CMD_PAIR */
-                                       if (!p && (p = memchr(str + x + 1, 
str[x], l - x - 1))) {
-                                               /* noop */
-                                       } else if (p && *p == str[x]) {
-                                               p = NULL;
-                                       } else {
-                                               cmd[y++] = '\\';
-                                       }
-                                       cmd[y++] = str[x];
                                }
                                break;
 #else
@@ -349,14 +327,6 @@
 }
 /* }}} */

-/* {{{ php_escape_shell_cmd
- */
-PHPAPI char *php_escape_shell_cmd(char *str)
-{
-    return php_escape_shell_cmd_ex(str, ESCAPE_CMD_PAIR);
-}
-/* }}} */
-
 /* {{{ php_escape_shell_arg
  */
 PHPAPI char *php_escape_shell_arg(char *str)
@@ -427,15 +397,14 @@
 {
        char *command;
        int command_len;
-       long flag = ESCAPE_CMD_PAIR;
        char *cmd = NULL;

-       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &command, 
&command_len, &flag) == FAILURE) {
+       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &command, 
&command_len) == FAILURE) {
                return;
        }

        if (command_len) {
-               cmd = php_escape_shell_cmd_ex(command, flag);
+               cmd = php_escape_shell_cmd(command);
                RETVAL_STRING(cmd, 0);
        } else {
                RETVAL_EMPTY_STRING();

Modified: php/php-src/branches/PHP_5_4/ext/standard/exec.h
===================================================================
--- php/php-src/branches/PHP_5_4/ext/standard/exec.h    2011-11-11 14:44:06 UTC 
(rev 319056)
+++ php/php-src/branches/PHP_5_4/ext/standard/exec.h    2011-11-11 14:52:56 UTC 
(rev 319057)
@@ -21,10 +21,6 @@
 #ifndef EXEC_H
 #define EXEC_H

-#define ESCAPE_CMD_PAIR  0
-#define ESCAPE_CMD_END   1
-#define ESCAPE_CMD_ALL   2
-
 PHP_FUNCTION(system);
 PHP_FUNCTION(exec);
 PHP_FUNCTION(escapeshellcmd);

Deleted: 
php/php-src/branches/PHP_5_4/ext/standard/tests/general_functions/bug60116.phpt
===================================================================
--- 
php/php-src/branches/PHP_5_4/ext/standard/tests/general_functions/bug60116.phpt 
    2011-11-11 14:44:06 UTC (rev 319056)
+++ 
php/php-src/branches/PHP_5_4/ext/standard/tests/general_functions/bug60116.phpt 
    2011-11-11 14:52:56 UTC (rev 319057)
@@ -1,160 +0,0 @@
---TEST--
-Test escapeshellcmd() to escape the quotation
---SKIPIF--
-<?php
-if( substr(PHP_OS, 0, 3) == 'WIN' ) {
-   die('skip...Invalid for Windows');
-}
-?>
---FILE--
-<?php
-echo "*** Testing escapeshellcmd() escape the quotation ***\n";
-$data = array(
-       '"abc',
-       "'abc",
-       '?<>',
-       '()[]{}$',
-       '%^',
-       '#&;`|*?',
-       '~<>\\',
-       '%NOENV%',
-       "abc' 'def",
-       'abc" "def',
-       "'abc def'",
-       '"abc def"',
-);
-
-echo "case: default\n";
-
-$count = 1;
-foreach ($data AS $value) {
-       echo "-- Test " . $count++ . " --\n";
-       var_dump(escapeshellcmd($value));
-}
-
-echo "case: ESCAPE_CMD_PAIR\n";
-$count = 1;
-foreach ($data AS $value) {
-       echo "-- Test " . $count++ . " --\n";
-       var_dump(escapeshellcmd($value, ESCAPE_CMD_PAIR));
-}
-
-echo "case: ESCAPE_CMD_END\n";
-$count = 1;
-foreach ($data AS $value) {
-       echo "-- Test " . $count++ . " --\n";
-       var_dump(escapeshellcmd($value, ESCAPE_CMD_END));
-}
-
-echo "case: ESCAPE_CMD_ALL\n";
-$count = 1;
-foreach ($data AS $value) {
-       echo "-- Test " . $count++ . " --\n";
-       var_dump(escapeshellcmd($value, ESCAPE_CMD_ALL));
-}
-
-echo "Done\n";
-?>
---EXPECTF--
-*** Testing escapeshellcmd() escape the quotation ***
-case: default
--- Test 1 --
-string(5) "\"abc"
--- Test 2 --
-string(5) "\'abc"
--- Test 3 --
-string(6) "\?\<\>"
--- Test 4 --
-string(14) "\(\)\[\]\{\}\$"
--- Test 5 --
-string(3) "%\^"
--- Test 6 --
-string(14) "\#\&\;\`\|\*\?"
--- Test 7 --
-string(8) "\~\<\>\\"
--- Test 8 --
-string(7) "%NOENV%"
--- Test 9 --
-string(9) "abc' 'def"
--- Test 10 --
-string(9) "abc" "def"
--- Test 11 --
-string(9) "'abc def'"
--- Test 12 --
-string(9) ""abc def""
-case: ESCAPE_CMD_PAIR
--- Test 1 --
-string(5) "\"abc"
--- Test 2 --
-string(5) "\'abc"
--- Test 3 --
-string(6) "\?\<\>"
--- Test 4 --
-string(14) "\(\)\[\]\{\}\$"
--- Test 5 --
-string(3) "%\^"
--- Test 6 --
-string(14) "\#\&\;\`\|\*\?"
--- Test 7 --
-string(8) "\~\<\>\\"
--- Test 8 --
-string(7) "%NOENV%"
--- Test 9 --
-string(9) "abc' 'def"
--- Test 10 --
-string(9) "abc" "def"
--- Test 11 --
-string(9) "'abc def'"
--- Test 12 --
-string(9) ""abc def""
-case: ESCAPE_CMD_END
--- Test 1 --
-string(5) "\"abc"
--- Test 2 --
-string(5) "\'abc"
--- Test 3 --
-string(6) "\?\<\>"
--- Test 4 --
-string(14) "\(\)\[\]\{\}\$"
--- Test 5 --
-string(3) "%\^"
--- Test 6 --
-string(14) "\#\&\;\`\|\*\?"
--- Test 7 --
-string(8) "\~\<\>\\"
--- Test 8 --
-string(7) "%NOENV%"
--- Test 9 --
-string(11) "abc\' \'def"
--- Test 10 --
-string(11) "abc\" \"def"
--- Test 11 --
-string(9) "'abc def'"
--- Test 12 --
-string(9) ""abc def""
-case: ESCAPE_CMD_ALL
--- Test 1 --
-string(5) "\"abc"
--- Test 2 --
-string(5) "\'abc"
--- Test 3 --
-string(6) "\?\<\>"
--- Test 4 --
-string(14) "\(\)\[\]\{\}\$"
--- Test 5 --
-string(3) "%\^"
--- Test 6 --
-string(14) "\#\&\;\`\|\*\?"
--- Test 7 --
-string(8) "\~\<\>\\"
--- Test 8 --
-string(7) "%NOENV%"
--- Test 9 --
-string(11) "abc\' \'def"
--- Test 10 --
-string(11) "abc\" \"def"
--- Test 11 --
-string(11) "\'abc def\'"
--- Test 12 --
-string(11) "\"abc def\""
-Done

-- 
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to