ID: 13843
Comment by: [EMAIL PROTECTED]
Old Reported By: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Program Execution
Operating System: Unix
PHP Version: 4.0.6
New Comment:

I understand that pipes and redirections could break the point of using safe_mode but, what I can't understand, is how a space in an argument can make the system vulnerable...

Previous Comments:
------------------------------------------------------------------------

[2001-10-29 16:27:41] [EMAIL PROTECTED]

Rats! I meant to say "to standard out" in the last sentence.

------------------------------------------------------------------------

[2001-10-29 16:23:58] [EMAIL PROTECTED]

Rasmus, what you are saying about shell redirection being a threat under safe mode makes sense. But how about being able to pass parameters with spaces in them? I cannot see any security implication in that...

In any case, I want to be able to read standard error from the command I'm executing...

How about providing a PHP variant of C's execv() in PHP, so that I could pass it an array of parameters? And, perhaps, add a flag to existing program execution functions to duplicate standard error to standard in.

------------------------------------------------------------------------

[2001-10-29 16:14:34] [EMAIL PROTECTED]

I forgot to add that it appears that this bug is not Solaris-specific, but, rather, safe mode specific.

------------------------------------------------------------------------

[2001-10-29 16:14:31] [EMAIL PROTECTED]

Well, not being able to use shell redirection and command line args in safe-mode makes a lot of sense. You could trivially circumvent the safe-mode restrictions if you were allowed to do this. Basically safe-mode only allows system calls to very limited things. Basically prepared scripts placed in the safe-mode-exec-dir. I don't see how we could allow arguments and redirects and still maintain the point behind safe-mode.

------------------------------------------------------------------------

[2001-10-29 16:09:44] [EMAIL PROTECTED]

I've looked into this further, and here's the scoop.
Under safe mode, PHP uses the php_escape_shell_cmd() function to escape any command passed to program execution functions. As a result, if I pass a command like this:

    /www/bin/foo "bar c" 2>&1

it will turn it into

    /www/bin/foo \"bar c\" 2\>\&1

I, as a PHP developer, have no control over this under safe mode. Among other things, this means that I cannot pass my program an argument containing spaces, nor can I use shell redirection machinery.

I propose a patch like below to inhibit this automatic escaping.

diff -rc php-4.0.6-orig/ext/standard/exec.c php-4.0.6/ext/standard/exec.c *** php-4.0.6-orig/ext/standard/exec.c Mon Apr 30 08:43:39 2001 --- php-4.0.6/ext/standard/exec.c Mon Oct 29 15:31:06 2001 *************** *** 92,100 **** *c = ' '; strncat(d, c, overflow_limit); } - tmp = php_escape_shell_cmd(d); - efree(d); - d = tmp; #if PHP_SIGCHILD sig_handler = signal (SIGCHLD, SIG_DFL); #endif --- 92,97 ----

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/?id=13843

--
PHP Development Mailing List <http://www.php.net/>
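
Review bot: the three lines removed after `strncat(d, c, overflow_limit);` are the only escaping visible on `d` in this block, and dropping them unconditionally passes the whole string to the shell unescaped, so `;`, `|`, backticks and redirections get through along with the quoted argument the report is about. Under safe mode that undoes the restriction described earlier in the thread. Consider keeping the `php_escape_shell_cmd(d)` call for the command and handling arguments separately, for example by escaping each argument on its own or by adding the array-taking execv()-style function proposed above. Also check whether `tmp` is still used elsewhere in the function once these lines are gone; if not, its declaration should be removed too.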
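
An added illustration of the two mechanisms discussed in this thread (not code from the PHP source or from any participant): a simplified model of whole-command escaping that reproduces the `\"bar c\"` result from the report, and an execv()-style runner that takes an argument array and merges standard error into standard output without involving a shell. The function names `escape_whole_cmd` and `run_argv`, the metacharacter list and the `/bin/sh` sample command are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Model of whole-command escaping (assumed, not PHP's source); caller frees. */
char *escape_whole_cmd(const char *cmd) {
    char *out = malloc(2 * strlen(cmd) + 1), *p = out;
    if (!out) return NULL;
    for (; *cmd; cmd++) {
        if (strchr("\"'#&;`|*?~<>^()[]{}$\\\n", *cmd)) *p++ = '\\';
        *p++ = *cmd;
    }
    *p = '\0';
    return out;
}

/* execv-style runner: argv reaches the program untouched by any shell, and
 * stdout and stderr share one pipe. Returns exit status, or -1 on error. */
int run_argv(char *const argv[], char *buf, size_t cap) {
    int fds[2], status;
    size_t used = 0; ssize_t n; pid_t pid;
    if (cap == 0 || pipe(fds) < 0) return -1;
    if ((pid = fork()) < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                      /* child: "2>&1" without a shell */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        dup2(fds[1], STDERR_FILENO);
        close(fds[1]);
        execv(argv[0], argv);
        _exit(127);                      /* exec failed */
    }
    close(fds[1]);
    while (used + 1 < cap && (n = read(fds[0], buf + used, cap - 1 - used)) > 0)
        used += (size_t)n;
    buf[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample: the command from the report, and a child that
     * writes its single space-containing argument to standard error. */
    char out[64], *esc = escape_whole_cmd("/www/bin/foo \"bar c\" 2>&1");
    char *argv[] = { "/bin/sh", "-c", "echo \"$1\" >&2", "sh", "bar c", NULL };
    int rc = run_argv(argv, out, sizeof out);
    printf("escaped: %s\nrc=%d output: %s", esc ? esc : "(oom)", rc, out);
    free(esc);
}
```

Because the array form never builds a command string, the space in `bar c` needs no quoting and there is nothing for shell metacharacters to act on.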