
From c527549e899bf211aac7d8ab5ceb1bdfedf07f14 Mon Sep 17 00:00:00 2001
From: Anatol Belski <ab@php.net>
Date: Tue, 12 Jan 2016 14:57:22 +0100
Subject: [PATCH] Fixed bug #71039 exec functions ignore length but look for
NULL termination
[roberto@debian.org: backported to 5.4.45]
Bug: https://bugs.php.net/bug.php?id=71039
Origin: backport, https://git.php.net/?p=php-src.git;a=commitdiff;h=c527549e899bf211aac7d8ab5ceb1bdfedf07f14
---
ext/standard/exec.c | 8 ++++++++
.../tests/general_functions/escapeshellarg_bug71039.phpt | 10 ++++++++++
.../tests/general_functions/escapeshellcmd_bug71039.phpt | 10 ++++++++++
3 files changed, 28 insertions(+)
create mode 100644 ext/standard/tests/general_functions/escapeshellarg_bug71039.phpt
create mode 100644 ext/standard/tests/general_functions/escapeshellcmd_bug71039.phpt
--- /dev/null
+++ php5.git/ext/standard/tests/general_functions/escapeshellarg_bug71039.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Test escapeshellarg() string with \0 bytes
+--FILE--
+<?php
+escapeshellarg("hello\0world");
+
+?>
+===DONE===
+--EXPECTF--
+Fatal error: escapeshellarg(): Input string contains NULL bytes in %s on line %d
--- /dev/null
+++ php5.git/ext/standard/tests/general_functions/escapeshellcmd_bug71039.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Test escapeshellcmd() string with \0 bytes
+--FILE--
+<?php
+escapeshellcmd("hello\0world");
+
+?>
+===DONE===
+--EXPECTF--
+Fatal error: escapeshellcmd(): Input string contains NULL bytes in %s on line %d
--- php5.git.orig/ext/standard/exec.c
+++ php5.git/ext/standard/exec.c
@@ -418,6 +418,10 @@
}
if (command_len) {
+ if (command_len != strlen(command)) {
+ php_error_docref(NULL, E_ERROR, "Input string contains NULL bytes");
+ return;
+ }
cmd = php_escape_shell_cmd(command);
RETVAL_STRING(cmd, 0);
} else {
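Review bot: Both added `php_error_docref(NULL, E_ERROR, ...)` calls, here and in the second exec.c hunk, omit the thread-safety argument that PHP 5.x call sites normally pass. The patch header says this is a backport to 5.4.45, where, as far as I know, the function is declared with `TSRMLS_DC` after the first parameter. If so, a ZTS build would see the arguments shifted by one and fail to compile cleanly, while a non-ZTS build hides the problem. I would write `php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input string contains NULL bytes");` in both places. The enclosing functions start and end outside the hunks, so check the neighbouring calls in the file to confirm the convention.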
@@ -439,6 +443,10 @@
}
if (argument) {
+ if (argument_len != strlen(argument)) {
+ php_error_docref(NULL, E_ERROR, "Input string contains NULL bytes");
+ return;
+ }
cmd = php_escape_shell_arg(argument);
RETVAL_STRING(cmd, 0);
}
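Review bot: The new length check in this hunk, like its twin in the first exec.c hunk, has no comment explaining why a mismatch between `argument_len` and `strlen(argument)` is fatal. The reason is visible only indirectly: `php_escape_shell_arg(argument)` receives just the pointer, so it can only process bytes up to the first NUL and the rest of the caller's string would be dropped without notice. I would add `/* escaper takes no length: reject embedded NUL instead of escaping a truncated string */` above each check so the guard is not later removed as redundant. The function body begins and ends outside the hunk.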