Add NULL byte protection to exec, system and passthru

Yasuo Ohgaki · Yasuo Ohgaki · commit a8722f533050 · 2015-02-14T05:25:04.000+09:00
diff --git a/ext/standard/exec.c b/ext/standard/exec.c
@@ -188,6 +188,10 @@ static void php_exec_ex(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot execute a blank command");
 		RETURN_FALSE;
 	}
+	if (strlen(cmd) != cmd_len) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "NULL byte detected. Possible attack");
+		RETURN_FALSE;
+	}
 
 	if (!ret_array) {
 		ret = php_exec(mode, cmd, NULL, return_value TSRMLS_CC);
diff --git a/ext/standard/tests/misc/exec_basic1.phpt b/ext/standard/tests/misc/exec_basic1.phpt
@@ -0,0 +1,25 @@
+--TEST--
+exec, system, passthru  — Basic command execution functions
+--SKIPIF--
+<?php
+// If this does not work for Windows, please uncomment or fix test
+// if(substr(PHP_OS, 0, 3) == "WIN") die("skip not for Windows");
+?>
+--FILE--
+<?php
+$cmd = "echo abc\n\0command";
+var_dump(exec($cmd, $output));
+var_dump($output);
+var_dump(system($cmd));
+var_dump(passthru($cmd));
+?>
+--EXPECTF--
+Warning: exec(): NULL byte detected. Possible attack in %s on line %d
+bool(false)
+NULL
+
+Warning: system(): NULL byte detected. Possible attack in %s on line %d
+bool(false)
+
+Warning: passthru(): NULL byte detected. Possible attack in %s on line %d
+bool(false)
