Fix bug #79330 - make all execution modes consistent in rejecting \0

(cherry picked from commit 14fcc813948254b84f382ff537247d8a7e5e0e62)
author: Stanislav Malyshev <stas@php.net> 2020-04-13 21:00:44 -0700
committer: Christoph M. Becker <cmbecker69@gmx.de> 2020-04-14 09:00:36 +0200
commit: 242589457b07173abb36e3ef0da5e57e077d2f87 (patch)
tree: 5c2d7fe6955f9ca74ce75b4fdc5780daf50da007
parent: ad5b00aea9680384c45dc46260750dc859b21869 (diff)
download: php-git-242589457b07173abb36e3ef0da5e57e077d2f87.tar.gz
2 files changed, 10 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 4d60d21f92..e195c79e45 100644
--- a/NEWS
+++ b/NEWS
@@ -35,6 +35,7 @@ PHP                                                                        NEWS
     (cmb)
 
 - Standard:
+  . Fixed bug #79330 (shell_exec() silently truncates after a null byte). (stas)
   . Fixed bug #79410 (system() swallows last chunk if it is exactly 4095 bytes
     without newline). (Christian Schneider)
 
diff --git a/ext/standard/exec.c b/ext/standard/exec.c
index 7f8ce817e4..0591dcf4e0 100644
--- a/ext/standard/exec.c
+++ b/ext/standard/exec.c
@@ -537,6 +537,15 @@ PHP_FUNCTION(shell_exec)
 		Z_PARAM_STRING(command, command_len)
 	ZEND_PARSE_PARAMETERS_END();
 
+	if (!command_len) {
+		php_error_docref(NULL, E_WARNING, "Cannot execute a blank command");
+		RETURN_FALSE;
+	}
+	if (strlen(command) != command_len) {
+		php_error_docref(NULL, E_WARNING, "NULL byte detected. Possible attack");
+		RETURN_FALSE;
+	}
+
 #ifdef PHP_WIN32
 	if ((in=VCWD_POPEN(command, "rt"))==NULL) {
 #else
author	Stanislav Malyshev <stas@php.net>	2020-04-13 21:00:44 -0700
committer	Christoph M. Becker <cmbecker69@gmx.de>	2020-04-14 09:00:36 +0200
commit	242589457b07173abb36e3ef0da5e57e077d2f87 (patch)
tree	5c2d7fe6955f9ca74ce75b4fdc5780daf50da007
parent	ad5b00aea9680384c45dc46260750dc859b21869 (diff)
download	php-git-242589457b07173abb36e3ef0da5e57e077d2f87.tar.gz