diff options
author | Stanislav Malyshev <stas@php.net> | 2020-04-13 21:00:44 -0700 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2020-04-14 09:00:36 +0200 |
commit | 242589457b07173abb36e3ef0da5e57e077d2f87 (patch) | |
tree | 5c2d7fe6955f9ca74ce75b4fdc5780daf50da007 | |
parent | ad5b00aea9680384c45dc46260750dc859b21869 (diff) | |
download | php-git-242589457b07173abb36e3ef0da5e57e077d2f87.tar.gz |
Fix bug #79330 - make all execution modes consistent in rejecting \0
(cherry picked from commit 14fcc813948254b84f382ff537247d8a7e5e0e62)
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | ext/standard/exec.c | 9 |
2 files changed, 10 insertions, 0 deletions
@@ -35,6 +35,7 @@ PHP NEWS (cmb) - Standard: + . Fixed bug #79330 (shell_exec() silently truncates after a null byte). (stas) . Fixed bug #79410 (system() swallows last chunk if it is exactly 4095 bytes without newline). (Christian Schneider) diff --git a/ext/standard/exec.c b/ext/standard/exec.c index 7f8ce817e4..0591dcf4e0 100644 --- a/ext/standard/exec.c +++ b/ext/standard/exec.c @@ -537,6 +537,15 @@ PHP_FUNCTION(shell_exec) Z_PARAM_STRING(command, command_len) ZEND_PARSE_PARAMETERS_END(); + if (!command_len) { + php_error_docref(NULL, E_WARNING, "Cannot execute a blank command"); + RETURN_FALSE; + } + if (strlen(command) != command_len) { + php_error_docref(NULL, E_WARNING, "NULL byte detected. Possible attack"); + RETURN_FALSE; + } + #ifdef PHP_WIN32 if ((in=VCWD_POPEN(command, "rt"))==NULL) { #else |