Fixed bug #19313

Fixed argument count check for system/exec/passthru functions
Added a check to system/exec/passthru functions to make sure execution
parameter is not blank before attempting to execute it.

diff --git a/ext/standard/exec.c b/ext/standard/exec.c
index a061266092ca0aae9f891c502932935a16a5d699..a855040a99910714671a6256ba0646f59c9f4046 100644 (file)
--- a/ext/standard/exec.c
+++ b/ext/standard/exec.c
@@ -309,9 +309,14 @@ PHP_FUNCTION(exec)
        int arg_count = ZEND_NUM_ARGS();
        int ret;
 
-       if (arg_count > 3 || zend_get_parameters_ex(arg_count, &arg1, &arg2, &arg3) == FAILURE) {
+       if (arg_count < 1 || arg_count > 3 || zend_get_parameters_ex(arg_count, &arg1, &arg2, &arg3) == FAILURE) {
                WRONG_PARAM_COUNT;
        }
+       
+       if (!Z_STRLEN_PP(arg1)) {
+               PHP_EMPTY_EXEC_PARAM;
+       }
+       
        switch (arg_count) {
                case 1:
                        ret = php_Exec(0, Z_STRVAL_PP(arg1), NULL, return_value TSRMLS_CC);
@@ -337,9 +342,14 @@ PHP_FUNCTION(system)
        int arg_count = ZEND_NUM_ARGS();
        int ret;
 
-       if (arg_count > 2 || zend_get_parameters_ex(arg_count, &arg1, &arg2) == FAILURE) {
+       if (arg_count < 1 || arg_count > 2 || zend_get_parameters_ex(arg_count, &arg1, &arg2) == FAILURE) {
                WRONG_PARAM_COUNT;
        }
+       
+       if (!Z_STRLEN_PP(arg1)) {
+               PHP_EMPTY_EXEC_PARAM;
+       }
+       
        switch (arg_count) {
                case 1:
                        ret = php_Exec(1, Z_STRVAL_PP(arg1), NULL, return_value TSRMLS_CC);
@@ -361,9 +371,14 @@ PHP_FUNCTION(passthru)
        int arg_count = ZEND_NUM_ARGS();
        int ret;
 
-       if (arg_count > 2 || zend_get_parameters_ex(arg_count, &arg1, &arg2) == FAILURE) {
+       if (arg_count < 1 || arg_count > 2 || zend_get_parameters_ex(arg_count, &arg1, &arg2) == FAILURE) {
                WRONG_PARAM_COUNT;
        }
+       
+       if (!Z_STRLEN_PP(arg1)) {
+               PHP_EMPTY_EXEC_PARAM;
+       }
+       
        switch (arg_count) {
                case 1:
                        ret = php_Exec(3, Z_STRVAL_PP(arg1), NULL, return_value TSRMLS_CC);

diff --git a/ext/standard/exec.h b/ext/standard/exec.h
index 3f538955176ff4ea4ae7df2d6e742d837f11bcce..c1da04bd5af6d6969f9c9e9de28422fe6089dca2 100644 (file)
--- a/ext/standard/exec.h
+++ b/ext/standard/exec.h
@@ -35,4 +35,6 @@ char *php_escape_shell_cmd(char *);
 char *php_escape_shell_arg(char *);
 int php_Exec(int type, char *cmd, pval *array, pval *return_value TSRMLS_DC);
 
+#define PHP_EMPTY_EXEC_PARAM { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot execute a blank command"); RETURN_FALSE; }
+
 #endif /* EXEC_H */