Add NULL byte protection to exec, system and passthru
authorYasuo Ohgaki <yohgaki@php.net>
Fri, 13 Feb 2015 20:25:04 +0000 (05:25 +0900)
committerYasuo Ohgaki <yohgaki@php.net>
Fri, 13 Feb 2015 20:25:04 +0000 (05:25 +0900)
ext/standard/exec.c
ext/standard/tests/misc/exec_basic1.phpt [new file with mode: 0644]

index f8a22adf39a57e1d60967cb7e22f815e78c00d81..d6938a480950b8d72dc849ed070e501b271bcaf5 100644 (file)
@@ -188,6 +188,10 @@ static void php_exec_ex(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot execute a blank command");
                RETURN_FALSE;
        }
+       if (strlen(cmd) != cmd_len) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "NULL byte detected. Possible attack");
+               RETURN_FALSE;
+       }
 
        if (!ret_array) {
                ret = php_exec(mode, cmd, NULL, return_value TSRMLS_CC);
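Review bot: The new length check in php_exec_ex has no comment saying why a mismatch between `strlen(cmd)` and `cmd_len` is rejected; I would add `/* cmd is passed on as a C string without its length, so an embedded NUL would truncate the command that actually runs */` above the `if`. The comparison also mixes strlen()'s size_t with `cmd_len`, whose declaration is outside the hunk; if it is a signed int, writing `strlen(cmd) != (size_t)cmd_len` avoids a sign-compare warning. The guard sits only in php_exec_ex, so any other command-execution entry point in this file that does not route through it would presumably need the same check, which is worth confirming. php_exec_ex starts and ends outside the hunk.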
diff --git a/ext/standard/tests/misc/exec_basic1.phpt b/ext/standard/tests/misc/exec_basic1.phpt
new file mode 100644 (file)
index 0000000..514c116
--- /dev/null
@@ -0,0 +1,25 @@
+--TEST--
+exec, system, passthru  — Basic command execution functions
+--SKIPIF--
+<?php
+// If this does not work for Windows, please uncomment or fix test
+// if(substr(PHP_OS, 0, 3) == "WIN") die("skip not for Windows");
+?>
+--FILE--
+<?php
+$cmd = "echo abc\n\0command";
+var_dump(exec($cmd, $output));
+var_dump($output);
+var_dump(system($cmd));
+var_dump(passthru($cmd));
+?>
+--EXPECTF--
+Warning: exec(): NULL byte detected. Possible attack in %s on line %d
+bool(false)
+NULL
+
+Warning: system(): NULL byte detected. Possible attack in %s on line %d
+bool(false)
+
+Warning: passthru(): NULL byte detected. Possible attack in %s on line %d
+bool(false)
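Review bot: The test exercises only the rejection path, with a single payload whose NUL follows a newline, so it would still pass if the guard rejected every command. A positive control such as `var_dump(exec("echo abc"));` with expected output `string(3) "abc"` would pin that ordinary commands still run. The --TEST-- title reads as a generic smoke test; something like `exec, system, passthru — commands containing a NUL byte are rejected` says what is being checked. The --SKIPIF-- section holds only commented-out code, so it should either be dropped or turned into a real platform check.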