PHP :: Bug #18291 :: exec() arguments (+suggested solution)

Bug #18291

exec() arguments (+suggested solution)

Submitted:

2002-07-11 22:44 UTC

Modified:

2003-08-05 15:17 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

php dot hc at saustrup dot net

Assigned:

Status:

Closed

Package:

Program Execution

PHP Version:

4.3.3RC2-dev

OS:

RedHat Linux 7.3

Private report:

CVE-ID:

None

[2002-07-11 22:44 UTC] php dot hc at saustrup dot net

This kept me up all night :-) I needed to pass a textstring to an external program, and did something like this in PHP:

exec('/usr/bin/binary 1 2 3 "a b c" 4 5 6');

It kept screwing up, and after debugging it I realized that the exec() function actually called /usr/bin/binary with 9 arguments, and not 7 as I thought it would. Apparently PHP's exec() just splits up the string where it finds whitespaces and thinks they're different arguments. I'm not sure about the proper solution, but it would be awesome with a more "strict" exec()-like function that could work something like this:

newexec('/usr/bin/binary',array('1','2','3','a b c','4','5','6'));

That way, there would be NO doubt about the arguments :-)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-07-12 18:51 UTC] sniper@php.net

FYI: PHP uses popen(), not execve()..

In 4.2.1 there is pcntl_exec() which behaves similarly to
the system execve. Maybe that's what you want to use..?


Try these scripts:

shell_args_1arg.php:
<?php echo exec('./test.sh "213 123"'); ?>

shell_args_2arg.php:
<?php echo exec('./test.sh 213 123'); ?>

test.sh:
<----8<---->
#!/bin/sh

echo $1
<----8<---->

[2002-07-19 20:09 UTC] php dot hc at saustrup dot net

I tried what you suggested, and this is what came out:

Script 1: "213
Script 2: 213

I'm a security freak, so I have safe_mode enabled. Apparently safe_mode is infact the cause of this error, because when I disabled it in php.ini, the two scripts worked like you suggested:

Script 1: 213 123
Script 2: 213

Please test this yourself and post the results.

[2002-07-19 20:56 UTC] sniper@php.net

Seems like safe-mode does mess up the parameters.
I'm not sure if this is actually the correct behaviour...

[2003-08-05 15:17 UTC] iliaa@php.net

This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.