[PHP] exec() confused by a specially crafted string

2009-10-12 Thread Soner Tari 
When shell command returns a specially crafted string, I get an empty
array as $output of exec(), instead of the string. I can very easily
reproduce this issue as follows:

Put the following lines in bug.php:



Then put the following in echostr.php (the string is just one line
actually, new lines may be inserted by this mail agent, I provide a link
below):

65536] S=[9216->65536]";}i:9;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:25:"UDPv4
 link local: [undef]";}i:10;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:38:"UDPv4
 link remote: 81.215.105.114:1194";}i:11;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:98:"TLS
 Error: TLS key negotiation failed to occur within 60 seconds (check your 
network connectivity)";}i:12;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:31:"TLS
 Error: TLS handshake failed";}i:13;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:23:"TCP/UDP:
 Closing socket";}i:14;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:52:"SIGUSR1[soft,tls-error]
 received, process restarting";}i:15;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:26:"Restart
 pause, 2 second(s)";}i:16;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:102:"NOTE:
 OpenVPN 2.1 requires \'--script-security 2\' or higher to call user-defined 
scripts or executables";}i:17;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:24:"Re-using
 SSL/TLS context";}i:18;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:27:"LZO
 compression initialized";}i:19;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:63:"Control
 Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 
]";}i:20;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:70:"Data
 Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 
]";}i:21;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:39:"Local
 Options hash (VER=V4): \'41690919\'";}i:22;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:49:"Expected
 Remote Options hash (VER=V4): \'530fdded\'";}i:23;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:48:"Socket
 Buffers: R=[41600->65536] S=[9216->65536]";}i:24;a:4:{s:4:"Date";s:6:"Aug 
10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:25:"UDPv4
 link local: [undef]";}}';
?>

When you execute bug.php, you will get an empty array printed out:

Array
(
)

But actually, $output should have contained the string above as element
0 of the array.

If you delete or add a character in the string, exec() runs
correctly and you get the intended result. So the issue is specific to
this special string. You can download echostr.php contents at this link:
http://comixwall.org/dmdocuments/echostr

The problem is not with the size of the string, because much longer
strings are fine.

Also this issue does *not* exists with passthru(), shell_exec()
functions and backtick operator. Furthermore, exec() return value, i.e.
the last line of shell command output seems fine too (it contains the
string correctly). So I believe the issue is internal to exec(),
effecting $output contents only.

As you can guess, this string is in fact serialized openvpn startup log
lines (I just escaped the single quotes for testing purposes, that's
all), it is not some manually crafted string. Therefore, the chances are
quite high that I will get more than one similar situation in the
future, specifically every time the openvpn logs are rotated, and I
start openvpn.

I have confirmed this issue on OpenBSD, Linux, and Windows. Here are the
versions:

OpenBSD:
PHP 5.2.8 with Suhosin-Patch 0.9.6.3 (cli) (built: Mar  1 2009
10:26:06) 
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
with Suhosin v0.9.27, Copyright (c) 2007, by SektionEins GmbH

Linux:
PHP 5.2.6-3ubuntu4.2 with Suhosin-Patch 0.9.6.2 (cli) (built: Aug 21
2009 21:43:13) 
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies

Windows:
PHP 5.2.11 (cli) (built: Sep 16 2009 19:39:46)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies

Since Windows version is without Suhosin patch, suhosin as culprit is
ruled out. (Also to test on Windows, I changed the exec she

Re: [PHP] exec() confused by a specially crafted string

2009-10-12 Thread Soner Tari 
On Mon, 2009-10-12 at 13:21 -0300, Jonathan Tapicer wrote:
> Confirmed, it also happens to me on Linux, PHP version:
> 
> PHP 5.2.4-2ubuntu5.7 with Suhosin-Patch 0.9.6.2 (cli) (built: Aug 21
> 2009 19:52:39)
> Copyright (c) 1997-2007 The PHP Group
> Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
> 
> And adding a single character to the echoed string makes it work fine,
> seems like a bug to me.

Thanks, filed the bug report:
http://bugs.php.net/bug.php?id=49847


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php