exec() confused by a specially crafted string

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

When shell command returns a specially crafted string, I get an empty
array as $output of exec(), instead of the string. I can very easily
reproduce this issue as follows:

Put the following lines in bug.php:

<?php
exec('php echostr.php', $output);
print_r($output);
echo "\n";
?>

Then put the following in echostr.php (the string is just one line
actually, new lines may be inserted by this mail agent, I provide a link
below):

<?php	
echo 'a:25:{i:0;a:4:{s:4:"Date";s:6:"Aug
7";s:4:"Time";s:8:"16:00:01";s:7:"Process";s:16:"newsyslog[23117]";s:3:"Log";s:19:"logfile turned over";}i:1;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:76:"OpenVPN 2.1_rc18 x86_64-unknown-openbsd4.5 [SSL] [LZO1] built on Jun 26 2009";}i:2;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:102:"NOTE: OpenVPN 2.1 requires \'--script-security 2\' or higher to call user-defined scripts or executables";}i:3;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:27:"LZO compression initialized";}i:4;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:63:"Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]";}i:5;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:70:"Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]";}i:6;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:39:"Local Options hash (VER=V4): \'41690919\'";}i:7;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:49:"Expected Remote Options hash (VER=V4): \'530fdded\'";}i:8;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:48:"Socket Buffers: R=[41600->65536] S=[9216->65536]";}i:9;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:25:"UDPv4 link local: [undef]";}i:10;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:38:"UDPv4 link remote: 81.215.105.114:1194";}i:11;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:98:"TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)";}i:12;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:31:"TLS Error: TLS handshake failed";}i:13;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:23:"TCP/UDP: Closing socket";}i:14;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:52:"SIGUSR1[soft,tls-error] received, process restarting";}i:15;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:26:"Restart pause, 2 second(s)";}i:16;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:102:"NOTE: OpenVPN 2.1 requires \'--script-security 2\' or higher to call user-defined scripts or executables";}i:17;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:24:"Re-using SSL/TLS context";}i:18;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:27:"LZO compression initialized";}i:19;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:63:"Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]";}i:20;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:70:"Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]";}i:21;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:39:"Local Options hash (VER=V4): \'41690919\'";}i:22;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:49:"Expected Remote Options hash (VER=V4): \'530fdded\'";}i:23;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:48:"Socket Buffers: R=[41600->65536] S=[9216->65536]";}i:24;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:25:"UDPv4 link local: [undef]";}}';
?>

When you execute bug.php, you will get an empty array printed out:

Array
(
)

But actually, $output should have contained the string above as element
0 of the array.

If you delete or add a character in the string, exec() runs
correctly and you get the intended result. So the issue is specific to
this special string. You can download echostr.php contents at this link:
http://comixwall.org/dmdocuments/echostr

The problem is not with the size of the string, because much longer
strings are fine.

Also this issue does *not* exists with passthru(), shell_exec()
functions and backtick operator. Furthermore, exec() return value, i.e.
the last line of shell command output seems fine too (it contains the
string correctly). So I believe the issue is internal to exec(),
effecting $output contents only.

As you can guess, this string is in fact serialized openvpn startup log
lines (I just escaped the single quotes for testing purposes, that's
all), it is not some manually crafted string. Therefore, the chances are
quite high that I will get more than one similar situation in the
future, specifically every time the openvpn logs are rotated, and I
start openvpn.

I have confirmed this issue on OpenBSD, Linux, and Windows. Here are the
versions:

OpenBSD:
PHP 5.2.8 with Suhosin-Patch 0.9.6.3 (cli) (built: Mar  1 2009
10:26:06) 
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
    with Suhosin v0.9.27, Copyright (c) 2007, by SektionEins GmbH

Linux:
PHP 5.2.6-3ubuntu4.2 with Suhosin-Patch 0.9.6.2 (cli) (built: Aug 21
2009 21:43:13) 
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies

Windows:
PHP 5.2.11 (cli) (built: Sep 16 2009 19:39:46)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies

Since Windows version is without Suhosin patch, suhosin as culprit is
ruled out. (Also to test on Windows, I changed the exec shell command as
'php.exe echostr.php' of course.)

I would appreciate if somebody could also confirm my observations, so
that I can file a bug report (please use the link above to download
echostr.php contents to be sure we are testing the same string). Or
else, if you have an explanation, I'd like to hear about it.



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux