/*
+----------------------------------------------------------------------+
| PHP Version 5 |
+----------------------------------------------------------------------+
| Copyright (c) 1997-2016 The PHP Group |
+----------------------------------------------------------------------+
| This source file is subject to version 3.01 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
| available through the world-wide-web at the following url: |
| http://www.php.net/license/3_01.txt |
| If you did not receive a copy of the PHP license and are unable to |
| obtain it through the world-wide-web, please send a note to |
| license@php.net so we can mail you a copy immediately. |
+----------------------------------------------------------------------+
| Author: Rasmus Lerdorf <rasmus@php.net> |
| Ilia Alshanetsky <iliaa@php.net> |
+----------------------------------------------------------------------+
*/
/* $Id$ */
#include <stdio.h>
#include "php.h"
#include <ctype.h>
#include "php_string.h"
#include "ext/standard/head.h"
#include "ext/standard/file.h"
#include "basic_functions.h"
#include "exec.h"
#include "php_globals.h"
#include "SAPI.h"
#if HAVE_SYS_WAIT_H
#include <sys/wait.h>
#endif
#if HAVE_SIGNAL_H
#include <signal.h>
#endif
#if HAVE_SYS_TYPES_H
#include <sys/types.h>
#endif
#if HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif
#if HAVE_FCNTL_H
#include <fcntl.h>
#endif
#if HAVE_UNISTD_H
#include <unistd.h>
#endif
#if HAVE_LIMITS_H
#include <limits.h>
#endif
#ifdef PHP_WIN32
# include "win32/php_stdint.h"
#else
# if HAVE_INTTYPES_H
# include <inttypes.h>
# elif HAVE_STDINT_H
# include <stdint.h>
# endif
#endif
static int cmd_max_len;
/* {{{ PHP_MINIT_FUNCTION(exec) */
PHP_MINIT_FUNCTION(exec)
{
#ifdef _SC_ARG_MAX
cmd_max_len = sysconf(_SC_ARG_MAX);
if (-1 == cmd_max_len) {
#ifdef _POSIX_ARG_MAX
cmd_max_len = _POSIX_ARG_MAX;
#else
cmd_max_len = 4096;
#endif
}
#elif defined(ARG_MAX)
cmd_max_len = ARG_MAX;
#elif defined(PHP_WIN32)
/* Executed commands will run through cmd.exe. As long as it's the case,
it's just the constant limit.*/
cmd_max_len = 8192;
#else
/* This is just an arbitrary value for the fallback case. */
cmd_max_len = 4096;
#endif
return SUCCESS;
}
/* }}} */
/* {{{ php_exec
* If type==0, only last line of output is returned (exec)
* If type==1, all lines will be printed and last lined returned (system)
* If type==2, all lines will be saved to given array (exec with &$array)
* If type==3, output will be printed binary, no lines will be saved or returned (passthru)
*
*/
PHPAPI int php_exec(int type, char *cmd, zval *array, zval *return_value TSRMLS_DC)
{
FILE *fp;
char *buf;
int l = 0, pclose_return;
char *b, *d=NULL;
php_stream *stream;
size_t buflen, bufl = 0;
#if PHP_SIGCHILD
void (*sig_handler)() = NULL;
#endif
#if PHP_SIGCHILD
sig_handler = signal (SIGCHLD, SIG_DFL);
#endif
#ifdef PHP_WIN32
fp = VCWD_POPEN(cmd, "rb");
#else
fp = VCWD_POPEN(cmd, "r");
#endif
if (!fp) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to fork [%s]", cmd);
goto err;
}
stream = php_stream_fopen_from_pipe(fp, "rb");
buf = (char *) emalloc(EXEC_INPUT_BUF);
buflen = EXEC_INPUT_BUF;
if (type != 3) {
b = buf;
while (php_stream_get_line(stream, b, EXEC_INPUT_BUF, &bufl)) {
/* no new line found, let's read some more */
if (b[bufl - 1] != '\n' && !php_stream_eof(stream)) {
if (buflen < (bufl + (b - buf) + EXEC_INPUT_BUF)) {
bufl += b - buf;
buflen = bufl + EXEC_INPUT_BUF;
buf = erealloc(buf, buflen);
b = buf + bufl;
} else {
b += bufl;
}
continue;
} else if (b != buf) {
bufl += b - buf;
}
if (type == 1) {
PHPWRITE(buf, bufl);
if (php_output_get_level(TSRMLS_C) < 1) {
sapi_flush(TSRMLS_C);
}
} else if (type == 2) {
/* strip trailing whitespaces */
l = bufl;
while (l-- && isspace(((unsigned char *)buf)[l]));
if (l != (int)(bufl - 1)) {
bufl = l + 1;
buf[bufl] = '\0';
}
add_next_index_stringl(array, buf, bufl, 1);
}
b = buf;
}
if (bufl) {
/* strip trailing whitespaces if we have not done so already */
if ((type == 2 && buf != b) || type != 2) {
l = bufl;
while (l-- && isspace(((unsigned char *)buf)[l]));
if (l != (int)(bufl - 1)) {
bufl = l + 1;
buf[bufl] = '\0';
}
if (type == 2) {
add_next_index_stringl(array, buf, bufl, 1);
}
}
/* Return last line from the shell command */
RETVAL_STRINGL(buf, bufl, 1);
} else { /* should return NULL, but for BC we return "" */
RETVAL_EMPTY_STRING();
}
} else {
while((bufl = php_stream_read(stream, buf, EXEC_INPUT_BUF)) > 0) {
PHPWRITE(buf, bufl);
}
}
pclose_return = php_stream_close(stream);
efree(buf);
done:
#if PHP_SIGCHILD
if (sig_handler) {
signal(SIGCHLD, sig_handler);
}
#endif
if (d) {
efree(d);
}
return pclose_return;
err:
pclose_return = -1;
goto done;
}
/* }}} */
static void php_exec_ex(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
{
char *cmd;
int cmd_len;
zval *ret_code=NULL, *ret_array=NULL;
int ret;
if (mode) {
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|z/", &cmd, &cmd_len, &ret_code) == FAILURE) {
RETURN_FALSE;
}
} else {
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|z/z/", &cmd, &cmd_len, &ret_array, &ret_code) == FAILURE) {
RETURN_FALSE;
}
}
if (!cmd_len) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot execute a blank command");
RETURN_FALSE;
}
if (strlen(cmd) != cmd_len) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "NULL byte detected. Possible attack");
RETURN_FALSE;
}
if (!ret_array) {
ret = php_exec(mode, cmd, NULL, return_value TSRMLS_CC);
} else {
if (Z_TYPE_P(ret_array) != IS_ARRAY) {
zval_dtor(ret_array);
array_init(ret_array);
}
ret = php_exec(2, cmd, ret_array, return_value TSRMLS_CC);
}
if (ret_code) {
zval_dtor(ret_code);
ZVAL_LONG(ret_code, ret);
}
}
/* }}} */
/* {{{ proto string exec(string command [, array &output [, int &return_value]])
Execute an external program */
PHP_FUNCTION(exec)
{
php_exec_ex(INTERNAL_FUNCTION_PARAM_PASSTHRU, 0);
}
/* }}} */
/* {{{ proto int system(string command [, int &return_value])
Execute an external program and display output */
PHP_FUNCTION(system)
{
php_exec_ex(INTERNAL_FUNCTION_PARAM_PASSTHRU, 1);
}
/* }}} */
/* {{{ proto void passthru(string command [, int &return_value])
Execute an external program and display raw output */
PHP_FUNCTION(passthru)
{
php_exec_ex(INTERNAL_FUNCTION_PARAM_PASSTHRU, 3);
}
/* }}} */
/* {{{ php_escape_shell_cmd
Escape all chars that could possibly be used to
break out of a shell command
This function emalloc's a string and returns the pointer.
Remember to efree it when done with it.
*NOT* safe for binary strings
*/
PHPAPI char *php_escape_shell_cmd(char *str)
{
register int x, y;
size_t l = strlen(str);
uint64_t estimate = (2 * (uint64_t)l) + 1;
char *cmd;
char *p = NULL;
TSRMLS_FETCH();
/* max command line length - two single quotes - \0 byte length */
if (l > cmd_max_len - 2 - 1) {
php_error_docref(NULL TSRMLS_CC, E_ERROR, "Command exceeds the allowed length of %d bytes", cmd_max_len);
return NULL;
}
cmd = safe_emalloc(2, l, 1);
for (x = 0, y = 0; x < l; x++) {
int mb_len = php_mblen(str + x, (l - x));
/* skip non-valid multibyte characters */
if (mb_len < 0) {
continue;
} else if (mb_len > 1) {
memcpy(cmd + y, str + x, mb_len);
y += mb_len;
x += mb_len - 1;
continue;
}
switch (str[x]) {
#ifndef PHP_WIN32
case '"':
case '\'':
if (!p && (p = memchr(str + x + 1, str[x], l - x - 1))) {
/* noop */
} else if (p && *p == str[x]) {
p = NULL;
} else {
cmd[y++] = '\\';
}
cmd[y++] = str[x];
break;
#else
/* % is Windows specific for enviromental variables, ^%PATH% will
output PATH while ^%PATH^% will not. escapeshellcmd will escape all % and !.
*/
case '%':
case '!':
case '"':
case '\'':
#endif
case '#': /* This is character-set independent */
case '&':
case ';':
case '`':
case '|':
case '*':
case '?':
case '~':
case '<':
case '>':
case '^':
case '(':
case ')':
case '[':
case ']':
case '{':
case '}':
case '$':
case '\\':
case '\x0A': /* excluding these two */
case '\xFF':
#ifdef PHP_WIN32
cmd[y++] = '^';
#else
cmd[y++] = '\\';
#endif
/* fall-through */
default:
cmd[y++] = str[x];
}
}
cmd[y] = '\0';
if (y > cmd_max_len + 1) {
php_error_docref(NULL TSRMLS_CC, E_ERROR, "Escaped command exceeds the allowed length of %d bytes", cmd_max_len);
efree(cmd);
return NULL;
}
if ((estimate - y) > 4096) {
/* realloc if the estimate was way overill
* Arbitrary cutoff point of 4096 */
cmd = erealloc(cmd, y + 1);
}
return cmd;
}
/* }}} */
/* {{{ php_escape_shell_arg
*/
PHPAPI char *php_escape_shell_arg(char *str)
{
int x, y = 0;
size_t l = strlen(str);
char *cmd;
uint64_t estimate = (4 * (uint64_t)l) + 3;
TSRMLS_FETCH();
/* max command line length - two single quotes - \0 byte length */
if (l > cmd_max_len - 2 - 1) {
php_error_docref(NULL TSRMLS_CC, E_ERROR, "Argument exceeds the allowed length of %d bytes", cmd_max_len);
return NULL;
}
cmd = safe_emalloc(4, l, 3); /* worst case */
#ifdef PHP_WIN32
cmd[y++] = '"';
#else
cmd[y++] = '\'';
#endif
for (x = 0; x < l; x++) {
int mb_len = php_mblen(str + x, (l - x));
/* skip non-valid multibyte characters */
if (mb_len < 0) {
continue;
} else if (mb_len > 1) {
memcpy(cmd + y, str + x, mb_len);
y += mb_len;
x += mb_len - 1;
continue;
}
switch (str[x]) {
#ifdef PHP_WIN32
case '"':
case '%':
case '!':
cmd[y++] = ' ';
break;
#else
case '\'':
cmd[y++] = '\'';
cmd[y++] = '\\';
cmd[y++] = '\'';
#endif
/* fall-through */
default:
cmd[y++] = str[x];
}
}
#ifdef PHP_WIN32
if (y > 0 && '\\' == cmd[y - 1]) {
int k = 0, n = y - 1;
for (; n >= 0 && '\\' == cmd[n]; n--, k++);
if (k % 2) {
cmd[y++] = '\\';
}
}
cmd[y++] = '"';
#else
cmd[y++] = '\'';
#endif
cmd[y] = '\0';
if (y > cmd_max_len + 1) {
php_error_docref(NULL TSRMLS_CC, E_ERROR, "Escaped argument exceeds the allowed length of %d bytes", cmd_max_len);
efree(cmd);
return NULL;
}
if ((estimate - y) > 4096) {
/* realloc if the estimate was way overill
* Arbitrary cutoff point of 4096 */
cmd = erealloc(cmd, y + 1);
}
return cmd;
}
/* }}} */
/* {{{ proto string escapeshellcmd(string command)
Escape shell metacharacters */
PHP_FUNCTION(escapeshellcmd)
{
char *command;
int command_len;
char *cmd = NULL;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &command, &command_len) == FAILURE) {
return;
}
if (command_len) {
if (command_len != strlen(command)) {
php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input string contains NULL bytes");
return;
}
cmd = php_escape_shell_cmd(command);
RETVAL_STRINGL_CHECK(cmd, strlen(cmd), 0);
} else {
RETVAL_EMPTY_STRING();
}
}
/* }}} */
/* {{{ proto string escapeshellarg(string arg)
Quote and escape an argument for use in a shell command */
PHP_FUNCTION(escapeshellarg)
{
char *argument;
int argument_len;
char *cmd = NULL;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &argument, &argument_len) == FAILURE) {
return;
}
if (argument) {
if (argument_len != strlen(argument)) {
php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input string contains NULL bytes");
return;
}
cmd = php_escape_shell_arg(argument);
RETVAL_STRINGL_CHECK(cmd, strlen(cmd), 0);
}
}
/* }}} */
/* {{{ proto string shell_exec(string cmd)
Execute command via shell and return complete output as string */
PHP_FUNCTION(shell_exec)
{
FILE *in;
size_t total_readbytes;
char *command;
int command_len;
char *ret;
php_stream *stream;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &command, &command_len) == FAILURE) {
return;
}
#ifdef PHP_WIN32
if ((in=VCWD_POPEN(command, "rt"))==NULL) {
#else
if ((in=VCWD_POPEN(command, "r"))==NULL) {
#endif
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to execute '%s'", command);
RETURN_FALSE;
}
stream = php_stream_fopen_from_pipe(in, "rb");
total_readbytes = php_stream_copy_to_mem(stream, &ret, PHP_STREAM_COPY_ALL, 0);
php_stream_close(stream);
if (total_readbytes > 0) {
RETVAL_STRINGL_CHECK(ret, total_readbytes, 0);
}
}
/* }}} */
#ifdef HAVE_NICE
/* {{{ proto bool proc_nice(int priority)
Change the priority of the current process */
PHP_FUNCTION(proc_nice)
{
long pri;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "l", &pri) == FAILURE) {
RETURN_FALSE;
}
errno = 0;
php_ignore_value(nice(pri));
if (errno) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Only a super user may attempt to increase the priority of a process");
RETURN_FALSE;
}
RETURN_TRUE;
}
/* }}} */
#endif
/*
* Local variables:
* tab-width: 4
* c-basic-offset: 4
* End:
* vim600: sw=4 ts=4 fdm=marker
* vim<600: sw=4 ts=4
*/
| Name | Type | Size | Permission | Actions |
|---|---|---|---|---|
| array.c | File | 130.19 KB | 0644 |
|
| assert.c | File | 9.31 KB | 0644 |
|
| base64.c | File | 7.73 KB | 0644 |
|
| base64.h | File | 1.57 KB | 0644 |
|
| basic_functions.c | File | 169.08 KB | 0644 |
|
| basic_functions.h | File | 7.42 KB | 0644 |
|
| browscap.c | File | 16.82 KB | 0644 |
|
| crc32.c | File | 1.77 KB | 0644 |
|
| crc32.h | File | 4.78 KB | 0644 |
|
| credits.c | File | 5.91 KB | 0644 |
|
| credits.h | File | 1.7 KB | 0644 |
|
| credits_ext.h | File | 5.51 KB | 0644 |
|
| credits_sapi.h | File | 1.63 KB | 0644 |
|
| crypt.c | File | 8.43 KB | 0644 |
|
| crypt_blowfish.c | File | 31.68 KB | 0644 |
|
| crypt_blowfish.h | File | 1.05 KB | 0644 |
|
| crypt_freesec.c | File | 21.64 KB | 0644 |
|
| crypt_freesec.h | File | 662 B | 0644 |
|
| crypt_sha256.c | File | 21.77 KB | 0644 |
|
| crypt_sha512.c | File | 26.45 KB | 0644 |
|
| css.c | File | 2.43 KB | 0644 |
|
| css.h | File | 1.21 KB | 0644 |
|
| cyr_convert.c | File | 11.56 KB | 0644 |
|
| datetime.c | File | 3.85 KB | 0644 |
|
| dir.c | File | 15.08 KB | 0644 |
|
| dl.c | File | 9.18 KB | 0644 |
|
| dl.h | File | 1.57 KB | 0644 |
|
| dns.c | File | 27.68 KB | 0644 |
|
| exec.c | File | 13.13 KB | 0644 |
|
| exec.h | File | 1.69 KB | 0644 |
|
| file.c | File | 68.46 KB | 0644 |
|
| file.h | File | 4.63 KB | 0644 |
|
| filestat.c | File | 34.39 KB | 0644 |
|
| filters.c | File | 56.51 KB | 0644 |
|
| flock_compat.c | File | 6.9 KB | 0644 |
|
| formatted_print.c | File | 20.19 KB | 0644 |
|
| fsock.c | File | 3.89 KB | 0644 |
|
| ftok.c | File | 2.22 KB | 0644 |
|
| ftp_fopen_wrapper.c | File | 32.1 KB | 0644 |
|
| head.c | File | 9.18 KB | 0644 |
|
| head.h | File | 1.62 KB | 0644 |
|
| html.c | File | 48.15 KB | 0644 |
|
| html.h | File | 2.71 KB | 0644 |
|
| html_tables.h | File | 471.57 KB | 0644 |
|
| http.c | File | 7.7 KB | 0644 |
|
| http_fopen_wrapper.c | File | 33.65 KB | 0644 |
|
| image.c | File | 40.83 KB | 0644 |
|
| incomplete_class.c | File | 5.61 KB | 0644 |
|
| info.c | File | 44.03 KB | 0644 |
|
| info.h | File | 20.2 KB | 0644 |
|
| iptc.c | File | 9.85 KB | 0644 |
|
| lcg.c | File | 3.11 KB | 0644 |
|
| levenshtein.c | File | 4.05 KB | 0644 |
|
| link.c | File | 5.83 KB | 0644 |
|
| mail.c | File | 13.74 KB | 0644 |
|
| math.c | File | 29.12 KB | 0644 |
|
| md5.c | File | 10.65 KB | 0644 |
|
| md5.h | File | 2.12 KB | 0644 |
|
| metaphone.c | File | 11.84 KB | 0644 |
|
| microtime.c | File | 4.36 KB | 0644 |
|
| pack.c | File | 27.05 KB | 0644 |
|
| pack.h | File | 1.25 KB | 0644 |
|
| pageinfo.c | File | 3.92 KB | 0644 |
|
| password.c | File | 12.06 KB | 0644 |
|
| php_array.h | File | 4.62 KB | 0644 |
|
| php_assert.h | File | 1.4 KB | 0644 |
|
| php_browscap.h | File | 1.3 KB | 0644 |
|
| php_crypt.h | File | 1.63 KB | 0644 |
|
| php_crypt_r.c | File | 10.78 KB | 0644 |
|
| php_crypt_r.h | File | 2 KB | 0644 |
|
| php_dir.h | File | 1.67 KB | 0644 |
|
| php_dns.h | File | 2.82 KB | 0644 |
|
| php_ext_syslog.h | File | 1.47 KB | 0644 |
|
| php_filestat.h | File | 3.28 KB | 0644 |
|
| php_fopen_wrapper.c | File | 11.49 KB | 0644 |
|
| php_fopen_wrappers.h | File | 1.92 KB | 0644 |
|
| php_image.h | File | 2.37 KB | 0644 |
|
| php_incomplete_class.h | File | 2.47 KB | 0644 |
|
| php_lcg.h | File | 1.5 KB | 0644 |
|
| php_mail.h | File | 1.37 KB | 0644 |
|
| php_password.h | File | 1.58 KB | 0644 |
|
| php_rand.h | File | 2.56 KB | 0644 |
|
| php_smart_str.h | File | 6.57 KB | 0644 |
|
| php_smart_str_public.h | File | 1.29 KB | 0644 |
|
| php_standard.h | File | 2.21 KB | 0644 |
|
| php_string.h | File | 6.23 KB | 0644 |
|
| php_var.h | File | 7.33 KB | 0644 |
|
| php_versioning.h | File | 1.37 KB | 0644 |
|
| proc_open.c | File | 26 KB | 0644 |
|
| proc_open.h | File | 1.81 KB | 0644 |
|
| quot_print.c | File | 7.51 KB | 0644 |
|
| quot_print.h | File | 1.51 KB | 0644 |
|
| rand.c | File | 11.01 KB | 0644 |
|
| scanf.c | File | 29.45 KB | 0644 |
|
| scanf.h | File | 2.27 KB | 0644 |
|
| sha1.c | File | 11.58 KB | 0644 |
|
| sha1.h | File | 1.71 KB | 0644 |
|
| soundex.c | File | 3.29 KB | 0644 |
|
| streamsfuncs.c | File | 45.17 KB | 0644 |
|
| string.c | File | 135.19 KB | 0644 |
|
| strnatcmp.c | File | 4.57 KB | 0644 |
|
| syslog.c | File | 6.35 KB | 0644 |
|
| type.c | File | 9.06 KB | 0644 |
|
| uniqid.c | File | 2.62 KB | 0644 |
|
| url.c | File | 17.9 KB | 0644 |
|
| url.h | File | 2.28 KB | 0644 |
|
| url_scanner_ex.c | File | 27.89 KB | 0644 |
|
| url_scanner_ex.h | File | 2.09 KB | 0644 |
|
| user_filters.c | File | 18.47 KB | 0644 |
|
| uuencode.c | File | 6.63 KB | 0644 |
|
| var.c | File | 29.15 KB | 0644 |
|
| var_unserializer.c | File | 29.18 KB | 0644 |
|
| versioning.c | File | 5.87 KB | 0644 |
|