xref: /PHP-7.0/ext/standard/exec.c (revision 478f119a)
1 /*
2    +----------------------------------------------------------------------+
3    | PHP Version 7                                                        |
4    +----------------------------------------------------------------------+
5    | Copyright (c) 1997-2017 The PHP Group                                |
6    +----------------------------------------------------------------------+
7    | This source file is subject to version 3.01 of the PHP license,      |
8    | that is bundled with this package in the file LICENSE, and is        |
9    | available through the world-wide-web at the following url:           |
10    | http://www.php.net/license/3_01.txt                                  |
11    | If you did not receive a copy of the PHP license and are unable to   |
12    | obtain it through the world-wide-web, please send a note to          |
13    | license@php.net so we can mail you a copy immediately.               |
14    +----------------------------------------------------------------------+
15    | Author: Rasmus Lerdorf <rasmus@php.net>                              |
16    |         Ilia Alshanetsky <iliaa@php.net>                             |
17    +----------------------------------------------------------------------+
18  */
19 /* $Id$ */
20 
21 #include <stdio.h>
22 #include "php.h"
23 #include <ctype.h>
24 #include "php_string.h"
25 #include "ext/standard/head.h"
26 #include "ext/standard/file.h"
27 #include "basic_functions.h"
28 #include "exec.h"
29 #include "php_globals.h"
30 #include "SAPI.h"
31 
32 #if HAVE_SYS_WAIT_H
33 #include <sys/wait.h>
34 #endif
35 #if HAVE_SIGNAL_H
36 #include <signal.h>
37 #endif
38 
39 #if HAVE_SYS_TYPES_H
40 #include <sys/types.h>
41 #endif
42 #if HAVE_SYS_STAT_H
43 #include <sys/stat.h>
44 #endif
45 #if HAVE_FCNTL_H
46 #include <fcntl.h>
47 #endif
48 
49 #if HAVE_UNISTD_H
50 #include <unistd.h>
51 #endif
52 
53 #if HAVE_LIMITS_H
54 #include <limits.h>
55 #endif
56 
57 static int cmd_max_len;
58 
59 /* {{{ PHP_MINIT_FUNCTION(exec) */
PHP_MINIT_FUNCTION(exec)60 PHP_MINIT_FUNCTION(exec)
61 {
62 #ifdef _SC_ARG_MAX
63 	cmd_max_len = sysconf(_SC_ARG_MAX);
64 	if (-1 == cmd_max_len) {
65 #ifdef _POSIX_ARG_MAX
66 		cmd_max_len = _POSIX_ARG_MAX;
67 #else
68 		cmd_max_len = 4096;
69 #endif
70 	}
71 #elif defined(ARG_MAX)
72 	cmd_max_len = ARG_MAX;
73 #elif defined(PHP_WIN32)
74 	/* Executed commands will run through cmd.exe. As long as it's the case,
75 		it's just the constant limit.*/
76 	cmd_max_len = 8192;
77 #else
78 	/* This is just an arbitrary value for the fallback case. */
79 	cmd_max_len = 4096;
80 #endif
81 
82 	return SUCCESS;
83 }
84 /* }}} */
85 
86 /* {{{ php_exec
87  * If type==0, only last line of output is returned (exec)
88  * If type==1, all lines will be printed and last lined returned (system)
89  * If type==2, all lines will be saved to given array (exec with &$array)
90  * If type==3, output will be printed binary, no lines will be saved or returned (passthru)
91  *
92  */
php_exec(int type,char * cmd,zval * array,zval * return_value)93 PHPAPI int php_exec(int type, char *cmd, zval *array, zval *return_value)
94 {
95 	FILE *fp;
96 	char *buf;
97 	size_t l = 0;
98 	int pclose_return;
99 	char *b, *d=NULL;
100 	php_stream *stream;
101 	size_t buflen, bufl = 0;
102 #if PHP_SIGCHILD
103 	void (*sig_handler)() = NULL;
104 #endif
105 
106 #if PHP_SIGCHILD
107 	sig_handler = signal (SIGCHLD, SIG_DFL);
108 #endif
109 
110 #ifdef PHP_WIN32
111 	fp = VCWD_POPEN(cmd, "rb");
112 #else
113 	fp = VCWD_POPEN(cmd, "r");
114 #endif
115 	if (!fp) {
116 		php_error_docref(NULL, E_WARNING, "Unable to fork [%s]", cmd);
117 		goto err;
118 	}
119 
120 	stream = php_stream_fopen_from_pipe(fp, "rb");
121 
122 	buf = (char *) emalloc(EXEC_INPUT_BUF);
123 	buflen = EXEC_INPUT_BUF;
124 
125 	if (type != 3) {
126 		b = buf;
127 
128 		while (php_stream_get_line(stream, b, EXEC_INPUT_BUF, &bufl)) {
129 			/* no new line found, let's read some more */
130 			if (b[bufl - 1] != '\n' && !php_stream_eof(stream)) {
131 				if (buflen < (bufl + (b - buf) + EXEC_INPUT_BUF)) {
132 					bufl += b - buf;
133 					buflen = bufl + EXEC_INPUT_BUF;
134 					buf = erealloc(buf, buflen);
135 					b = buf + bufl;
136 				} else {
137 					b += bufl;
138 				}
139 				continue;
140 			} else if (b != buf) {
141 				bufl += b - buf;
142 			}
143 
144 			if (type == 1) {
145 				PHPWRITE(buf, bufl);
146 				if (php_output_get_level() < 1) {
147 					sapi_flush();
148 				}
149 			} else if (type == 2) {
150 				/* strip trailing whitespaces */
151 				l = bufl;
152 				while (l-- > 0 && isspace(((unsigned char *)buf)[l]));
153 				if (l != (bufl - 1)) {
154 					bufl = l + 1;
155 					buf[bufl] = '\0';
156 				}
157 				add_next_index_stringl(array, buf, bufl);
158 			}
159 			b = buf;
160 		}
161 		if (bufl) {
162 			/* strip trailing whitespaces if we have not done so already */
163 			if ((type == 2 && buf != b) || type != 2) {
164 				l = bufl;
165 				while (l-- > 0 && isspace(((unsigned char *)buf)[l]));
166 				if (l != (bufl - 1)) {
167 					bufl = l + 1;
168 					buf[bufl] = '\0';
169 				}
170 				if (type == 2) {
171 					add_next_index_stringl(array, buf, bufl);
172 				}
173 			}
174 
175 			/* Return last line from the shell command */
176 			RETVAL_STRINGL(buf, bufl);
177 		} else { /* should return NULL, but for BC we return "" */
178 			RETVAL_EMPTY_STRING();
179 		}
180 	} else {
181 		while((bufl = php_stream_read(stream, buf, EXEC_INPUT_BUF)) > 0) {
182 			PHPWRITE(buf, bufl);
183 		}
184 	}
185 
186 	pclose_return = php_stream_close(stream);
187 	efree(buf);
188 
189 done:
190 #if PHP_SIGCHILD
191 	if (sig_handler) {
192 		signal(SIGCHLD, sig_handler);
193 	}
194 #endif
195 	if (d) {
196 		efree(d);
197 	}
198 	return pclose_return;
199 err:
200 	pclose_return = -1;
201 	goto done;
202 }
203 /* }}} */
204 
php_exec_ex(INTERNAL_FUNCTION_PARAMETERS,int mode)205 static void php_exec_ex(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
206 {
207 	char *cmd;
208 	size_t cmd_len;
209 	zval *ret_code=NULL, *ret_array=NULL;
210 	int ret;
211 
212 	if (mode) {
213 		if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|z/", &cmd, &cmd_len, &ret_code) == FAILURE) {
214 			RETURN_FALSE;
215 		}
216 	} else {
217 		if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|z/z/", &cmd, &cmd_len, &ret_array, &ret_code) == FAILURE) {
218 			RETURN_FALSE;
219 		}
220 	}
221 	if (!cmd_len) {
222 		php_error_docref(NULL, E_WARNING, "Cannot execute a blank command");
223 		RETURN_FALSE;
224 	}
225 	if (strlen(cmd) != cmd_len) {
226 		php_error_docref(NULL, E_WARNING, "NULL byte detected. Possible attack");
227 		RETURN_FALSE;
228 	}
229 
230 	if (!ret_array) {
231 		ret = php_exec(mode, cmd, NULL, return_value);
232 	} else {
233 		if (Z_TYPE_P(ret_array) != IS_ARRAY) {
234 			zval_dtor(ret_array);
235 			array_init(ret_array);
236 		}
237 		ret = php_exec(2, cmd, ret_array, return_value);
238 	}
239 	if (ret_code) {
240 		zval_dtor(ret_code);
241 		ZVAL_LONG(ret_code, ret);
242 	}
243 }
244 /* }}} */
245 
246 /* {{{ proto string exec(string command [, array &output [, int &return_value]])
247    Execute an external program */
PHP_FUNCTION(exec)248 PHP_FUNCTION(exec)
249 {
250 	php_exec_ex(INTERNAL_FUNCTION_PARAM_PASSTHRU, 0);
251 }
252 /* }}} */
253 
254 /* {{{ proto int system(string command [, int &return_value])
255    Execute an external program and display output */
PHP_FUNCTION(system)256 PHP_FUNCTION(system)
257 {
258 	php_exec_ex(INTERNAL_FUNCTION_PARAM_PASSTHRU, 1);
259 }
260 /* }}} */
261 
262 /* {{{ proto void passthru(string command [, int &return_value])
263    Execute an external program and display raw output */
PHP_FUNCTION(passthru)264 PHP_FUNCTION(passthru)
265 {
266 	php_exec_ex(INTERNAL_FUNCTION_PARAM_PASSTHRU, 3);
267 }
268 /* }}} */
269 
270 /* {{{ php_escape_shell_cmd
271    Escape all chars that could possibly be used to
272    break out of a shell command
273 
274    This function emalloc's a string and returns the pointer.
275    Remember to efree it when done with it.
276 
277    *NOT* safe for binary strings
278 */
php_escape_shell_cmd(char * str)279 PHPAPI zend_string *php_escape_shell_cmd(char *str)
280 {
281 	register int x, y;
282 	size_t l = strlen(str);
283 	uint64_t estimate = (2 * (uint64_t)l) + 1;
284 	zend_string *cmd;
285 #ifndef PHP_WIN32
286 	char *p = NULL;
287 #endif
288 
289 	/* max command line length - two single quotes - \0 byte length */
290 	if (l > cmd_max_len - 2 - 1) {
291 		php_error_docref(NULL, E_ERROR, "Command exceeds the allowed length of %d bytes", cmd_max_len);
292 		return ZSTR_EMPTY_ALLOC();
293 	}
294 
295 	cmd = zend_string_safe_alloc(2, l, 0, 0);
296 
297 	for (x = 0, y = 0; x < l; x++) {
298 		int mb_len = php_mblen(str + x, (l - x));
299 
300 		/* skip non-valid multibyte characters */
301 		if (mb_len < 0) {
302 			continue;
303 		} else if (mb_len > 1) {
304 			memcpy(ZSTR_VAL(cmd) + y, str + x, mb_len);
305 			y += mb_len;
306 			x += mb_len - 1;
307 			continue;
308 		}
309 
310 		switch (str[x]) {
311 #ifndef PHP_WIN32
312 			case '"':
313 			case '\'':
314 				if (!p && (p = memchr(str + x + 1, str[x], l - x - 1))) {
315 					/* noop */
316 				} else if (p && *p == str[x]) {
317 					p = NULL;
318 				} else {
319 					ZSTR_VAL(cmd)[y++] = '\\';
320 				}
321 				ZSTR_VAL(cmd)[y++] = str[x];
322 				break;
323 #else
324 			/* % is Windows specific for environmental variables, ^%PATH% will
325 				output PATH while ^%PATH^% will not. escapeshellcmd->val will escape all % and !.
326 			*/
327 			case '%':
328 			case '!':
329 			case '"':
330 			case '\'':
331 #endif
332 			case '#': /* This is character-set independent */
333 			case '&':
334 			case ';':
335 			case '`':
336 			case '|':
337 			case '*':
338 			case '?':
339 			case '~':
340 			case '<':
341 			case '>':
342 			case '^':
343 			case '(':
344 			case ')':
345 			case '[':
346 			case ']':
347 			case '{':
348 			case '}':
349 			case '$':
350 			case '\\':
351 			case '\x0A': /* excluding these two */
352 			case '\xFF':
353 #ifdef PHP_WIN32
354 				ZSTR_VAL(cmd)[y++] = '^';
355 #else
356 				ZSTR_VAL(cmd)[y++] = '\\';
357 #endif
358 				/* fall-through */
359 			default:
360 				ZSTR_VAL(cmd)[y++] = str[x];
361 
362 		}
363 	}
364 	ZSTR_VAL(cmd)[y] = '\0';
365 
366 	if (y > cmd_max_len + 1) {
367 		php_error_docref(NULL, E_ERROR, "Escaped command exceeds the allowed length of %d bytes", cmd_max_len);
368 		zend_string_release(cmd);
369 		return ZSTR_EMPTY_ALLOC();
370 	}
371 
372 	if ((estimate - y) > 4096) {
373 		/* realloc if the estimate was way overill
374 		 * Arbitrary cutoff point of 4096 */
375 		cmd = zend_string_truncate(cmd, y, 0);
376 	}
377 
378 	ZSTR_LEN(cmd) = y;
379 
380 	return cmd;
381 }
382 /* }}} */
383 
384 /* {{{ php_escape_shell_arg
385  */
php_escape_shell_arg(char * str)386 PHPAPI zend_string *php_escape_shell_arg(char *str)
387 {
388 	int x, y = 0;
389 	size_t l = strlen(str);
390 	zend_string *cmd;
391 	uint64_t estimate = (4 * (uint64_t)l) + 3;
392 
393 	/* max command line length - two single quotes - \0 byte length */
394 	if (l > cmd_max_len - 2 - 1) {
395 		php_error_docref(NULL, E_ERROR, "Argument exceeds the allowed length of %d bytes", cmd_max_len);
396 		return ZSTR_EMPTY_ALLOC();
397 	}
398 
399 	cmd = zend_string_safe_alloc(4, l, 2, 0); /* worst case */
400 
401 #ifdef PHP_WIN32
402 	ZSTR_VAL(cmd)[y++] = '"';
403 #else
404 	ZSTR_VAL(cmd)[y++] = '\'';
405 #endif
406 
407 	for (x = 0; x < l; x++) {
408 		int mb_len = php_mblen(str + x, (l - x));
409 
410 		/* skip non-valid multibyte characters */
411 		if (mb_len < 0) {
412 			continue;
413 		} else if (mb_len > 1) {
414 			memcpy(ZSTR_VAL(cmd) + y, str + x, mb_len);
415 			y += mb_len;
416 			x += mb_len - 1;
417 			continue;
418 		}
419 
420 		switch (str[x]) {
421 #ifdef PHP_WIN32
422 		case '"':
423 		case '%':
424 		case '!':
425 			ZSTR_VAL(cmd)[y++] = ' ';
426 			break;
427 #else
428 		case '\'':
429 			ZSTR_VAL(cmd)[y++] = '\'';
430 			ZSTR_VAL(cmd)[y++] = '\\';
431 			ZSTR_VAL(cmd)[y++] = '\'';
432 #endif
433 			/* fall-through */
434 		default:
435 			ZSTR_VAL(cmd)[y++] = str[x];
436 		}
437 	}
438 #ifdef PHP_WIN32
439 	if (y > 0 && '\\' == ZSTR_VAL(cmd)[y - 1]) {
440 		int k = 0, n = y - 1;
441 		for (; n >= 0 && '\\' == ZSTR_VAL(cmd)[n]; n--, k++);
442 		if (k % 2) {
443 			ZSTR_VAL(cmd)[y++] = '\\';
444 		}
445 	}
446 
447 	ZSTR_VAL(cmd)[y++] = '"';
448 #else
449 	ZSTR_VAL(cmd)[y++] = '\'';
450 #endif
451 	ZSTR_VAL(cmd)[y] = '\0';
452 
453 	if (y > cmd_max_len + 1) {
454 		php_error_docref(NULL, E_ERROR, "Escaped argument exceeds the allowed length of %d bytes", cmd_max_len);
455 		zend_string_release(cmd);
456 		return ZSTR_EMPTY_ALLOC();
457 	}
458 
459 	if ((estimate - y) > 4096) {
460 		/* realloc if the estimate was way overill
461 		 * Arbitrary cutoff point of 4096 */
462 		cmd = zend_string_truncate(cmd, y, 0);
463 	}
464 	ZSTR_LEN(cmd) = y;
465 	return cmd;
466 }
467 /* }}} */
468 
469 /* {{{ proto string escapeshellcmd(string command)
470    Escape shell metacharacters */
PHP_FUNCTION(escapeshellcmd)471 PHP_FUNCTION(escapeshellcmd)
472 {
473 	char *command;
474 	size_t command_len;
475 
476 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &command, &command_len) == FAILURE) {
477 		return;
478 	}
479 
480 	if (command_len) {
481 		if (command_len != strlen(command)) {
482 			php_error_docref(NULL, E_ERROR, "Input string contains NULL bytes");
483 			return;
484 		}
485 		RETVAL_STR(php_escape_shell_cmd(command));
486 	} else {
487 		RETVAL_EMPTY_STRING();
488 	}
489 }
490 /* }}} */
491 
492 /* {{{ proto string escapeshellarg(string arg)
493    Quote and escape an argument for use in a shell command */
PHP_FUNCTION(escapeshellarg)494 PHP_FUNCTION(escapeshellarg)
495 {
496 	char *argument;
497 	size_t argument_len;
498 
499 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &argument, &argument_len) == FAILURE) {
500 		return;
501 	}
502 
503 	if (argument) {
504 		if (argument_len != strlen(argument)) {
505 			php_error_docref(NULL, E_ERROR, "Input string contains NULL bytes");
506 			return;
507 		}
508 		RETVAL_STR(php_escape_shell_arg(argument));
509 	}
510 }
511 /* }}} */
512 
513 /* {{{ proto string shell_exec(string cmd)
514    Execute command via shell and return complete output as string */
PHP_FUNCTION(shell_exec)515 PHP_FUNCTION(shell_exec)
516 {
517 	FILE *in;
518 	char *command;
519 	size_t command_len;
520 	zend_string *ret;
521 	php_stream *stream;
522 
523 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &command, &command_len) == FAILURE) {
524 		return;
525 	}
526 
527 #ifdef PHP_WIN32
528 	if ((in=VCWD_POPEN(command, "rt"))==NULL) {
529 #else
530 	if ((in=VCWD_POPEN(command, "r"))==NULL) {
531 #endif
532 		php_error_docref(NULL, E_WARNING, "Unable to execute '%s'", command);
533 		RETURN_FALSE;
534 	}
535 
536 	stream = php_stream_fopen_from_pipe(in, "rb");
537 	ret = php_stream_copy_to_mem(stream, PHP_STREAM_COPY_ALL, 0);
538 	php_stream_close(stream);
539 
540 	if (ret && ZSTR_LEN(ret) > 0) {
541 		RETVAL_STR(ret);
542 	}
543 }
544 /* }}} */
545 
546 #ifdef HAVE_NICE
547 /* {{{ proto bool proc_nice(int priority)
548    Change the priority of the current process */
549 PHP_FUNCTION(proc_nice)
550 {
551 	zend_long pri;
552 
553 	if (zend_parse_parameters(ZEND_NUM_ARGS(), "l", &pri) == FAILURE) {
554 		RETURN_FALSE;
555 	}
556 
557 	errno = 0;
558 	php_ignore_value(nice(pri));
559 	if (errno) {
560 		php_error_docref(NULL, E_WARNING, "Only a super user may attempt to increase the priority of a process");
561 		RETURN_FALSE;
562 	}
563 
564 	RETURN_TRUE;
565 }
566 /* }}} */
567 #endif
568 
569 /*
570  * Local variables:
571  * tab-width: 4
572  * c-basic-offset: 4
573  * End:
574  * vim600: sw=4 ts=4 fdm=marker
575  * vim<600: sw=4 ts=4
576  */
577