1--TEST--
2GHSA-9fcc-425m-g385 - bypass CVE-2024-1874 - cmd.exe variation
3--SKIPIF--
4<?php
5if( substr(PHP_OS, 0, 3) != "WIN" )
6  die('skip Run only on Windows');
7if (!str_contains(shell_exec("does_not_exist.exe 2>&1"), "is not recognized as an internal or external command")) {
8  die("skip English locale required");
9}
10if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
11?>
12--FILE--
13<?php
14
15$batch_file_content = <<<EOT
16@echo off
17powershell -Command "Write-Output '%0%'"
18powershell -Command "Write-Output '%1%'"
19EOT;
20$batch_file_path = __DIR__ . '/ghsa-9fcc-425m-g385_002.bat';
21
22file_put_contents($batch_file_path, $batch_file_content);
23
24$descriptorspec = [STDIN, STDOUT, STDOUT];
25
26$proc = proc_open(["cmd.exe", "/c", $batch_file_path, "\"&notepad.exe"], $descriptorspec, $pipes);
27proc_close($proc);
28$proc = proc_open(["cmd.exe   ", "/c", $batch_file_path, "\"&notepad.exe"], $descriptorspec, $pipes);
29proc_close($proc);
30$proc = proc_open(["cmd.exe.   ", "/c", $batch_file_path, "\"&notepad.exe"], $descriptorspec, $pipes);
31proc_close($proc);
32$proc = proc_open(["cmd.exe. ...  ", "/c", $batch_file_path, "\"&notepad.exe"], $descriptorspec, $pipes);
33proc_close($proc);
34$proc = proc_open(["\\cmd.exe. ...  ", "/c", $batch_file_path, "\"&notepad.exe"], $descriptorspec, $pipes);
35
36$proc = proc_open(["cmd", "/c", $batch_file_path, "\"&notepad.exe"], $descriptorspec, $pipes);
37proc_close($proc);
38$proc = proc_open(["cmd   ", "/c", $batch_file_path, "\"&notepad.exe"], $descriptorspec, $pipes);
39proc_close($proc);
40$proc = proc_open(["cmd.   ", "/c", $batch_file_path, "\"&notepad.exe"], $descriptorspec, $pipes);
41$proc = proc_open(["cmd. ...  ", "/c", $batch_file_path, "\"&notepad.exe"], $descriptorspec, $pipes);
42$proc = proc_open(["\\cmd. ...  ", "/c", $batch_file_path, "\"&notepad.exe"], $descriptorspec, $pipes);
43
44?>
45--EXPECTF--
46%sghsa-9fcc-425m-g385_002.bat
47"&notepad.exe
48%sghsa-9fcc-425m-g385_002.bat
49"&notepad.exe
50%sghsa-9fcc-425m-g385_002.bat
51"&notepad.exe
52%sghsa-9fcc-425m-g385_002.bat
53"&notepad.exe
54
55Warning: proc_open(): CreateProcess failed: The system cannot find the file specified in %s on line %d
56%sghsa-9fcc-425m-g385_002.bat
57"&notepad.exe
58%sghsa-9fcc-425m-g385_002.bat
59"&notepad.exe
60
61Warning: proc_open(): CreateProcess failed: The system cannot find the file specified in %s on line %d
62
63Warning: proc_open(): CreateProcess failed: The system cannot find the file specified in %s on line %d
64
65Warning: proc_open(): CreateProcess failed: The system cannot find the file specified in %s on line %d
66--CLEAN--
67<?php
68@unlink(__DIR__ . '/ghsa-9fcc-425m-g385_002.bat');
69?>
70