exec() confused by a specially crafted string
on 12.10.2009 18:10:51 by Soner Tari
When shell command returns a specially crafted string, I get an empty
array as $output of exec(), instead of the string. I can very easily
reproduce this issue as follows:
Put the following lines in bug.php:
<?php
exec('php echostr.php', $output);
print_r($output);
echo "\n";
?>
Then put the following in echostr.php (the string is just one line
actually, new lines may be inserted by this mail agent, I provide a link
below):
<?php
echo 'a:25:{i:0;a:4:{s:4:"Date";s:6:"Aug  7";s:4:"Time";s:8:"16:00:01";s:7:"Process";s:16:"newsyslog[23117]";s:3:"Log";s:19:"logfile turned over";}i:1;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:76:"OpenVPN 2.1_rc18 x86_64-unknown-openbsd4.5 [SSL] [LZO1] built on Jun 26 2009";}i:2;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:102:"NOTE: OpenVPN 2.1 requires \'--script-security 2\' or higher to call user-defined scripts or executables";}i:3;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:27:"LZO compression initialized";}i:4;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:63:"Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]";}i:5;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:70:"Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]";}i:6;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:39:"Local Options hash (VER=V4): \'41690919\'";}i:7;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:12:"openvpn[226]";s:3:"Log";s:49:"Expected Remote Options hash (VER=V4): \'530fdded\'";}i:8;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:48:"Socket Buffers: R=[41600->65536] S=[9216->65536]";}i:9;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:25:"UDPv4 link local: [undef]";}i:10;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:43:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:38:"UDPv4 link remote: 81.215.105.114:1194";}i:11;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:98:"TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)";}i:12;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:31:"TLS Error: TLS handshake failed";}i:13;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:23:"TCP/UDP: Closing socket";}i:14;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:52:"SIGUSR1[soft,tls-error] received, process restarting";}i:15;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:55";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:26:"Restart pause, 2 second(s)";}i:16;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:102:"NOTE: OpenVPN 2.1 requires \'--script-security 2\' or higher to call user-defined scripts or executables";}i:17;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:24:"Re-using SSL/TLS context";}i:18;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:27:"LZO compression initialized";}i:19;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:63:"Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]";}i:20;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:70:"Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]";}i:21;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:39:"Local Options hash (VER=V4): \'41690919\'";}i:22;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:49:"Expected Remote Options hash (VER=V4): \'530fdded\'";}i:23;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:48:"Socket Buffers: R=[41600->65536] S=[9216->65536]";}i:24;a:4:{s:4:"Date";s:6:"Aug 10";s:4:"Time";s:8:"22:44:57";s:7:"Process";s:14:"openvpn[31938]";s:3:"Log";s:25:"UDPv4 link local: [undef]";}}';
?>
When you execute bug.php, you will get an empty array printed out:
Array
(
)
But actually, $output should have contained the string above as element
0 of the array.
If you delete or add a character in the string, exec() runs
correctly and you get the intended result. So the issue is specific to
this special string. You can download echostr.php contents at this link:
http://comixwall.org/dmdocuments/echostr
The problem is not with the size of the string, because much longer
strings are fine.
Also this issue does *not* exist with passthru(), shell_exec()
functions and backtick operator. Furthermore, exec() return value, i.e.
the last line of shell command output seems fine too (it contains the
string correctly). So I believe the issue is internal to exec(),
affecting $output contents only.
As you can guess, this string is in fact serialized openvpn startup log
lines (I just escaped the single quotes for testing purposes, that's
all), it is not some manually crafted string. Therefore, the chances are
quite high that I will get more than one similar situation in the
future, specifically every time the openvpn logs are rotated, and I
start openvpn.
I have confirmed this issue on OpenBSD, Linux, and Windows. Here are the
versions:
OpenBSD:
PHP 5.2.8 with Suhosin-Patch 0.9.6.3 (cli) (built: Mar 1 2009
10:26:06)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
with Suhosin v0.9.27, Copyright (c) 2007, by SektionEins GmbH
Linux:
PHP 5.2.6-3ubuntu4.2 with Suhosin-Patch 0.9.6.2 (cli) (built: Aug 21
2009 21:43:13)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
Windows:
PHP 5.2.11 (cli) (built: Sep 16 2009 19:39:46)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
Since Windows version is without Suhosin patch, suhosin as culprit is
ruled out. (Also to test on Windows, I changed the exec shell command as
'php.exe echostr.php' of course.)
I would appreciate if somebody could also confirm my observations, so
that I can file a bug report (please use the link above to download
echostr.php contents to be sure we are testing the same string). Or
else, if you have an explanation, I'd like to hear about it.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
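A defensive wrapper built on the observations in the report above, added here as an example and not part of the original message: it runs the command once with exec(), compares the last element of $output with exec()'s return value (reported as still correct), and only on disagreement re-reads the output through shell_exec() (reported as unaffected). The helper name exec_checked() is hypothetical, and the command is assumed to be idempotent because the fallback runs it a second time.

```php
<?php
// Added example, not code from the thread. exec_checked() is a hypothetical
// helper; exec() and shell_exec() are the PHP built-ins discussed above.
// Written without type hints so it also runs on PHP 5.2/5.3 builds.

/**
 * Run $cmd with exec() and verify that $output agrees with the return value
 * (the last output line). On disagreement, fall back to shell_exec().
 * Assumption: $cmd is idempotent, because the fallback runs it again.
 */
function exec_checked($cmd, &$status = null, &$mismatch = false)
{
    $output = array();
    $last = exec($cmd, $output, $status);

    // exec() strips trailing whitespace from both values, so the last
    // array element and the return value should be identical.
    $tail = count($output) ? $output[count($output) - 1] : '';
    $mismatch = ($last !== false && $last !== $tail);
    if (!$mismatch) {
        return $output;
    }

    // Record the inconsistency so it is visible in logs, then re-read.
    error_log(sprintf('exec() $output disagrees with its return value for: %s', $cmd));
    $raw = shell_exec($cmd);
    if ($raw === null || $raw === false) {
        return array();
    }
    // Split on any newline style after dropping the trailing newline.
    return preg_split('/\r\n|\n|\r/', rtrim($raw, "\r\n"));
}

// Usage with the command from the report.
$lines = exec_checked('php echostr.php', $status, $mismatch);
printf("lines=%d status=%d mismatch=%s\n",
    count($lines), $status, $mismatch ? 'yes' : 'no');
```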
Re: exec() confused by a specially crafted string
on 12.10.2009 18:21:57 by Jonathan Tapicer
Confirmed, it also happens to me on Linux, PHP version:
PHP 5.2.4-2ubuntu5.7 with Suhosin-Patch 0.9.6.2 (cli) (built: Aug 21
2009 19:52:39)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
And adding a single character to the echoed string makes it work fine,
seems like a bug to me.
Regards,
Jonathan
On Mon, Oct 12, 2009 at 1:10 PM, Soner Tari wrote:
> When shell command returns a specially crafted string, I get an empty
> array as $output of exec(), instead of the string. I can very easily
> reproduce this issue as follows:
>
> Put the following lines in bug.php:
>
> <?php
> exec('php echostr.php', $output);
> print_r($output);
> echo "\n";
> ?>
>
> Then put the following in echostr.php (the string is just one line
> actually, new lines may be inserted by this mail agent, I provide a link
> below):
>
> When you execute bug.php, you will get an empty array printed out:
>
> Array
> (
> )
>
> But actually, $output should have contained the string above as element
> 0 of the array.
>
> If you delete or add a character in the string, exec() runs
> correctly and you get the intended result. So the issue is specific to
> this special string. You can download echostr.php contents at this link:
> http://comixwall.org/dmdocuments/echostr
>
> The problem is not with the size of the string, because much longer
> strings are fine.
>
> Also this issue does *not* exist with passthru(), shell_exec()
> functions and backtick operator. Furthermore, exec() return value, i.e.
> the last line of shell command output seems fine too (it contains the
> string correctly). So I believe the issue is internal to exec(),
> affecting $output contents only.
>
> As you can guess, this string is in fact serialized openvpn startup log
> lines (I just escaped the single quotes for testing purposes, that's
> all), it is not some manually crafted string. Therefore, the chances are
> quite high that I will get more than one similar situation in the
> future, specifically every time the openvpn logs are rotated, and I
> start openvpn.
>
> I have confirmed this issue on OpenBSD, Linux, and Windows. Here are the
> versions:
>
> OpenBSD:
> PHP 5.2.8 with Suhosin-Patch 0.9.6.3 (cli) (built: Mar 1 2009
> 10:26:06)
> Copyright (c) 1997-2008 The PHP Group
> Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
>    with Suhosin v0.9.27, Copyright (c) 2007, by SektionEins GmbH
>
> Linux:
> PHP 5.2.6-3ubuntu4.2 with Suhosin-Patch 0.9.6.2 (cli) (built: Aug 21
> 2009 21:43:13)
> Copyright (c) 1997-2008 The PHP Group
> Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
>
> Windows:
> PHP 5.2.11 (cli) (built: Sep 16 2009 19:39:46)
> Copyright (c) 1997-2009 The PHP Group
> Zend Engine v2.2.0, Copyright (c) 1998-2009 Zend Technologies
>
> Since Windows version is without Suhosin patch, suhosin as culprit is
> ruled out. (Also to test on Windows, I changed the exec shell command as
> 'php.exe echostr.php' of course.)
>
> I would appreciate if somebody could also confirm my observations, so
> that I can file a bug report (please use the link above to download
> echostr.php contents to be sure we are testing the same string). Or
> else, if you have an explanation, I'd like to hear about it.
Re: exec() confused by a specially crafted string
on 12.10.2009 20:10:46 by Soner Tari
On Mon, 2009-10-12 at 13:21 -0300, Jonathan Tapicer wrote:
> Confirmed, it also happens to me on Linux, PHP version:
>
> PHP 5.2.4-2ubuntu5.7 with Suhosin-Patch 0.9.6.2 (cli) (built: Aug 21
> 2009 19:52:39)
> Copyright (c) 1997-2007 The PHP Group
> Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
>
> And adding a single character to the echoed string makes it work fine,
> seems like a bug to me.
Thanks, filed the bug report:
http://bugs.php.net/bug.php?id=49847
Re: exec() confused by a specially crafted string
on 12.10.2009 20:56:02 by Eddie Drapkin
On Mon, Oct 12, 2009 at 2:10 PM, Soner Tari wrote:
> On Mon, 2009-10-12 at 13:21 -0300, Jonathan Tapicer wrote:
>> Confirmed, it also happens to me on Linux, PHP version:
>>
>> PHP 5.2.4-2ubuntu5.7 with Suhosin-Patch 0.9.6.2 (cli) (built: Aug 21
>> 2009 19:52:39)
>> Copyright (c) 1997-2007 The PHP Group
>> Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
>>
>> And adding a single character to the echoed string makes it work fine,
>> seems like a bug to me.
>
> Thanks, filed the bug report:
> http://bugs.php.net/bug.php?id=49847
Confirmed (again) here:
PHP Version => 5.3.0
Build Date => Jul 1 2009 17:55:55