Download | Plain Text | No Line Numbers


  1. This patch is based on http://kyberdigi.cz/projects/execdir/ but instead trying
  2. to sanitize the exec command string inside PHP this job is handled by bash and
  3. a special restricted PHP-mode which strips off all path informations.
  4.  
  5. This patch depends on:
  6. - bash restricted php mode patch
  7. https://manuel.mausz.at/coding/patches/php/bash-4.2-restricted-php.patch
  8.  
  9. No warranty!
  10. diff -Naur a/ext/standard/exec.c b/ext/standard/exec.c
  11. --- a/ext/standard/exec.c 2022-09-14 11:42:49.000000000 +0200
  12. +++ b/ext/standard/exec.c 2022-09-26 13:46:28.272391880 +0200
  13. @@ -116,21 +116,30 @@
  14. FILE *fp;
  15. char *buf;
  16. int pclose_return;
  17. - char *b, *d=NULL;
  18. + char *cmd_p, *b, *d=NULL;
  19. php_stream *stream;
  20. size_t buflen, bufl = 0;
  21. #if PHP_SIGCHILD
  22. void (*sig_handler)() = NULL;
  23. #endif
  24.  
  25. + if (PG(exec_dir) && strlen(PG(exec_dir))) {
  26. + zend_string *cmd_esc = php_escape_shell_arg(cmd);
  27. + spprintf(&d, 0, "PATH=%s /bin/bash --php -rc %s", PG(exec_dir), ZSTR_VAL(cmd_esc));
  28. + zend_string_release(cmd_esc);
  29. + cmd_p = d;
  30. + } else {
  31. + cmd_p = cmd;
  32. + }
  33. +
  34. #if PHP_SIGCHILD
  35. sig_handler = signal (SIGCHLD, SIG_DFL);
  36. #endif
  37.  
  38. #ifdef PHP_WIN32
  39. - fp = VCWD_POPEN(cmd, "rb");
  40. + fp = VCWD_POPEN(cmd_p, "rb");
  41. #else
  42. - fp = VCWD_POPEN(cmd, "r");
  43. + fp = VCWD_POPEN(cmd_p, "r");
  44. #endif
  45. if (!fp) {
  46. php_error_docref(NULL, E_WARNING, "Unable to fork [%s]", cmd);
  47. @@ -513,7 +522,7 @@
  48. PHP_FUNCTION(shell_exec)
  49. {
  50. FILE *in;
  51. - char *command;
  52. + char *command, *command_p;
  53. size_t command_len;
  54. zend_string *ret;
  55. php_stream *stream;
  56. @@ -531,14 +540,24 @@
  57. RETURN_THROWS();
  58. }
  59.  
  60. + if (PG(exec_dir) && strlen(PG(exec_dir))) {
  61. + zend_string *cmd_esc = php_escape_shell_arg(command);
  62. + spprintf(&command_p, 0, "PATH=%s /bin/bash --php -rc %s", PG(exec_dir), ZSTR_VAL(cmd_esc));
  63. + zend_string_release(cmd_esc);
  64. + } else {
  65. + command_p = estrdup(command);
  66. + }
  67. +
  68. #ifdef PHP_WIN32
  69. - if ((in=VCWD_POPEN(command, "rt"))==NULL) {
  70. + if ((in=VCWD_POPEN(command_p, "rt"))==NULL) {
  71. #else
  72. - if ((in=VCWD_POPEN(command, "r"))==NULL) {
  73. + if ((in=VCWD_POPEN(command_p, "r"))==NULL) {
  74. #endif
  75. php_error_docref(NULL, E_WARNING, "Unable to execute '%s'", command);
  76. + efree(command_p);
  77. RETURN_FALSE;
  78. }
  79. + efree(command_p);
  80.  
  81. stream = php_stream_fopen_from_pipe(in, "rb");
  82. ret = php_stream_copy_to_mem(stream, PHP_STREAM_COPY_ALL, 0);
  83. diff -Naur a/ext/standard/file.c b/ext/standard/file.c
  84. --- a/ext/standard/file.c 2022-09-14 11:42:49.000000000 +0200
  85. +++ b/ext/standard/file.c 2022-09-26 13:46:28.273391872 +0200
  86. @@ -825,7 +825,16 @@
  87. RETURN_THROWS();
  88. }
  89.  
  90. - fp = VCWD_POPEN(command, posix_mode);
  91. + if (PG(exec_dir) && strlen(PG(exec_dir))) {
  92. + zend_string *cmd_esc = php_escape_shell_arg(command);
  93. + char *tmp;
  94. + spprintf(&tmp, 0, "PATH=%s /bin/bash --php -rc %s", PG(exec_dir), ZSTR_VAL(cmd_esc));
  95. + fp = VCWD_POPEN(tmp, posix_mode);
  96. + efree(tmp);
  97. + zend_string_release(cmd_esc);
  98. + } else {
  99. + fp = VCWD_POPEN(command, posix_mode);
  100. + }
  101. if (!fp) {
  102. php_error_docref2(NULL, command, posix_mode, E_WARNING, "%s", strerror(errno));
  103. efree(posix_mode);
  104. diff -Naur a/ext/standard/filestat.c b/ext/standard/filestat.c
  105. --- a/ext/standard/filestat.c 2022-09-14 11:42:49.000000000 +0200
  106. +++ b/ext/standard/filestat.c 2022-09-26 13:46:28.273391872 +0200
  107. @@ -744,6 +744,7 @@
  108. php_stream_statbuf ssb = {0};
  109. int flags = 0, rmask=S_IROTH, wmask=S_IWOTH, xmask=S_IXOTH; /* access rights defaults to other */
  110. const char *local = NULL;
  111. + char local_safe[MAXPATHLEN];
  112. php_stream_wrapper *wrapper = NULL;
  113.  
  114. if (IS_ACCESS_CHECK(type)) {
  115. @@ -755,7 +756,7 @@
  116. }
  117.  
  118. if ((wrapper = php_stream_locate_url_wrapper(ZSTR_VAL(filename), &local, 0)) == &php_plain_files_wrapper
  119. - && php_check_open_basedir(local)) {
  120. + && type != FS_IS_X && php_check_open_basedir(local)) {
  121. RETURN_FALSE;
  122. }
  123.  
  124. @@ -779,7 +780,22 @@
  125. #endif
  126. #ifdef X_OK
  127. case FS_IS_X:
  128. - RETURN_BOOL(VCWD_ACCESS(local, X_OK) == 0);
  129. + bool xok = (VCWD_ACCESS(local, X_OK) == 0);
  130. + if (!xok && PG(exec_dir) && strlen(PG(exec_dir))) {
  131. + if (strstr(local, "..")) {
  132. + RETURN_FALSE;
  133. + } else {
  134. + char *b = strrchr(local, PHP_DIR_SEPARATOR);
  135. + if (b) {
  136. + snprintf(local_safe, MAXPATHLEN, "%s%s", PG(exec_dir), b);
  137. + } else {
  138. + snprintf(local_safe, MAXPATHLEN, "%s%c%s", PG(exec_dir), PHP_DIR_SEPARATOR, local);
  139. + }
  140. + local = (char *)&local_safe;
  141. + }
  142. + xok = (VCWD_ACCESS(local, X_OK) == 0);
  143. + }
  144. + RETURN_BOOL(xok);
  145. break;
  146. #endif
  147. }
  148. diff -Naur a/ext/standard/proc_open.c b/ext/standard/proc_open.c
  149. --- a/ext/standard/proc_open.c 2022-09-14 11:42:49.000000000 +0200
  150. +++ b/ext/standard/proc_open.c 2022-09-26 13:46:28.274391865 +0200
  151. @@ -618,7 +618,17 @@
  152. zend_string *command = NULL;
  153. int i = 0;
  154.  
  155. - *argv = safe_emalloc(sizeof(char *), num_elems + 1, 0);
  156. + *argv = safe_emalloc(sizeof(char *), num_elems + 1 + 5, 0);
  157. +
  158. + if (PG(exec_dir) && strlen(PG(exec_dir))) {
  159. + command = zend_string_init("/bin/bash", sizeof("/bin/bash") - 1, 0);
  160. + (*argv)[i++] = estrdup("/bin/bash");
  161. + (*argv)[i++] = estrdup("--php");
  162. + (*argv)[i++] = estrdup("-rc");
  163. + (*argv)[i++] = estrdup("exec \"$@\"");
  164. + (*argv)[i++] = estrdup("bash");
  165. + (*argv)[i] = NULL;
  166. + }
  167.  
  168. ZEND_HASH_FOREACH_VAL(array, arg_zv) {
  169. zend_string *arg_str = get_valid_arg_string(arg_zv, i + 1);
  170. @@ -1081,6 +1091,15 @@
  171. }
  172. #endif
  173.  
  174. + zval envpath;
  175. + if (PG(exec_dir) && strlen(PG(exec_dir))) {
  176. + if (!environment || zend_hash_num_elements(Z_ARRVAL_P(environment)) == 0) {
  177. + array_init_size(&envpath, 1);
  178. + environment = &envpath;
  179. + }
  180. + add_assoc_string(environment, "PATH", PG(exec_dir));
  181. + }
  182. +
  183. if (environment) {
  184. env = _php_array_to_envp(environment);
  185. }
  186. @@ -1207,10 +1226,14 @@
  187. }
  188. execvp(ZSTR_VAL(command_str), argv);
  189. } else {
  190. - if (env.envarray) {
  191. - execle("/bin/sh", "sh", "-c", ZSTR_VAL(command_str), NULL, env.envarray);
  192. + if (PG(exec_dir) && strlen(PG(exec_dir))) {
  193. + execle("/bin/bash", "bash", "--php", "-rc", ZSTR_VAL(command_str), NULL, env.envarray);
  194. } else {
  195. - execl("/bin/sh", "sh", "-c", ZSTR_VAL(command_str), NULL);
  196. + if (env.envarray) {
  197. + execle("/bin/sh", "sh", "-c", ZSTR_VAL(command_str), NULL, env.envarray);
  198. + } else {
  199. + execl("/bin/sh", "sh", "-c", ZSTR_VAL(command_str), NULL);
  200. + }
  201. }
  202. }
  203.  
  204. diff -Naur a/main/main.c b/main/main.c
  205. --- a/main/main.c 2022-09-26 13:43:12.767867280 +0200
  206. +++ b/main/main.c 2022-09-26 13:46:28.275391857 +0200
  207. @@ -765,6 +765,7 @@
  208. STD_PHP_INI_ENTRY("syslog.facility", "LOG_USER", PHP_INI_SYSTEM, OnSetFacility, syslog_facility, php_core_globals, core_globals)
  209. STD_PHP_INI_ENTRY("syslog.ident", "php", PHP_INI_SYSTEM, OnUpdateString, syslog_ident, php_core_globals, core_globals)
  210. STD_PHP_INI_ENTRY("syslog.filter", "no-ctrl", PHP_INI_ALL, OnSetLogFilter, syslog_filter, php_core_globals, core_globals)
  211. + STD_PHP_INI_ENTRY("exec_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, exec_dir, php_core_globals, core_globals)
  212. PHP_INI_END()
  213. /* }}} */
  214.  
  215. diff -Naur a/main/php_globals.h b/main/php_globals.h
  216. --- a/main/php_globals.h 2022-09-14 11:42:49.000000000 +0200
  217. +++ b/main/php_globals.h 2022-09-26 13:46:28.275391857 +0200
  218. @@ -166,6 +166,8 @@
  219. bool have_called_openlog;
  220. zend_long syslog_filter;
  221. zend_long error_log_mode;
  222. +
  223. + char *exec_dir;
  224. };
  225.  
  226.  
  227. diff -Naur a/php.ini-development b/php.ini-development
  228. --- a/php.ini-development 2022-09-14 11:42:49.000000000 +0200
  229. +++ b/php.ini-development 2022-09-26 13:46:28.275391857 +0200
  230. @@ -317,6 +317,10 @@
  231. ; https://php.net/open-basedir
  232. ;open_basedir =
  233.  
  234. +; Only executables located in the exec_dir will be allowed to be executed
  235. +; via the exec family of functions.
  236. +exec_dir =
  237. +
  238. ; This directive allows you to disable certain functions.
  239. ; It receives a comma-delimited list of function names.
  240. ; https://php.net/disable-functions
  241. diff -Naur a/php.ini-production b/php.ini-production
  242. --- a/php.ini-production 2022-09-14 11:42:49.000000000 +0200
  243. +++ b/php.ini-production 2022-09-26 13:46:28.276391850 +0200
  244. @@ -317,6 +317,10 @@
  245. ; https://php.net/open-basedir
  246. ;open_basedir =
  247.  
  248. +; Only executables located in the exec_dir will be allowed to be executed
  249. +; via the exec family of functions.
  250. +exec_dir =
  251. +
  252. ; This directive allows you to disable certain functions.
  253. ; It receives a comma-delimited list of function names.
  254. ; https://php.net/disable-functions
  255.