Download | Plain Text | No Line Numbers 

  1. This patch is based on http://kyberdigi.cz/projects/execdir/ but instead trying
  2. to sanitize the exec command string inside PHP this job is handled by bash and
  3. a special restricted PHP-mode which strips off all path informations.
  4.  
  5. This patch depends on:
  6. - bash restricted php mode patch
  7.   https://manuel.mausz.at/coding/patches/php/bash-4.2-restricted-php.patch
  8.  
  9. No warranty!
  10. --- a/ext/standard/exec.c	2025-07-01 18:29:21.000000000 +0200
  11. +++ b/ext/standard/exec.c	2025-11-14 21:10:46.216811849 +0100
  12. @@ -116,21 +116,30 @@
  13.  	FILE *fp;
  14.  	char *buf;
  15.  	int pclose_return;
  16. -	char *b, *d=NULL;
  17. +	char *cmd_p, *b, *d=NULL;
  18.  	php_stream *stream;
  19.  	size_t buflen, bufl = 0;
  20.  #if PHP_SIGCHILD
  21.  	void (*sig_handler)() = NULL;
  22.  #endif
  23.  
  24. +	if (PG(exec_dir) && strlen(PG(exec_dir))) {
  25. +		zend_string *cmd_esc = php_escape_shell_arg(cmd);
  26. +		spprintf(&d, 0, "PATH=%s /bin/bash --php -rc %s", PG(exec_dir), ZSTR_VAL(cmd_esc));
  27. +		zend_string_release(cmd_esc);
  28. +		cmd_p = d;
  29. +	} else {
  30. +		cmd_p = cmd;
  31. +	}
  32. +
  33.  #if PHP_SIGCHILD
  34.  	sig_handler = signal (SIGCHLD, SIG_DFL);
  35.  #endif
  36.  
  37.  #ifdef PHP_WIN32
  38. -	fp = VCWD_POPEN(cmd, "rb");
  39. +	fp = VCWD_POPEN(cmd_p, "rb");
  40.  #else
  41. -	fp = VCWD_POPEN(cmd, "r");
  42. +	fp = VCWD_POPEN(cmd_p, "r");
  43.  #endif
  44.  	if (!fp) {
  45.  		php_error_docref(NULL, E_WARNING, "Unable to fork [%s]", cmd);
  46. @@ -513,7 +522,7 @@
  47.  PHP_FUNCTION(shell_exec)
  48.  {
  49.  	FILE *in;
  50. -	char *command;
  51. +	char *command, *command_p;
  52.  	size_t command_len;
  53.  	zend_string *ret;
  54.  	php_stream *stream;
  55. @@ -531,14 +540,24 @@
  56.  		RETURN_THROWS();
  57.  	}
  58.  
  59. +	if (PG(exec_dir) && strlen(PG(exec_dir))) {
  60. +		zend_string *cmd_esc = php_escape_shell_arg(command);
  61. +		spprintf(&command_p, 0, "PATH=%s /bin/bash --php -rc %s", PG(exec_dir), ZSTR_VAL(cmd_esc));
  62. +		zend_string_release(cmd_esc);
  63. +	} else {
  64. +		command_p = estrdup(command);
  65. +	}
  66. +
  67.  #ifdef PHP_WIN32
  68. -	if ((in=VCWD_POPEN(command, "rt"))==NULL) {
  69. +	if ((in=VCWD_POPEN(command_p, "rt"))==NULL) {
  70.  #else
  71. -	if ((in=VCWD_POPEN(command, "r"))==NULL) {
  72. +	if ((in=VCWD_POPEN(command_p, "r"))==NULL) {
  73.  #endif
  74.  		php_error_docref(NULL, E_WARNING, "Unable to execute '%s'", command);
  75. +		efree(command_p);
  76.  		RETURN_FALSE;
  77.  	}
  78. +	efree(command_p);
  79.  
  80.  	stream = php_stream_fopen_from_pipe(in, "rb");
  81.  	ret = php_stream_copy_to_mem(stream, PHP_STREAM_COPY_ALL, 0);
  82. --- a/ext/standard/file.c	2025-07-01 18:29:21.000000000 +0200
  83. +++ b/ext/standard/file.c	2025-11-14 21:10:46.217811842 +0100
  84. @@ -825,7 +825,16 @@
  85.  		RETURN_THROWS();
  86.  	}
  87.  
  88. -	fp = VCWD_POPEN(command, posix_mode);
  89. +	if (PG(exec_dir) && strlen(PG(exec_dir))) {
  90. +		zend_string *cmd_esc = php_escape_shell_arg(command);
  91. +		char *tmp;
  92. +		spprintf(&tmp, 0, "PATH=%s /bin/bash --php -rc %s", PG(exec_dir), ZSTR_VAL(cmd_esc));
  93. +		fp = VCWD_POPEN(tmp, posix_mode);
  94. +		efree(tmp);
  95. +		zend_string_release(cmd_esc);
  96. +	} else {
  97. +		fp = VCWD_POPEN(command, posix_mode);
  98. +	}
  99.  	if (!fp) {
  100.  		php_error_docref2(NULL, command, posix_mode, E_WARNING, "%s", strerror(errno));
  101.  		efree(posix_mode);
  102. --- a/ext/standard/filestat.c	2025-07-01 18:29:21.000000000 +0200
  103. +++ b/ext/standard/filestat.c	2025-11-14 21:10:46.217811842 +0100
  104. @@ -768,6 +768,7 @@
  105.  	php_stream_statbuf ssb = {0};
  106.  	int flags = 0, rmask=S_IROTH, wmask=S_IWOTH, xmask=S_IXOTH; /* access rights defaults to other */
  107.  	const char *local = NULL;
  108. +	char local_safe[MAXPATHLEN];
  109.  	php_stream_wrapper *wrapper = NULL;
  110.  
  111.  	if (IS_ACCESS_CHECK(type)) {
  112. @@ -779,7 +780,7 @@
  113.  		}
  114.  
  115.  		if ((wrapper = php_stream_locate_url_wrapper(ZSTR_VAL(filename), &local, 0)) == &php_plain_files_wrapper
  116. -		 && php_check_open_basedir(local)) {
  117. +		 && type != FS_IS_X && php_check_open_basedir(local)) {
  118.  			RETURN_FALSE;
  119.  		}
  120.  
  121. @@ -803,7 +804,22 @@
  122.  #endif
  123.  #ifdef X_OK
  124.  				case FS_IS_X:
  125. -					RETURN_BOOL(VCWD_ACCESS(local, X_OK) == 0);
  126. +					bool xok = (VCWD_ACCESS(local, X_OK) == 0);
  127. +					if (!xok && PG(exec_dir) && strlen(PG(exec_dir))) {
  128. +						if (strstr(local, "..")) {
  129. +							RETURN_FALSE;
  130. +						} else {
  131. +							char *b = strrchr(local, PHP_DIR_SEPARATOR);
  132. +							if (b) {
  133. +								snprintf(local_safe, MAXPATHLEN, "%s%s", PG(exec_dir), b);
  134. +							} else {
  135. +								snprintf(local_safe, MAXPATHLEN, "%s%c%s", PG(exec_dir), PHP_DIR_SEPARATOR, local);
  136. +							}
  137. +							local = (char *)&local_safe;
  138. +						}
  139. +						xok = (VCWD_ACCESS(local, X_OK) == 0);
  140. +					}
  141. +					RETURN_BOOL(xok);
  142.  					break;
  143.  #endif
  144.  			}
  145. --- a/ext/standard/proc_open.c	2025-07-01 18:29:21.000000000 +0200
  146. +++ b/ext/standard/proc_open.c	2025-11-14 21:11:06.823670619 +0100
  147. @@ -685,7 +685,17 @@
  148.  	zend_string *command = NULL;
  149.  	int i = 0;
  150.  
  151. -	*argv = safe_emalloc(sizeof(char *), num_elems + 1, 0);
  152. +	*argv = safe_emalloc(sizeof(char *), num_elems + 1 + 5, 0);
  153. +
  154. +	if (PG(exec_dir) && strlen(PG(exec_dir))) {
  155. +		command = zend_string_init("/bin/bash", sizeof("/bin/bash") - 1, 0);
  156. +		(*argv)[i++] = estrdup("/bin/bash");
  157. +		(*argv)[i++] = estrdup("--php");
  158. +		(*argv)[i++] = estrdup("-rc");
  159. +		(*argv)[i++] = estrdup("exec \"$@\"");
  160. +		(*argv)[i++] = estrdup("bash");
  161. +		(*argv)[i] = NULL;
  162. +	}
  163.  
  164.  	ZEND_HASH_FOREACH_VAL(array, arg_zv) {
  165.  		zend_string *arg_str = get_valid_arg_string(arg_zv, i + 1);
  166. @@ -1148,8 +1158,34 @@
  167.  	}
  168.  #endif
  169.  
  170. +	zval envpath;
  171. +	ZVAL_UNDEF(&envpath);
  172. +	if (PG(exec_dir) && strlen(PG(exec_dir))) {
  173. +		zend_string *key;
  174. +		zend_ulong idx;
  175. +		zval *val;
  176. +		uint32_t count = environment ? zend_hash_num_elements(Z_ARRVAL_P(environment)) : 0;
  177. +		array_init_size(&envpath, count + 1);
  178. +		if (count) {
  179. +			ZEND_HASH_FOREACH_KEY_VAL(Z_ARRVAL_P(environment), idx, key, val) {
  180. +				if (key) {
  181. +					zend_hash_add_new(Z_ARRVAL(envpath), key, val);
  182. +				} else {
  183. +					zend_hash_index_add_new(Z_ARRVAL(envpath), idx, val);
  184. +				}
  185. +				zval_add_ref(val);
  186. +			} ZEND_HASH_FOREACH_END();
  187. +		}
  188. +		add_assoc_string(&envpath, "PATH", PG(exec_dir));
  189. +		environment = &envpath;
  190. +	}
  191. +
  192.  	if (environment) {
  193.  		env = _php_array_to_envp(environment);
  194. +		if (!Z_ISUNDEF(envpath)) {
  195. +			zval_ptr_dtor(&envpath);
  196. +			environment = NULL;
  197. +		}
  198.  	}
  199.  
  200.  	descriptors = alloc_descriptor_array(descriptorspec);
  201. @@ -1275,10 +1311,14 @@
  202.  			}
  203.  			execvp(ZSTR_VAL(command_str), argv);
  204.  		} else {
  205. -			if (env.envarray) {
  206. -				execle("/bin/sh", "sh", "-c", ZSTR_VAL(command_str), NULL, env.envarray);
  207. +			if (PG(exec_dir) && strlen(PG(exec_dir))) {
  208. +				execle("/bin/bash", "bash", "--php", "-rc", ZSTR_VAL(command_str), NULL, env.envarray);
  209.  			} else {
  210. -				execl("/bin/sh", "sh", "-c", ZSTR_VAL(command_str), NULL);
  211. +				if (env.envarray) {
  212. +					execle("/bin/sh", "sh", "-c", ZSTR_VAL(command_str), NULL, env.envarray);
  213. +				} else {
  214. +					execl("/bin/sh", "sh", "-c", ZSTR_VAL(command_str), NULL);
  215. +				}
  216.  			}
  217.  		}
  218.  
  219. --- a/main/main.c	2025-11-14 21:10:21.162983555 +0100
  220. +++ b/main/main.c	2025-11-14 21:10:46.218811835 +0100
  221. @@ -800,6 +800,7 @@
  222.  	STD_PHP_INI_ENTRY("syslog.facility",		"LOG_USER",		PHP_INI_SYSTEM,		OnSetFacility,		syslog_facility,	php_core_globals,		core_globals)
  223.  	STD_PHP_INI_ENTRY("syslog.ident",		"php",			PHP_INI_SYSTEM,		OnUpdateString,		syslog_ident,		php_core_globals,		core_globals)
  224.  	STD_PHP_INI_ENTRY("syslog.filter",		"no-ctrl",		PHP_INI_ALL,		OnSetLogFilter,		syslog_filter,		php_core_globals, 		core_globals)
  225. +	STD_PHP_INI_ENTRY("exec_dir",			NULL,		PHP_INI_SYSTEM,		OnUpdateString,		exec_dir,		php_core_globals,		core_globals)
  226.  PHP_INI_END()
  227.  /* }}} */
  228.  
  229. --- a/main/php_globals.h	2025-11-14 21:10:21.045984357 +0100
  230. +++ b/main/php_globals.h	2025-11-14 21:10:46.219811828 +0100
  231. @@ -168,6 +168,8 @@
  232.  	bool have_called_openlog;
  233.  	zend_long syslog_filter;
  234.  	zend_long error_log_mode;
  235. +
  236. +	char *exec_dir;
  237.  };
  238.  
  239.  
  240. --- a/php.ini-development	2025-11-14 21:10:21.045984357 +0100
  241. +++ b/php.ini-development	2025-11-14 21:10:46.219811828 +0100
  242. @@ -317,6 +317,10 @@
  243.  ; https://php.net/open-basedir
  244.  ;open_basedir =
  245.  
  246. +; Only executables located in the exec_dir will be allowed to be executed
  247. +; via the exec family of functions.
  248. +exec_dir =
  249. +
  250.  ; This directive allows you to disable certain functions.
  251.  ; It receives a comma-delimited list of function names.
  252.  ; https://php.net/disable-functions
  253. --- a/php.ini-production	2025-11-14 21:10:21.046984350 +0100
  254. +++ b/php.ini-production	2025-11-14 21:10:46.219811828 +0100
  255. @@ -317,6 +317,10 @@
  256.  ; https://php.net/open-basedir
  257.  ;open_basedir =
  258.  
  259. +; Only executables located in the exec_dir will be allowed to be executed
  260. +; via the exec family of functions.
  261. +exec_dir =
  262. +
  263.  ; This directive allows you to disable certain functions.
  264.  ; It receives a comma-delimited list of function names.
  265.  ; https://php.net/disable-functions
  266.