Skip to content

ext/standard: Reject null bytes in proc_open() $cwd#21871

Merged
TimWolla merged 1 commit intophp:masterfrom
LamentXU123:bugfix-4
May 2, 2026
Merged

ext/standard: Reject null bytes in proc_open() $cwd#21871
TimWolla merged 1 commit intophp:masterfrom
LamentXU123:bugfix-4

Conversation

@LamentXU123
Copy link
Copy Markdown
Contributor

@LamentXU123 LamentXU123 commented Apr 25, 2026
edited
Loading

In function proc_open, although the we check the parameter $commend to reject NUL bytes, we didn't actually check $cwd, so this would happen:

<?php
  $cwd = sys_get_temp_dir() . '/php-src-proc-open-nul-poc';
  @mkdir($cwd);

  $proc = proc_open(
      [PHP_BINARY, '-r', 'echo getcwd(), PHP_EOL;'],
      [1 => ['pipe', 'w']],
      $pipes,
      $cwd . "\0/ignored"
  );

  echo stream_get_contents($pipes[1]);
  proc_close($proc);

The output would be /php-src-proc-open-nul-poc, ignoring trailing \0/ignored

reproduce in: https://3v4l.org/o56Sq#v

@LamentXU123 LamentXU123 requested a review from bukka as a code owner April 25, 2026 07:39
@LamentXU123
Copy link
Copy Markdown
Contributor Author

LamentXU123 commented May 1, 2026

Ah, CI is happy now. Need someone with write access to merge :)

@TimWolla TimWolla merged commit 28f668d into php:master May 2, 2026
19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bukka bukka bukka approved these changes

@TimWolla TimWolla TimWolla approved these changes

Assignees

No one assigned

Labels

Extension: standard

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@LamentXU123 @bukka @TimWolla