Red Hat Bugzilla – Bug 1305494
php: exec function ignore length and look for NULL termination
Last modified: 2016-07-27 16:28:37 EDT
It was reported that functions defined in ext/standard/exec.c which work with strings (escapeshellcmd, escapeshellarg, shell_exec), all ignore the length of the PHP string and work with NULL termination instead. If the string is not NULL terminated (some function uses RETURN_STRINGL(buf, len, 0); where buf is not NULL terminated), running these functions will cause a buffer overflow.
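The length mismatch described in the report, as an added example that is not code from this bug or from PHP's source: a simplified, hypothetical escaper (`escape_len_aware`) that honours the (buf, len) pair, next to the length a NUL-scanning routine would process for the same pointer. The sample buffer and all names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified escaper (not PHP's own routine): backslash-escapes
 * a few shell metacharacters. It reads exactly in_len bytes and never looks
 * for a terminating NUL.
 * Returns the number of bytes written, or -1 if out is too small. */
static long escape_len_aware(const char *in, size_t in_len,
                             char *out, size_t out_cap)
{
    static const char meta[] = ";&|`$<>\\";
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        /* explicit count, so the NUL that ends meta[] is never matched */
        int special = memchr(meta, in[i], sizeof meta - 1) != NULL;
        if (o + (special ? 2u : 1u) > out_cap)
            return -1;              /* refuse instead of writing past out */
        if (special)
            out[o++] = '\\';
        out[o++] = in[i];
    }
    return (long)o;
}

/* Length a NUL-scanning routine would process when handed the same pointer. */
static size_t nul_scan_len(const char *in) { return strlen(in); }

/* Constructed sample: the "string" is only the first 4 bytes of a larger
 * region, like a (buf, len) pair whose buf is not terminated at len.
 * The region as a whole is NUL terminated so the demo itself stays defined. */
static const char region[] = "ls;xADJACENT-DATA";
static const size_t declared_len = 4;

int main(void)
{
    char out[16];
    long n = escape_len_aware(region, declared_len, out, sizeof out);
    printf("declared length: %zu, escaped to %ld bytes: %.*s\n",
           declared_len, n, (int)n, out);
    printf("NUL scan would process %zu bytes\n", nul_scan_len(region));
    return 0;
}
```

In this sample the bytes after the declared length belong to the same array; with a real unterminated buffer, the NUL scan would continue into whatever memory follows it.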
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1305565]
Upstream does not believe this is a real security problem. PHP does not normally create strings which are not NULL terminated, making it unlikely to have untrusted, not NULL terminated inputs passed to the affected escaping functions. Therefore, there's currently no plan to backport this fix to PHP versions in Red Hat products.