Fix GHSA-9fcc-425m-g385: bypass CVE-2024-1874

Author: Jan-E

ext/standard/proc_open.c

@@ -474,48 +474,39 @@ static void append_win_escaped_arg(smart_string *str, char *arg, BOOL is_cmd_arg
 	smart_string_appendc(str, '"');
 }
 
-static BOOL stricmp_end(const char* suffix, const char* str) {
-    size_t suffix_len = strlen(suffix);
-    size_t str_len = strlen(str);
+static BOOL is_executed_by_cmd(const char *prog_name, size_t prog_name_length)
+{
+    size_t out_len;
+    WCHAR long_name[MAX_PATH];
+    WCHAR full_name[MAX_PATH];
+    LPWSTR file_part = NULL;
 
-    if (suffix_len > str_len) {
-        return -1; /* Suffix is longer than string, cannot match. */
-    }
+    wchar_t *prog_name_wide = php_win32_cp_conv_any_to_w(prog_name, prog_name_length, &out_len);
 
-    /* Compare the end of the string with the suffix, ignoring case. */
-    return _stricmp(str + (str_len - suffix_len), suffix);
-}
+    if (GetLongPathNameW(prog_name_wide, long_name, MAX_PATH) == 0) {
+        /* This can fail for example with ERROR_FILE_NOT_FOUND (short path resolution only works for existing files)
+         * in which case we'll pass the path verbatim to the FullPath transformation. */
+        lstrcpynW(long_name, prog_name_wide, MAX_PATH);
+    }
 
-static BOOL is_executed_by_cmd(const char *prog_name)
-{
-	/* If program name is cmd.exe, then return true. */
-	if (_stricmp("cmd.exe", prog_name) == 0 || _stricmp("cmd", prog_name) == 0
-			|| stricmp_end("\\cmd.exe", prog_name) == 0 || stricmp_end("\\cmd", prog_name) == 0) {
-		return 1;
-	}
+    free(prog_name_wide);
+    prog_name_wide = NULL;
 
-    /* Find the last occurrence of the directory separator (backslash or forward slash). */
-    char *last_separator = strrchr(prog_name, '\\');
-    char *last_separator_fwd = strrchr(prog_name, '/');
-    if (last_separator_fwd && (!last_separator || last_separator < last_separator_fwd)) {
-        last_separator = last_separator_fwd;
+    if (GetFullPathNameW(long_name, MAX_PATH, full_name, &file_part) == 0 || file_part == NULL) {
+        return 0;
     }
 
-    /* Find the last dot in the filename after the last directory separator. */
-    char *extension = NULL;
-    if (last_separator != NULL) {
-        extension = strrchr(last_separator, '.');
+    BOOL uses_cmd = 0;
+    if (_wcsicmp(file_part, L"cmd.exe") == 0 || _wcsicmp(file_part, L"cmd") == 0) {
+        uses_cmd = 1;
     } else {
-        extension = strrchr(prog_name, '.');
-    }
-
-    if (extension == NULL || extension == prog_name) {
-        /* No file extension found, it is not batch file. */
-        return 0;
+        const WCHAR *extension_dot = wcsrchr(file_part, L'.');
+        if (extension_dot && (_wcsicmp(extension_dot, L".bat") == 0 || _wcsicmp(extension_dot, L".cmd") == 0)) {
+            uses_cmd = 1;
+        }
     }
 
-    /* Check if the file extension is ".bat" or ".cmd" which is always executed by cmd.exe. */
-    return (_stricmp(extension, ".bat") == 0 || _stricmp(extension, ".cmd") == 0) ? 1 : 0;
+    return uses_cmd;
 }
 
 static char *create_win_command_from_args(HashTable *args) {
@@ -533,7 +524,7 @@ static char *create_win_command_from_args(HashTable *args) {
 		}
 
 		if (is_prog_name) {
-			is_cmd_execution = is_executed_by_cmd(ZSTR_VAL(arg_str));
+			is_cmd_execution = is_executed_by_cmd(ZSTR_VAL(arg_str), ZSTR_LEN(arg_str));
 		} else {
 			smart_string_appendc(&str, ' ');
 		}

ext/standard/tests/general_functions/ghsa-9fcc-425m-g385_001.phpt

@@ -0,0 +1,56 @@
+--TEST--
+GHSA-9fcc-425m-g385 - bypass CVE-2024-1874 - batch file variation
+--SKIPIF--
+<?php
+if( substr(PHP_OS, 0, 3) != "WIN" )
+  die('skip Run only on Windows');
+if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
+?>
+--FILE--
+<?php
+
+$batch_file_content = <<<EOT
+@echo off
+powershell -Command "Write-Output '%0%'"
+powershell -Command "Write-Output '%1%'"
+EOT;
+$batch_file_path = __DIR__ . '/ghsa-9fcc-425m-g385_001.bat';
+
+file_put_contents($batch_file_path, $batch_file_content);
+
+$descriptorspec = [STDIN, STDOUT, STDOUT];
+
+$proc = proc_open([$batch_file_path . ".", "\"&notepad.exe"], $descriptorspec, $pipes);
+proc_close($proc);
+$proc = proc_open([$batch_file_path . "  ", "\"&notepad.exe"], $descriptorspec, $pipes);
+proc_close($proc);
+$proc = proc_open([$batch_file_path . ".  ", "\"&notepad.exe"], $descriptorspec, $pipes);
+proc_close($proc);
+$proc = proc_open([$batch_file_path . ". ...  ", "\"&notepad.exe"], $descriptorspec, $pipes);
+proc_close($proc);
+$proc = proc_open([$batch_file_path . ". ... . ", "\"&notepad.exe"], $descriptorspec, $pipes);
+proc_close($proc);
+$proc = proc_open([$batch_file_path . ". ... . .", "\"&notepad.exe"], $descriptorspec, $pipes);
+proc_close($proc);
+proc_open([$batch_file_path . ". .\\.. . .", "\"&notepad.exe"], $descriptorspec, $pipes);
+
+?>
+--EXPECTF--
+'"%sghsa-9fcc-425m-g385_001.bat."' is not recognized as an internal or external command,
+operable program or batch file.
+%sghsa-9fcc-425m-g385_001.bat 
+"&notepad.exe
+%sghsa-9fcc-425m-g385_001.bat. 
+"&notepad.exe
+%sghsa-9fcc-425m-g385_001.bat. ... 
+"&notepad.exe
+%sghsa-9fcc-425m-g385_001.bat. ... . 
+"&notepad.exe
+'"%sghsa-9fcc-425m-g385_001.bat. ... . ."' is not recognized as an internal or external command,
+operable program or batch file.
+
+Warning: proc_open(): CreateProcess failed, error code: 2 in %s on line %d
+--CLEAN--
+<?php
+@unlink(__DIR__ . '/ghsa-9fcc-425m-g385_001.bat');
+?>

ext/standard/tests/general_functions/ghsa-9fcc-425m-g385_002.phpt

@@ -0,0 +1,66 @@
+--TEST--
+GHSA-9fcc-425m-g385 - bypass CVE-2024-1874 - cmd.exe variation
+--SKIPIF--
+<?php
+if( substr(PHP_OS, 0, 3) != "WIN" )
+  die('skip Run only on Windows');
+if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
+?>
+--FILE--
+<?php
+
+$batch_file_content = <<<EOT
+@echo off
+powershell -Command "Write-Output '%0%'"
+powershell -Command "Write-Output '%1%'"
+EOT;
+$batch_file_path = __DIR__ . '/ghsa-9fcc-425m-g385_002.bat';
+
+file_put_contents($batch_file_path, $batch_file_content);
+
+$descriptorspec = [STDIN, STDOUT, STDOUT];
+
+$proc = proc_open(["cmd.exe", "/c", $batch_file_path, "\"&notepad.exe"], $descriptorspec, $pipes);
+proc_close($proc);
+$proc = proc_open(["cmd.exe   ", "/c", $batch_file_path, "\"&notepad.exe"], $descriptorspec, $pipes);
+proc_close($proc);
+$proc = proc_open(["cmd.exe.   ", "/c", $batch_file_path, "\"&notepad.exe"], $descriptorspec, $pipes);
+proc_close($proc);
+$proc = proc_open(["cmd.exe. ...  ", "/c", $batch_file_path, "\"&notepad.exe"], $descriptorspec, $pipes);
+proc_close($proc);
+$proc = proc_open(["\\cmd.exe. ...  ", "/c", $batch_file_path, "\"&notepad.exe"], $descriptorspec, $pipes);
+
+$proc = proc_open(["cmd", "/c", $batch_file_path, "\"&notepad.exe"], $descriptorspec, $pipes);
+proc_close($proc);
+$proc = proc_open(["cmd   ", "/c", $batch_file_path, "\"&notepad.exe"], $descriptorspec, $pipes);
+proc_close($proc);
+$proc = proc_open(["cmd.   ", "/c", $batch_file_path, "\"&notepad.exe"], $descriptorspec, $pipes);
+$proc = proc_open(["cmd. ...  ", "/c", $batch_file_path, "\"&notepad.exe"], $descriptorspec, $pipes);
+$proc = proc_open(["\\cmd. ...  ", "/c", $batch_file_path, "\"&notepad.exe"], $descriptorspec, $pipes);
+
+?>
+--EXPECTF--
+%sghsa-9fcc-425m-g385_002.bat
+"&notepad.exe
+%sghsa-9fcc-425m-g385_002.bat
+"&notepad.exe
+%sghsa-9fcc-425m-g385_002.bat
+"&notepad.exe
+%sghsa-9fcc-425m-g385_002.bat
+"&notepad.exe
+
+Warning: proc_open(): CreateProcess failed, error code: 2 in %s on line %d
+%sghsa-9fcc-425m-g385_002.bat
+"&notepad.exe
+%sghsa-9fcc-425m-g385_002.bat
+"&notepad.exe
+
+Warning: proc_open(): CreateProcess failed, error code: 2 in %s on line %d
+
+Warning: proc_open(): CreateProcess failed, error code: 2 in %s on line %d
+
+Warning: proc_open(): CreateProcess failed, error code: 2 in %s on line %d
+--CLEAN--
+<?php
+@unlink(__DIR__ . '/ghsa-9fcc-425m-g385_002.bat');
+?>