Please stop using CMD.EXE on the exec() function

Taomyn

Joined: 2003-11-11
Posts: 135

Posted: Mon, 2005-03-14 16:07

The use of CMD.EXE in the calls to exec() under Windows isn't needed and in fact causes all sorts of problems - I've argued the case quite successfully for G1 (as it's been removed), so why is it still in G2?

I couldn't get G2 to accept that Imagemagick was installed correctly on my system until I discovered this, and once removed everything worked. The code snippet I changed in WinNtPlatform.class now looks like:

	/*
	 * Ok, this is screwy, but for some reason these
	 * don't work:
	 *
	 *    cmd /c "c:\path with\spaces\binary" "arg"
	 *    cmd /c " c:\path\\ with\spaces\binary arg "
	 *    cmd /c " 'c:\path\ with\spaces\binary' 'arg' "
	 *
	 * But this does:
	 *
	 *    cmd /c " "c:\path with\spaces\binary" "arg" "
	 *
	 * Turns out that this is a documented feature of cmd.exe.
	 * See "cmd.exe /help" for more details
	 *
	 */
	// ***** $command = 'cmd /c "' . $command . ' 2> "' . $debugFile . '" "';
	$command = '"' . $command . '"';

	if ($gallery->getDebug()) {
	    $gallery->debug("Executing: $command");
	}
	$results = array();
	exec($command, $results, $status);

	// *****
	if ($gallery->getDebug()) {
	    $gallery->debug("Results: " . print_r($results,true));
	}

	list ($ret, $expected) =
	    GalleryCoreApi::getPluginParameter('module', 'core', 'exec.expectedStatus');
	if ($ret->isError()) {
	    if ($gallery->getDebug()) {
		$gallery->debug('Unable to look up core.exec.expectedStatus param');
	    }
	    $expected = 0;
	}

My changes marked with // *****

----

Gallery URL (optional): http://gallery2.star-one.co.uk
Gallery version: G2b1
Webserver (with version): IIS 6
Datatabase (with version): MySQL v4.1.10a
PHP version (eg 4.2.1): 5.0.3
phpinfo URL (optional):
Graphics Toolkit(s): Imagemagick v6.2.0
Operating system: Windows 2003 Server
Web browser/version: Firefox v1.0.1 & IE 6
G1 version (for migration bugs): v1.5 RC2

mindless

Joined: 2004-01-04
Posts: 8601

Posted: Mon, 2005-03-14 16:22

for reference:
http://gallery.menalto.com/index.php?name=PNphpBB2&file=viewtopic&t=13346

bharat

Joined: 2002-05-21
Posts: 7994

Posted: Tue, 2005-03-15 01:32

It's still in G2 because G2 forked off before G1.4.3

I believe that I did it this way initially for compatibility with older versions of Windows. Now I'm afraid to touch it! But you're right, we should revisit this. Would you start by filing this as a bug on sf.net and referencing this thread so that it doesn't get forgotten?

Also, I think that we should make up some kind of short PHP test script that exercises exec on a variety of command/argument sets with special characters in them (spaces, double and single quotes, etc) which we can then test out on a wide range of Windows to figure out whether this is going to cause us problems or not.

I can say that the current code does not cause me any problems on WinXP (possibly because I don't run Apache as a service, though).

Taomyn

Joined: 2003-11-11
Posts: 135

Posted: Tue, 2005-03-15 09:31

I've reported this via SF as requested.

If you'd like a hand testing the exercise script please feel free to send me a copy and I'll see how it behaves on my configuration.

h0bbel

Joined: 2002-07-28
Posts: 13451

Posted: Thu, 2005-05-26 22:15

Taomyn, I tried applying your fix to Beta 3: Bingo, without success. Would you mind trying this fix on that version as well? And, do you have any other pointers for IIS6/PHP + G2 installs?

ChrisJohnson00TA

Joined: 2004-03-15
Posts: 167

Posted: Fri, 2005-05-27 00:57

Hey h0bbel: If you get it working, see if dcraw works ;)

Taomyn: I tried as well, and couldn't make it work... any chance you can email me that specific file? I'd like to see if it fixes a specific problem I've been having with a module on IIS6.

buut

Joined: 2003-06-18
Posts: 196

Posted: Fri, 2005-05-27 01:10

h0bbel,

Don't know if this is helpful, but it looks if the code below is working for me on win2k/iis5.
Clearly this doesn't work for any path/filename with spaces. And can have a lot of other drawbacks, which I don't see. (It my first line of php code ever... :P )
I'll hope this wil help you in any way

    * Turns out that this is a documented feature of cmd.exe.
	 * See "cmd.exe /help" for more details
	 *
	 */
/* $command = 'cmd /c "' . $command . ' 2> "' . $debugFile . '" "'; */

    $command = str_replace('"',"  ", $command);
    $command = ($command . ' > ' . $debugFile);

buut

Joined: 2003-06-18
Posts: 196

Posted: Fri, 2005-05-27 01:57

h0bbel,

This also seems to work, and may also work with spaces in path/filename.

// $command = 'cmd /c "' . $command . ' 2> "' . $debugFile . '" "'; 
    $command = $command . ' 2> "' . $debugFile . '"';
    $command = substr($command, 2, strlen($command)-1) ;
    $prg = substr($command, 0, strpos($command, '"'));
    $argu = substr($command, strpos($command, '"') + 1, strlen($command) - strpos($command, '"') - 1);
    $command = $prg . $argu;

h0bbel

Joined: 2002-07-28
Posts: 13451

Posted: Fri, 2005-05-27 07:00

buut, interesting. I'll have a look at that tonight.

Taomyn

Joined: 2003-11-11
Posts: 135

Posted: Fri, 2005-05-27 07:45

I'm surprised to see this rear its ugly head again.

May I make one suggestion?

Rather than try to fix the "space" problem with code that looks complex and will probably go wrong at some point in the future, would it not be simpler for the function to take the "command" and the "arguments" as separate parameters? That way you simply enclose the command in quotes then join the two together when executing them.

Just a thought as I'd hate to see this get broken again.

valiant

Joined: 2003-01-04
Posts: 32509

Posted: Fri, 2005-05-27 07:54

Taomyn, sure, makes sense. But first try to get it working. h0bbel is writing IIS6/G2 docs at the moment and the cmd calls didn't work for him. So the first thing is to get it working, then we can refactor the code, if there's a need to.

h0bbel

Joined: 2002-07-28
Posts: 13451

Posted: Fri, 2005-05-27 08:05

Taomyn, as valiant pointed out, we are looking at this rigth now. Since I couldn't get it to run anything via exec calls on w2k3 and IIS6, I need some help in figuring out why. Any tips?

Taomyn

Joined: 2003-11-11
Posts: 135

Posted: Fri, 2005-05-27 08:26

Have you tried using Filemon from Sysinternals to monitor file activity? It will capture file accesses (filtered if need be) so you can see what the processes are trying to do. It's how I sorted this out before.

Also make sure to give the following security:

CMD.EXE - IUSR_computername & NETWORK SERVICE Read + Execute
PHP temp - IUSR_computername & NETWORK SERVICE Modify

Basically the two acounts, IUSR_computername & NETWORK SERVICE, are used various parts of IIS6 to access the rest of the server.

Oh, and unlike a few other recommendations I've seen, don't make a copy of CMD.EXE just for this - there's no need and any service packs will not update the executable you copy.

I can offer direct help on the server but that would require me to have full access via TS to the server to get to the bottom of why its not working :-?

valiant

Joined: 2003-01-04
Posts: 32509

Posted: Fri, 2005-05-27 08:38

sidenote: make sure to use double-quotes and not single-quotes when using error redirection, see first user comment of http://php.net/system

h0bbel

Joined: 2002-07-28
Posts: 13451

Posted: Fri, 2005-05-27 09:07

Taomyn, i've used filemon, yes. I'll have a new stab at this during the weekend, and if i'm unable to sort it out, I'll be happy to provide you with TS access. My W2K3 box is running inside vmware anyway, and it's only used for this. Whatever you do, i can always revert to a snapshot.

buut

Joined: 2003-06-18
Posts: 196

Posted: Fri, 2005-05-27 12:28

Both of the solutions are quick tested on a win2k/iis5 server, which off course is much less strict is permissions. If it is helpful I can provide access to this machine. It may help you guys in determine if it is a coding problem or if it is a iis6 issue.

h0bbel

Joined: 2002-07-28
Posts: 13451

Posted: Fri, 2005-05-27 15:31

buut, i'll post as soon as i've looked at it this weekend. I do suspect that there is something IIS6 specific though, but that might very well be my own fault.

Civok88

Joined: 2006-10-12
Posts: 3

Posted: Tue, 2006-10-17 15:11

...and what was the result?

Just curious as I'm looking for a solution to allowing the IUSR_ account on an Win2003Svr/IIS6 execute permissions to the cmd.exe.

Is this no longer an issue of concern? If so, I will look into other graphics modules besides ImageMagick in the hopes that one of them uses their own .DLL or .EXE to perform image tasks.

Thank you for your time.

valiant

Joined: 2003-01-04
Posts: 32509

Posted: Tue, 2006-10-17 15:45

No result. there's still a bug, but noone deems it important enough to take a look at it.

http://gallery.menalto.com/sfvote/vote/1163580

wisp

Joined: 2008-04-27
Posts: 2

Posted: Sun, 2008-04-27 07:19

If all you nice people have fixed this way back when, why am I still having trouble with this in 2008?

Taomyn Joined: 2003-11-11 Posts: 135	Posted: Mon, 2005-03-14 16:07
	The use of CMD.EXE in the calls to exec() under Windows isn't needed and in fact causes all sorts of problems - I've argued the case quite successfully for G1 (as it's been removed), so why is it still in G2? I couldn't get G2 to accept that Imagemagick was installed correctly on my system until I discovered this, and once removed everything worked. The code snippet I changed in WinNtPlatform.class now looks like: /* * Ok, this is screwy, but for some reason these * don't work: * * cmd /c "c:\path with\spaces\binary" "arg" * cmd /c " c:\path\\ with\spaces\binary arg " * cmd /c " 'c:\path\ with\spaces\binary' 'arg' " * * But this does: * * cmd /c " "c:\path with\spaces\binary" "arg" " * * Turns out that this is a documented feature of cmd.exe. * See "cmd.exe /help" for more details * / // ** $command = 'cmd /c "' . $command . ' 2> "' . $debugFile . '" "'; $command = '"' . $command . '"'; if ($gallery->getDebug()) { $gallery->debug("Executing: $command"); } $results = array(); exec($command, $results, $status); // * if ($gallery->getDebug()) { $gallery->debug("Results: " . print_r($results,true)); } list ($ret, $expected) = GalleryCoreApi::getPluginParameter('module', 'core', 'exec.expectedStatus'); if ($ret->isError()) { if ($gallery->getDebug()) { $gallery->debug('Unable to look up core.exec.expectedStatus param'); } $expected = 0; } My changes marked with // *** ---- Gallery URL (optional): http://gallery2.star-one.co.uk Gallery version: G2b1 Webserver (with version): IIS 6 Datatabase (with version): MySQL v4.1.10a PHP version (eg 4.2.1): 5.0.3 phpinfo URL (optional): Graphics Toolkit(s): Imagemagick v6.2.0 Operating system: Windows 2003 Server Web browser/version: Firefox v1.0.1 & IE 6 G1 version (for migration bugs): v1.5 RC2
	XUser login Username: * Password: * Create new account Request new password
mindless Joined: 2004-01-04 Posts: 8601	Posted: Mon, 2005-03-14 16:22
	for reference: http://gallery.menalto.com/index.php?name=PNphpBB2&file=viewtopic&t=13346

bharat Joined: 2002-05-21 Posts: 7994	Posted: Tue, 2005-03-15 01:32
	It's still in G2 because G2 forked off before G1.4.3 I believe that I did it this way initially for compatibility with older versions of Windows. Now I'm afraid to touch it! But you're right, we should revisit this. Would you start by filing this as a bug on sf.net and referencing this thread so that it doesn't get forgotten? Also, I think that we should make up some kind of short PHP test script that exercises exec on a variety of command/argument sets with special characters in them (spaces, double and single quotes, etc) which we can then test out on a wide range of Windows to figure out whether this is going to cause us problems or not. I can say that the current code does not cause me any problems on WinXP (possibly because I don't run Apache as a service, though).

Taomyn Joined: 2003-11-11 Posts: 135	Posted: Tue, 2005-03-15 09:31
	I've reported this via SF as requested. If you'd like a hand testing the exercise script please feel free to send me a copy and I'll see how it behaves on my configuration.

h0bbel Joined: 2002-07-28 Posts: 13451	Posted: Thu, 2005-05-26 22:15
	Taomyn, I tried applying your fix to Beta 3: Bingo, without success. Would you mind trying this fix on that version as well? And, do you have any other pointers for IIS6/PHP + G2 installs?

ChrisJohnson00TA Joined: 2004-03-15 Posts: 167	Posted: Fri, 2005-05-27 00:57
	Hey h0bbel: If you get it working, see if dcraw works ;) Taomyn: I tried as well, and couldn't make it work... any chance you can email me that specific file? I'd like to see if it fixes a specific problem I've been having with a module on IIS6.

buut Joined: 2003-06-18 Posts: 196	Posted: Fri, 2005-05-27 01:10
	h0bbel, Don't know if this is helpful, but it looks if the code below is working for me on win2k/iis5. Clearly this doesn't work for any path/filename with spaces. And can have a lot of other drawbacks, which I don't see. (It my first line of php code ever... :P ) I'll hope this wil help you in any way * Turns out that this is a documented feature of cmd.exe. * See "cmd.exe /help" for more details * / / $command = 'cmd /c "' . $command . ' 2> "' . $debugFile . '" "'; */ $command = str_replace('"'," ", $command); $command = ($command . ' > ' . $debugFile);

buut Joined: 2003-06-18 Posts: 196	Posted: Fri, 2005-05-27 01:57
	h0bbel, This also seems to work, and may also work with spaces in path/filename. // $command = 'cmd /c "' . $command . ' 2> "' . $debugFile . '" "'; $command = $command . ' 2> "' . $debugFile . '"'; $command = substr($command, 2, strlen($command)-1) ; $prg = substr($command, 0, strpos($command, '"')); $argu = substr($command, strpos($command, '"') + 1, strlen($command) - strpos($command, '"') - 1); $command = $prg . $argu;

h0bbel Joined: 2002-07-28 Posts: 13451	Posted: Fri, 2005-05-27 07:00
	buut, interesting. I'll have a look at that tonight.

Taomyn Joined: 2003-11-11 Posts: 135	Posted: Fri, 2005-05-27 07:45
	I'm surprised to see this rear its ugly head again. May I make one suggestion? Rather than try to fix the "space" problem with code that looks complex and will probably go wrong at some point in the future, would it not be simpler for the function to take the "command" and the "arguments" as separate parameters? That way you simply enclose the command in quotes then join the two together when executing them. Just a thought as I'd hate to see this get broken again.

valiant Joined: 2003-01-04 Posts: 32509	Posted: Fri, 2005-05-27 07:54
	Taomyn, sure, makes sense. But first try to get it working. h0bbel is writing IIS6/G2 docs at the moment and the cmd calls didn't work for him. So the first thing is to get it working, then we can refactor the code, if there's a need to.

h0bbel Joined: 2002-07-28 Posts: 13451	Posted: Fri, 2005-05-27 08:05
	Taomyn, as valiant pointed out, we are looking at this rigth now. Since I couldn't get it to run anything via exec calls on w2k3 and IIS6, I need some help in figuring out why. Any tips?

Taomyn Joined: 2003-11-11 Posts: 135	Posted: Fri, 2005-05-27 08:26
	Have you tried using Filemon from Sysinternals to monitor file activity? It will capture file accesses (filtered if need be) so you can see what the processes are trying to do. It's how I sorted this out before. Also make sure to give the following security: CMD.EXE - IUSR_computername & NETWORK SERVICE Read + Execute PHP temp - IUSR_computername & NETWORK SERVICE Modify Basically the two acounts, IUSR_computername & NETWORK SERVICE, are used various parts of IIS6 to access the rest of the server. Oh, and unlike a few other recommendations I've seen, don't make a copy of CMD.EXE just for this - there's no need and any service packs will not update the executable you copy. I can offer direct help on the server but that would require me to have full access via TS to the server to get to the bottom of why its not working :-?

valiant Joined: 2003-01-04 Posts: 32509	Posted: Fri, 2005-05-27 08:38
	sidenote: make sure to use double-quotes and not single-quotes when using error redirection, see first user comment of http://php.net/system

h0bbel Joined: 2002-07-28 Posts: 13451	Posted: Fri, 2005-05-27 09:07
	Taomyn, i've used filemon, yes. I'll have a new stab at this during the weekend, and if i'm unable to sort it out, I'll be happy to provide you with TS access. My W2K3 box is running inside vmware anyway, and it's only used for this. Whatever you do, i can always revert to a snapshot.

buut Joined: 2003-06-18 Posts: 196	Posted: Fri, 2005-05-27 12:28
	Both of the solutions are quick tested on a win2k/iis5 server, which off course is much less strict is permissions. If it is helpful I can provide access to this machine. It may help you guys in determine if it is a coding problem or if it is a iis6 issue.

h0bbel Joined: 2002-07-28 Posts: 13451	Posted: Fri, 2005-05-27 15:31
	buut, i'll post as soon as i've looked at it this weekend. I do suspect that there is something IIS6 specific though, but that might very well be my own fault.

Civok88 Joined: 2006-10-12 Posts: 3	Posted: Tue, 2006-10-17 15:11
	...and what was the result? Just curious as I'm looking for a solution to allowing the IUSR_ account on an Win2003Svr/IIS6 execute permissions to the cmd.exe. Is this no longer an issue of concern? If so, I will look into other graphics modules besides ImageMagick in the hopes that one of them uses their own .DLL or .EXE to perform image tasks. Thank you for your time.

valiant Joined: 2003-01-04 Posts: 32509	Posted: Tue, 2006-10-17 15:45
	No result. there's still a bug, but noone deems it important enough to take a look at it. http://gallery.menalto.com/sfvote/vote/1163580

wisp Joined: 2008-04-27 Posts: 2	Posted: Sun, 2008-04-27 07:19
	If all you nice people have fixed this way back when, why am I still having trouble with this in 2008?

Please stop using CMD.EXE on the exec() function

XUser login