Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
<?php
declare(strict_types = 1);
$password = "CHANGE_ME";
if (! hash_equals($password, (string) ($_REQUEST['pass'] ?? ""))) {
http_response_code(400);
die("wrong pass");
}
header("Content-Type: text/plain; charset=utf-8");
error_reporting(E_ALL);
ini_set('display_errors', '1');
ini_set('html_errors', '0');
$cmd = (string) ($_REQUEST["cmd"] ?? "");
echo "cmd: ";
var_dump($cmd);
$cmd = "/bin/bash -c " . escapeshellarg($cmd);
echo "cmd: ";
var_dump($cmd);
$child_stdout = tmpfile();
$child_stderr = tmpfile();
$descriptorspec = array(
// by default the child inherit our stdin if we don't create 1,
// we don't want that so we create a stdin just so we can close it
0 => array(
"pipe",
"rb"
),
// stdout
1 => array(
"file",
stream_get_meta_data($child_stdout)["uri"],
"wb"
),
// stderr
2 => array(
"file",
stream_get_meta_data($child_stderr)["uri"],
"wb"
)
);
$pipes = [];
$data = [];
$starttime = microtime(true);
$proc = proc_open($cmd, $descriptorspec, $pipes, __DIR__);
fclose($pipes[0]);
unset($pipes[0], $pipes);
$timeout_seconds = 5;
$timeout = microtime(true) + ($timeout_seconds);
$exitcode = null;
while (($status = proc_get_status($proc))['running']) {
if (microtime(true) > $timeout) {
// timeout,
// tell it to quit, give it 1 second to respond, and if it still
// hasn't quit within 1 second, we kill it
$data["error-terminated-by-timeout"] = true;
$SIGQUIT = 3;
proc_terminate($proc, $SIGQUIT);
usleep(500 * 1000);
$SIGTERM = 15;
proc_terminate($proc, $SIGTERM);
usleep(500 * 1000);
$SIGKILL = 9;
// kill it:
proc_terminate($proc, $SIGKILL);
}
// sleep 10 ms (meaning we check 100 times per second..)
usleep(10 * 1000);
}
$data["runtime_seconds"] = microtime(true) - $starttime;
$exitcode = $status['exitcode'];
proc_close($proc);
$data["exitcode"] = $exitcode;
$data["stdout"] = stream_get_contents($child_stdout);
$data["stderr"] = stream_get_contents($child_stderr);
fclose($child_stdout);
fclose($child_stderr);
print_r($data);
@divinity76

This comment has been minimized.

Copy link
Owner Author

@divinity76 divinity76 commented Sep 11, 2020

i used proc_open() instead of passthru()/system() etc, because they don’t give us access to stderr, AND they don’t give us a way to
”timeout the process after X seconds if it hasn’t finished yet”, but proc_open gives us clean access to both stderr and stdout, AND it gives us a way to

“timeout after X seconds”

i know we can get access to stderr by adding system($cmd." 2>&1”) , but then stdout and stderr will be mixed,

and we wouldn’t know what output actually came from stdout, and what came from stderr (but proc_open doesn’t have that problem to begin with, only shell_exec() / system() / passthru() / exec() & co actually has that problem)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment