Fixed bug #19313

Fixed argument count check for system/exec/passthru functions
Added a check to system/exec/passthru functions to make sure execution
parameter is not blank before attempting to execute it.

ext/standard/exec.c

@@ -309,9 +309,14 @@ PHP_FUNCTION(exec)
 	int arg_count = ZEND_NUM_ARGS();
 	int ret;
 
-	if (arg_count > 3 || zend_get_parameters_ex(arg_count, &arg1, &arg2, &arg3) == FAILURE) {
+	if (arg_count < 1 || arg_count > 3 || zend_get_parameters_ex(arg_count, &arg1, &arg2, &arg3) == FAILURE) {
 		WRONG_PARAM_COUNT;
 	}
+	
+	if (!Z_STRLEN_PP(arg1)) {
+		PHP_EMPTY_EXEC_PARAM;
+	}
+	
 	switch (arg_count) {
 		case 1:
 			ret = php_Exec(0, Z_STRVAL_PP(arg1), NULL, return_value TSRMLS_CC);
@@ -337,9 +342,14 @@ PHP_FUNCTION(system)
 	int arg_count = ZEND_NUM_ARGS();
 	int ret;
 
-	if (arg_count > 2 || zend_get_parameters_ex(arg_count, &arg1, &arg2) == FAILURE) {
+	if (arg_count < 1 || arg_count > 2 || zend_get_parameters_ex(arg_count, &arg1, &arg2) == FAILURE) {
 		WRONG_PARAM_COUNT;
 	}
+	
+	if (!Z_STRLEN_PP(arg1)) {
+		PHP_EMPTY_EXEC_PARAM;
+	}
+	
 	switch (arg_count) {
 		case 1:
 			ret = php_Exec(1, Z_STRVAL_PP(arg1), NULL, return_value TSRMLS_CC);
@@ -361,9 +371,14 @@ PHP_FUNCTION(passthru)
 	int arg_count = ZEND_NUM_ARGS();
 	int ret;
 
-	if (arg_count > 2 || zend_get_parameters_ex(arg_count, &arg1, &arg2) == FAILURE) {
+	if (arg_count < 1 || arg_count > 2 || zend_get_parameters_ex(arg_count, &arg1, &arg2) == FAILURE) {
 		WRONG_PARAM_COUNT;
 	}
+	
+	if (!Z_STRLEN_PP(arg1)) {
+		PHP_EMPTY_EXEC_PARAM;
+	}
+	
 	switch (arg_count) {
 		case 1:
 			ret = php_Exec(3, Z_STRVAL_PP(arg1), NULL, return_value TSRMLS_CC);

ext/standard/exec.h

@@ -35,4 +35,6 @@ char *php_escape_shell_cmd(char *);
 char *php_escape_shell_arg(char *);
 int php_Exec(int type, char *cmd, pval *array, pval *return_value TSRMLS_DC);
 
+#define PHP_EMPTY_EXEC_PARAM { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot execute a blank command"); RETURN_FALSE; }
+
 #endif /* EXEC_H */