php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #32826 safe_mode argument quotation
Submitted: 2005-04-25 21:58 UTC Modified: 2005-04-25 23:41 UTC
From: jan dot klepal at bonicom dot cz Assigned:
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: 4CVS-2005-04-25 (stable) OS: Linux
Private report: No CVE-ID: None
View Developer Edit
 [2005-04-25 21:58 UTC] jan dot klepal at bonicom dot cz 
Description:
------------
While safe_mode is enabled PHP slash quotes in arguments passed to programs executed by exec functions.

Reproduce code:
---------------
passthru("echo \"some 'quoted' text\"");
passthru("echo 'some \"quoted\" text'");


Expected result:
----------------
some 'quoted' text
some "quoted" text


Actual result:
--------------
some \'quoted\' text
some \"quoted\" text

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-04-25 22:44 UTC] sniper@php.net 
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

RTFM
 [2005-04-25 23:41 UTC] jan dot klepal at bonicom dot cz 
I am confused...

Documentation says:

With safe mode enabled, all words following the initial command string are treated as a single argument. Thus, echo y | echo x becomes echo "y | echo x".

Try this with safe_mode enabled:

file args.sh
#!/bin/sh

echo First arg: $1
echo Second arg: $2

and php:
passthru('args.sh one two');

According to doc, I shoud get:
First arg: one two
Second arg: 

But I get:
First arg: one
Second arg: two


So echo y | echo x doesn't become echo "y | echo x" but echo y \| echo x.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Wed Dec 03 11:00:01 2025 UTC