php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #35161 Inaccurate documentation about popen() escaping in safe_mode
Submitted: 2005-11-09 03:28 UTC Modified: 2005-11-09 14:06 UTC
From: brion at pobox dot com Assigned:
Status: Closed Package: Documentation problem
PHP Version: Irrelevant OS: Mac OS X
Private report: No CVE-ID: None
 [2005-11-09 03:28 UTC] brion at pobox dot com
Description:
------------
This bug was reported some months ago about odd escaping in 
popen() when safe_mode is on:
http://bugs.php.net/bug.php?id=32701

Arguments correctly escaped, as with escapeshellarg(), end 
up being unexpectedly corrupted under safe_mode with the 
addition of unexpected backslashes.

The bug was marked as BOGUS. If it this is the intended 
behavior, the documentation needs to be modified to reflect 
this. Currently the docs for popen() and several other 
functions include only this caveat:

"With safe mode enabled, all words following the initial 
command string are treated as a single argument. Thus, echo 
y | echo x becomes echo "y | echo x"."

However that is *false*:
1) Multiple arguments are sent where separated by spaces.
2) Quotes seem to be understood, so multi-word arguments are 
themselves passed intact.
3) In addition to this sensible behavior, many characters 
have backslashes inserted before them, even if they are 
inside already-quoted arguments.

Accurate documentation, and an explanation of how to get 
parameters to the other program without corruption, would be  
a huge help in making our programs work correctly under 
safe_mode.

cf http://bugzilla.wikimedia.org/show_bug.cgi?id=3891#c13


Reproduce code:
---------------
<?php
$r = popen("echo '-=< Test >=-'", "r");
print(stream_get_contents($r));
pclose($r);
?>

Expected result:
----------------
-=< Test >=-


Actual result:
--------------
-=\< Test \>=-


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-11-09 12:14 UTC] vrana@php.net
Snippet changed to: "With safe mode enabled, the command string is escaped with escapeshellcmd(). Thus, echo 
y | echo x becomes echo y \| echo x."

There's really no way to echo '-=< Test >=-' in safe_mode so I have reopened the bug #32701.

I'm leaving this one open until 32701 will be resolved to document the final state.
 [2005-11-09 14:06 UTC] vrana@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

32701 has been changed to Feature request and safe_mode will be removed from PHP 6. So this is effectively the final state. I've added "Following characters are preceded by a backslash: #&;`|*?~<>^()[]{}$\, \x0A  and \xFF. ' and "  are escaped only if they are not paired. In Windows, all these characters plus % are replaced by a space instead." to escapeshellcmd() documentation.

Your 3891#13 can be run without any quotes in safe_mode as you are lucky enough to don't have any spaces in the argument.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 08:01:28 2024 UTC