Bug #43784 escapeshellarg removes % from given string
Submitted: 2008-01-08 09:04 UTC Modified: 2015-01-09 01:04 UTC
Votes:5
Avg. Score:4.4 ± 0.5
Reproduced:5 of 5 (100.0%)
Same Version:2 (40.0%)
Same OS:5 (100.0%)
From: bate@php.net Assigned: scottmac (profile)
Status: Closed Package: Program Execution
PHP Version: 6CVS-2008-01-08 (snap) OS: Windows
Private report: No CVE-ID: None
 [2008-01-08 09:04 UTC] bate@php.net
Description:
------------
escapeshellarg(string) removes all % characters from it. This results in a non-working version for arguments that require % for formatting.

i.e. imagick identify.exe

identify -format "%m" myimage.png



Reproduce code:
---------------
<?php
echo escapeshellarg('%m %f %v');


Expected result:
----------------
'%m %f %v'

Actual result:
--------------
' m  f  v'

 [2008-01-08 09:10 UTC] derick@php.net
This is because of the following commit:
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/exec.c?r1=1.84.2.13&r2=1.84.2.14
which was a reaction to a security bulletin. However, just stripping out the % is not the solution, as it can only be used to access env vars *outside* strings, and with a matching %. However, just stripping them out is not a good solution as it hinders real life use of it like in this example.
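Added example, not code from the bug report or from PHP's own sources. It ties the reproduce case above to the explanation in this comment: the `%` is only dangerous because the string is handed to cmd.exe, which expands `%NAME%` pairs. The defensive fix a practitioner wants is therefore not to escape harder but to keep the argument away from the shell entirely. The block below shows escapeshellarg() on the current build next to proc_open() with an argument array (PHP 7.4 and later), which starts the child directly so the bytes arrive unchanged. The helper name run_without_shell() and the sample format string are ours; the child is the PHP binary itself so the example runs wherever PHP does.

```php
<?php
// Added example (not from the report). Shows the shell-free way to pass an
// argument that must keep its '%' characters, using proc_open() with an
// argument array, which bypasses cmd.exe on Windows and /bin/sh elsewhere.

/**
 * Run a program with an explicit argument vector, bypassing any shell.
 * Returns [exit code, stdout, stderr]. (Helper name is our own.)
 */
function run_without_shell(array $argv): array
{
    $spec = [
        0 => ['pipe', 'r'],   // child stdin
        1 => ['pipe', 'w'],   // child stdout
        2 => ['pipe', 'w'],   // child stderr
    ];
    // Passing an array as $command makes proc_open() launch the program
    // directly: no shell sees the arguments, so there is no %VAR%
    // expansion to defend against and no need for escapeshellarg().
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    fclose($pipes[0]);
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $code = proc_close($proc);
    return [$code, $out, $err];
}

// Constructed sample: a format string of the kind identify.exe takes.
$format = '%m %f %v';

// 1. What escapeshellarg() makes of it on this build. On the reporter's
//    Windows build the percent signs were replaced, giving ' m  f  v'.
echo "escapeshellarg: ", escapeshellarg($format), PHP_EOL;

// 2. Shell-free path: the child gets the argument byte for byte. The -r
//    script simply echoes its first positional argument; '--' stops the
//    PHP CLI from reading anything after it as an option.
[$code, $out, $err] = run_without_shell([
    PHP_BINARY, '-r', 'echo $argv[1];', '--', $format,
]);
echo "child received: ", $out, PHP_EOL;
echo "intact: ", var_export($code === 0 && $out === $format, true), PHP_EOL;
```

Run it with the PHP CLI. The second line shows the argument reaching the child unmodified, which is the property the reporter needed from escapeshellarg(); the difference is that nothing in between can treat a `%NAME%` pair as an environment variable. On PHP releases before 7.4 the same effect on Windows needs the string form of proc_open() together with the documented `bypass_shell` option, and the caller must then quote the command line for the target program itself.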
 [2008-01-08 09:10 UTC] derick@php.net
I'm assigning it to you ilia, as you made the original patch as well.
 [2008-07-20 16:09 UTC] pajoye@php.net
Assigned to Scott to see if this problem can't be solved with the one described in #43261
 [2015-01-09 01:04 UTC] ajf@php.net
-Status: Assigned +Status: Closed
 [2015-01-09 01:04 UTC] ajf@php.net
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php

I'm using 5.6 and this is fixed. I assume it was fixed a while ago, but I don't know which version.
 