Request #32701 Safe-mode popen(): escaping problem
Submitted: 2005-04-14 09:22 UTC Modified: 2013-03-02 18:38 UTC
From: kosmo at miechow dot com Assigned: reeze (profile)
Status: Closed Package: *General Issues
PHP Version: 5.0.4 OS: Linux
Private report: No CVE-ID: None
 [2005-04-14 09:22 UTC] kosmo at miechow dot com
Description:
------------
In safe-mode popen() is escaping the command line by calling php_escape_shell_cmd(). This function escapes the command line
and changes valid command arguments. IMHO there should be some way to disable this escaping and run in safe-mode.

Reproduce code:
---------------
<?php
$r = popen("echo '-=< Test >=-'", "r");
print(stream_get_contents($r));
pclose($r);
?>


Expected result:
----------------
-=< Test >=-

Actual result:
--------------
-=\< Test \>=-

 [2005-04-14 09:51 UTC] sniper@php.net
This is how it works. No bug here.

 [2005-11-09 12:09 UTC] vrana@php.net
It works badly. There's no way to echo '-=< Test >=-' in safe_mode. No characters inside single quotes should be escaped by php_escape_shell_cmd() as they have no special meaning.

I can prepare a patch for it if it will be accepted.
 [2005-11-09 12:57 UTC] sniper@php.net
It's still not a bug but a change request. Reclassified.

You can provide a patch if you wish. The fact is that we're going to remove the whole "safe-mode" anyway, so you're basically wasting your time. This is not the only thing that goes wrong with it.


 [2005-11-13 02:31 UTC] 5Wupdd51ogZj7Lm8B at anime dot net
Is there any link to more detailed info about safe_mode going away, and how php is handling security in the next release?
 [2013-03-02 18:38 UTC] reeze@php.net
Safe mode was gone.
 [2013-03-02 18:38 UTC] reeze@php.net
-Status: Open
+Status: Closed
-Package: Feature/Change Request
+Package: *General Issues
-Assigned To:
+Assigned To: reeze
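
Added example, not part of the original report or of PHP's own code: the escaping described in this thread is still reachable from userland through escapeshellcmd(), which calls the same php_escape_shell_cmd() routine, so the behaviour can be compared with per-argument quoting via escapeshellarg(). It assumes PHP 7 or later on a POSIX shell; the helper run_cmd() and every sample string except the first are constructed for illustration.

```php
<?php
// Added example. Assumptions: PHP >= 7, POSIX /bin/sh, popen() not disabled.

// Hypothetical helper: run a command line and return its output without
// the trailing newline.
function run_cmd(string $cmd): string {
    $h = popen($cmd, 'r');
    if ($h === false) {
        throw new RuntimeException("popen failed: $cmd");
    }
    $out = stream_get_contents($h);
    pclose($h);
    return rtrim($out, "\n");
}

$samples = [
    '-=< Test >=-',   // the argument from the report
    'a & b',          // constructed: another shell metacharacter
    "it's",           // constructed: an embedded single quote
];

foreach ($samples as $text) {
    // Whole-command escaping, which is what safe-mode popen() applied.
    // Paired quotes are left alone, but metacharacters such as < > &
    // receive a backslash even when they sit inside those quotes, and a
    // backslash inside single quotes is a literal character to the shell.
    $whole = escapeshellcmd("echo '" . $text . "'");

    // Per-argument quoting: each untrusted value becomes exactly one
    // single-quoted shell word, and the command name is a fixed literal.
    $perArg = 'echo ' . escapeshellarg($text);

    foreach (['escapeshellcmd' => $whole, 'escapeshellarg' => $perArg] as $how => $cmd) {
        $out = run_cmd($cmd);
        printf(
            "%-15s cmd=%-28s out=%-18s %s\n",
            $how,
            $cmd,
            $out,
            $out === $text ? 'preserved' : 'ALTERED'
        );
    }
}
```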
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Thu Jan 02 12:01:29 2025 UTC