php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #43784 escapeshellarg removes % from given string
Submitted: 2008-01-08 09:04 UTC Modified: 2015-01-09 01:04 UTC
Votes:5
Avg. Score:4.4 ± 0.5
Reproduced:5 of 5 (100.0%)
Same Version:2 (40.0%)
Same OS:5 (100.0%)
From: bate@php.net Assigned: scottmac (profile)
Status: Closed Package: Program Execution
PHP Version: 6CVS-2008-01-08 (snap) OS: Windows
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: bate@php.net
New email:
PHP Version: OS:

 

 [2008-01-08 09:04 UTC] bate@php.net 
Description:
------------
escapeshellarg(string) removes all % out of it. This results in a non working version for arguments that requires % for formating.

ie. imagick identify.exe

identify -format "%m" myimage.png



Reproduce code:
---------------
<?php
echo escapeshellarg('%m %f %v');


Expected result:
----------------
'%m %f %v'

Actual result:
--------------
' m  f  v'

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-01-08 09:10 UTC] derick@php.net 
This is because of the following commit:
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/exec.c?r1=1.84.2.13&r2=1.84.2.14
which was a reaction to a security bulletin. However, just stripping out the % is not the solution, as it can only be used to access env vars *outside* strings, and with a matching %. However, just stripping them out is not a good solution as it hinders real life use of it like in this example.
 [2008-01-08 09:10 UTC] derick@php.net 
I'm assigning it to you ilia, as you made the original patch as well.
 [2008-07-20 16:09 UTC] pajoye@php.net 
Assigned to Scott to see if this problem can't be solved with the one describe in #43261
 [2015-01-09 01:04 UTC] ajf@php.net
-Status: Assigned +Status: Closed
 [2015-01-09 01:04 UTC] ajf@php.net 
Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php

I'm using 5.6 and this is fixed. I assume it was fixed a while ago, but I don't know which version.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sun Dec 22 06:01:30 2024 UTC