php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67864 escapeshellarg incorrectly escapes single quotes
Submitted: 2014-08-19 13:08 UTC Modified: 2014-08-19 18:39 UTC
From: Laurent dot Lyaudet at gmail dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: master-Git-2014-08-19 (Git) OS: Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: Laurent dot Lyaudet at gmail dot com
New email:
PHP Version: OS:

 

 [2014-08-19 13:08 UTC] Laurent dot Lyaudet at gmail dot com
Description:
------------
Hi,

Single quotes are not properly escaped by escapeshellargs.
The correction is trivial.

Current source code in exec.c is 
363                 switch (str[x]) {
364 #ifdef PHP_WIN32
365                 case '"':
366                 case '%':
367                         cmd->val[y++] = ' ';
368                         break;
369 #else
370                 case '\'':
371                         cmd->val[y++] = '\'';
372                         cmd->val[y++] = '\\';
373                         cmd->val[y++] = '\'';
374 #endif
375                         /* fall-through */
376                 default:
377                         cmd->val[y++] = str[x];
378                 }

line 371 should be removed and a line with 'break;' should be added between lines 373 and 374.

Correct source code should be
363                 switch (str[x]) {
364 #ifdef PHP_WIN32
365                 case '"':
366                 case '%':
367                         cmd->val[y++] = ' ';
368                         break;
369 #else
370                 case '\'':
371                         cmd->val[y++] = '\\';
372                         cmd->val[y++] = '\'';
373                         break;
374 #endif
375                         /* fall-through */
376                 default:
377                         cmd->val[y++] = str[x];
378                 }

Best regards,
   Laurent Lyaudet

Test script:
---------------
root@wheezyDEVLaurent:~# php
<?php
echo "\n", escapeshellarg('\''), "\n";
?>

''\'''
root@wheezyDEVLaurent:~#

Expected result:
----------------
'\''

Actual result:
--------------
''\'''

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-08-19 18:39 UTC] Laurent dot Lyaudet at gmail dot com
-Status: Open +Status: Closed
 [2014-08-19 18:39 UTC] Laurent dot Lyaudet at gmail dot com
My bad, I forgot that the shell concatenates single quotes escaped string,
and that :
touch test\ \'\"\ test
touch 'test '\''" test'
touch "test '\" test"
all work and are equivalent
but
touch 'test \'" test'
does not work.

I wonder if it wouldn't be simpler and safer for escapeshellarg to escape args using double quotes instead of simple quotes to encapsulate the string.

Best regards,
   Laurent Lyaudet
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Dec 04 08:01:29 2024 UTC