PHP :: Bug #67864 :: escapeshellarg incorrectly escapes single quotes

Bug #67864	escapeshellarg incorrectly escapes single quotes
Submitted:	2014-08-19 13:08 UTC	Modified:	2014-08-19 18:39 UTC
From:	Laurent dot Lyaudet at gmail dot com	Assigned:
Status:	Closed	Package:	*General Issues
PHP Version:	master-Git-2014-08-19 (Git)	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	Laurent dot Lyaudet at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2014-08-19 13:08 UTC] Laurent dot Lyaudet at gmail dot com

Description:
------------
Hi,

Single quotes are not properly escaped by escapeshellargs.
The correction is trivial.

Current source code in exec.c is 
363                 switch (str[x]) {
364 #ifdef PHP_WIN32
365                 case '"':
366                 case '%':
367                         cmd->val[y++] = ' ';
368                         break;
369 #else
370                 case '\'':
371                         cmd->val[y++] = '\'';
372                         cmd->val[y++] = '\\';
373                         cmd->val[y++] = '\'';
374 #endif
375                         /* fall-through */
376                 default:
377                         cmd->val[y++] = str[x];
378                 }

line 371 should be removed and a line with 'break;' should be added between lines 373 and 374.

Correct source code should be
363                 switch (str[x]) {
364 #ifdef PHP_WIN32
365                 case '"':
366                 case '%':
367                         cmd->val[y++] = ' ';
368                         break;
369 #else
370                 case '\'':
371                         cmd->val[y++] = '\\';
372                         cmd->val[y++] = '\'';
373                         break;
374 #endif
375                         /* fall-through */
376                 default:
377                         cmd->val[y++] = str[x];
378                 }

Best regards,
   Laurent Lyaudet

Test script:
---------------
root@wheezyDEVLaurent:~# php
<?php
echo "\n", escapeshellarg('\''), "\n";
?>

''\'''
root@wheezyDEVLaurent:~#

Expected result:
----------------
'\''

Actual result:
--------------
''\'''

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-08-19 18:39 UTC] Laurent dot Lyaudet at gmail dot com

-Status: Open +Status: Closed

[2014-08-19 18:39 UTC] Laurent dot Lyaudet at gmail dot com

My bad, I forgot that the shell concatenates single quotes escaped string,
and that :
touch test\ \'\"\ test
touch 'test '\''" test'
touch "test '\" test"
all work and are equivalent
but
touch 'test \'" test'
does not work.

I wonder if it wouldn't be simpler and safer for escapeshellarg to escape args using double quotes instead of simple quotes to encapsulate the string.

Best regards,
   Laurent Lyaudet

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Nov 20 06:00:01 2025 UTC