PHP :: Bug #28881 :: exec(), system(), passthru() incorrectly escape parentheses

Bug #28881	exec(), system(), passthru() incorrectly escape parentheses
Submitted:	2004-06-22 15:18 UTC	Modified:	2004-06-24 02:39 UTC
From:	uncle at fedor dot com	Assigned:
Status:	Not a bug	Package:	Filesystem function related
PHP Version:	4.3.7	OS:	Linux SuSE 8.2
Private report:	No	CVE-ID:	None

View Developer Edit

[2004-06-22 15:18 UTC] uncle at fedor dot com

Description:
------------
exec() gives the following results when working with files containing spaces *and* parentheses/brackets on Linux:

If the filename to be passed by the exec() function is enclosed in quotes "..." (to handle the spaces) then the backslashes are added before the following symbols:
( ) [ ] { }
and possibly before some other ones I haven't discovered.



Reproduce code:
---------------
1. exec ("touch \"Testfile without parentheses.txt\"");

2. exec ("touch Now_without_spaces_(but_with_parenteses)");

3. exec ("touch \"Now both spaces (and parentheses)\");





Expected result:
----------------
1. Creating file:
Testfile without parentheses.txt

2. Creating file:
Now_without_spaces_(but_with_parentheses)

3. Creating file:
Now both spaces (and parentheses)

Actual result:
--------------
1. Creating file:
Testfile without parentheses.txt

2. Creating file:
Now_without_spaces_(but_with_parentheses)

3. Creating file:
Now both spaces \(and parentheses\)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-06-22 16:14 UTC] iliaa@php.net

Unless you have safe_mode enabled exec functions do not 
perform any automatic escaping. With PHP 4.3.7 without 
safe_mode exec ("touch \"Now both spaces (and 
parentheses)\"); works as expected.

[2004-06-22 19:21 UTC] uncle at fedor dot com

Thank you for such a speedy reply!

The things is I *do* have safe mode enabled. And the functions behave as described above.

Is there any workaround for the safe mode?

[2004-06-24 02:39 UTC] iliaa@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

When safe_mode is enabled certain escaping routines are 
performed on all execute commands and arguments. There is 
no way to prevent this other then to disable safe_mode.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Dec 17 11:00:01 2025 UTC