Bug #45132 escapeshellcmd removes swedish characters
Submitted: 2008-05-29 22:53 UTC Modified: 2015-02-03 06:59 UTC
Avg. Score:4.5 ± 0.8
Reproduced:11 of 11 (100.0%)
Same Version:6 (54.5%)
Same OS:5 (45.5%)
From: tom at collegit dot se Assigned:
Status: Duplicate Package: Program Execution
PHP Version: 5.*, 6CVS (2009-05-05) OS: *
Private report: No CVE-ID: None


 [2008-05-29 22:53 UTC] tom at collegit dot se
Since my web server got updated to 5.2.6 escapeshellcmd() has started 
removing all Swedish characters from user input. Looks a lot like bug 

'./configure' '--with-apxs2=/usr/local/apache/bin/apxs'
'--with-mysql=/usr/local/mysql' '--enable-debug=no' '--enable-track-vars'
'--with-imap=/usr/local/imap' '--with-mcrypt' '--with-mhash' '--with-dom'
'--with-gd' '--with-jpeg-dir' '--enable-ftp' '--with-freetype-dir=/usr'
'--with-zlib-dir=/usr' '--with-png-dir=/usr' '--enable-dbase'
'--with-gettext' '--with-zlib' '--enable-inline-optimization'
'--with-openssl' '--with-curl' '--with-curlwrappers' '--enable-exif'
'--with-imap-ssl' '--enable-bcmath' '--enable-mbstring' '--enable-wddx'
'--with-xsl' '--with-pdo-mysql=/usr/local/mysql'
'--with-mysqli=/usr/local/mysql/bin/mysql_config' '--enable-soap'
'--enable-sockets' '--with-mssql' '--with-ming' '--with-pspell'
'--enable-calendar' '--enable-bcmath' '--with-t1lib'
'--with-pgsql=/usr/local/pgsql' '--with-tidy' '--enable-zip'

Reproduce code:
$test = "???";
$test = (escapeshellcmd($test));
print $test;

Expected result:

Actual result:


 [2008-05-29 22:55 UTC]
Ilia, did that fix get into actual release..?
 [2008-05-29 23:09 UTC]
Try using:
setlocale(LC_CTYPE, "UTF8", "en_US.UTF-8");
 [2008-08-07 06:23 UTC] tstarling at wikimedia dot org
The issue is that previously 8-bit clean locales, like "C", are now being validated for whatever character set they supposedly are, with characters above 127 being removed. 

The suggested fix, here and on , appears to reopen whatever security vulnerability it was that the patch fixed in the first place. 

$ LANG=C php eval.php
> setlocale(LC_CTYPE, 'en_US.UTF-8')
> echo escapeshellarg("\xC3\x96")
> passthru('locale')

Because the environment variable LC_CTYPE is not set by setlocale(), the spawned shell sees the old character set, not the new one. So the shell can be passed an argument escaped for the wrong character set, potentially opening a vulnerability. 

I'm assuming that the attack scenario for this vulnerability is where an attacker can set environment variables such as LANG to a vulnerable character set, before starting PHP. Because if an attacker can set environment variables during execution of a script, the bug is not fixed. But in that case you're probably screwed anyway.
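
Added example, not part of the bug thread or of PHP's own code: one way to keep the child shell's character set in agreement with the locale escapeshellarg() validated against is to pass that locale explicitly in the environment given to proc_open(). It assumes a POSIX host with the `locale` and `od` utilities and an installed en_US.UTF-8 locale; the helper name child_ctype() is hypothetical.

```php
<?php
// Added example, not from the bug report. Assumes a POSIX host with the
// `locale` utility and the en_US.UTF-8 locale installed.

// Return the LC_CTYPE a child process sees. $env = null inherits PHP's environment.
function child_ctype(?array $env): string
{
    $proc = proc_open('locale', [1 => ['pipe', 'w']], $pipes, null, $env);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    // `locale` prints e.g. LC_CTYPE="en_US.UTF-8" (quoted when implied by LANG/LC_ALL)
    return preg_match('/^LC_CTYPE="?([^"\n]*)"?$/m', $out, $m) ? $m[1] : '';
}

$wanted = 'en_US.UTF-8';
if (setlocale(LC_CTYPE, $wanted) === false) {
    fwrite(STDERR, "locale $wanted is not installed\n");
    exit(1);
}

// setlocale() changed only the C library state of this process; the
// environment handed to children is untouched unless it is set explicitly.
$pinnedEnv = ['PATH' => getenv('PATH'), 'LC_ALL' => $wanted];

printf("PHP LC_CTYPE:       %s\n", setlocale(LC_CTYPE, '0'));
printf("child, inherited:   %s\n", child_ctype(null));
printf("child, pinned env:  %s\n", child_ctype($pinnedEnv));

// Escape under $wanted and run only with the environment that matches it.
$arg = escapeshellarg("\xC3\x96");   // the two bytes used in the comment above
if (child_ctype($pinnedEnv) !== $wanted) {
    fwrite(STDERR, "child LC_CTYPE differs from PHP's; not running command\n");
    exit(1);
}
$cmd  = "printf %s $arg | od -An -tx1";
$proc = proc_open($cmd, [1 => ['pipe', 'w']], $pipes, null, $pinnedEnv);
if (!is_resource($proc)) {
    throw new RuntimeException('proc_open failed');
}
echo 'bytes seen by shell:', stream_get_contents($pipes[1]);
fclose($pipes[1]);
proc_close($proc);
```

Run it as `LANG=C php example.php` to see the inherited child report a different LC_CTYPE from the one PHP is using, while the child given the pinned environment reports the same one.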
 [2009-05-07 13:52 UTC]
See also bug #44564 (and can still verify using latest CVS)

 [2010-05-19 14:23 UTC]
-Status: Assigned +Status: To be documented -Assigned To: iliaa +Assigned To:
 [2010-05-19 14:23 UTC]
Works here, but needs to be documented that escapeshell*() functions are locale dependent.
 [2010-12-20 12:08 UTC]
-Package: Tidy +Package: Program Execution
 [2015-02-03 06:59 UTC]
-Status: Open +Status: Duplicate
 [2015-02-03 06:59 UTC]
It removes non-ascii chars. Make this a dup of