Bug #54391 escapeshellarg strip non-ascii characters
Submitted: 2011-03-26 15:12 UTC Modified: 2015-02-03 07:01 UTC
Votes:12
Avg. Score:4.2 ± 0.9
Reproduced:9 of 9 (100.0%)
Same Version:4 (44.4%)
Same OS:5 (55.6%)
From: c dot madmax at gmail dot com Assigned:
Status: Open Package: Program Execution
PHP Version: any OS: any
Private report: No CVE-ID: None
 [2011-03-26 15:12 UTC] c dot madmax at gmail dot com
Description:
------------
escapeshellarg() strips non-ASCII characters if the LANG environment variable is not set to something like LANG=*.ISO-8959-1, e.g. LANG=en_US.ISO-8959-1

The job of escapeshellarg() is only to escape characters and NOT to remove them!!! The manual says nothing about removing characters!!!

Removing characters can cause horrible results!!!

It shouldn't matter whether a shell arg has an ISO-8959-1 charset or a UTF-8 charset or any other charset, because it is possible that one filename has an ISO-8959-1 charset and another filename has a UTF-8 charset!!!

escapeshellarg() should only look for quotes and escape them, and nothing else!!!

PS:
setlocale(LC_ALL, 'en_US.ISO-8959-1') and/or putenv('LANG=en_US.ISO-8959-1') doesn't fix this problem! And I think even if this works, it's not a good solution!

Test script:
---------------
<?php

$path = escapeshellarg('/home/www-data/äöüÄÖÜß'); // ISO-8959-1 characters =  "\xE4\xF6\xFC\xC4\xD6\xDC\xDF" in hex format

shell_exec(sprintf('rm -fr %s', $path));

echo sprintf('%s removed', $path);

?>

Expected result:
----------------
The test script should remove the folder /home/www-data/äöüÄÖÜß and output:

'/home/www-data/äöüÄÖÜß' removed

Actual result:
--------------
The test script removes the folder /home/www-data/ and outputs:

'/home/www-data/' removed

 [2011-03-26 15:18 UTC] felipe@php.net
See bug #44945
 [2011-03-26 15:18 UTC] felipe@php.net
-Status: Open +Status: Bogus
 [2011-03-26 15:18 UTC] felipe@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php


 [2011-03-26 15:35 UTC] c dot madmax at gmail dot com
This is a different bug!

Bug 44945 is related to UTF-8 strings, and the bug is fixed. escapeshellarg() doesn't remove valid UTF-8 characters.

But escapeshellarg() removes ISO-8959-1 characters!
 [2011-03-26 16:11 UTC] felipe@php.net
-Status: Bogus +Status: Open
 [2013-02-03 23:54 UTC] me at paulofreitas dot me
Test script:
---------------
<?php

$filename = 'résumé.pdf';

var_dump(escapeshellarg($filename));
setlocale(LC_CTYPE, 'en_US.utf8');
var_dump(escapeshellarg($filename));

?>

Test result when executed from CLI:
---------------
string(14) "'résumé.pdf'"
string(14) "'résumé.pdf'"

Test result when executed from Apache:
---------------
// Executed from Apache
string(10) "'rsum.pdf'"
string(14) "'résumé.pdf'"

Which locale to use? Will it work cross-platform? Yeah, that's a very annoying, unexpected behavior.
 [2015-02-03 07:01 UTC] yohgaki@php.net
-Operating System: All Debian and Ubuntu Versions
+Operating System: any
-PHP Version: 5.3.6
+PHP Version: any
 [2015-02-03 07:01 UTC] yohgaki@php.net
Duplicate.
https://bugs.php.net/bug.php?id=45132
Keep this bug open.
 [2017-02-07 11:06 UTC] netvicious at gmail dot com
This bug seems to have been in limbo for so long.

I got here looking for a solution, but it only guided me to find my own solution.

For me it worked with setlocale(LC_ALL, 'es_ES@euro'); it didn't work with setlocale(LC_ALL, 'es_ES@iso-8859-1') and others, but I think it should be a problem with the locales in the Linux configuration.

Run locale-gen on your machine, look at which locales you have installed, and use one of them.
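
A defensive pattern for the failure in the original report, as an added example that is not part of this bug thread or of PHP's own code: fail closed when escapeshellarg() returns different bytes than it was given, and delete through the array form of proc_open() so that no shell or escaping step is involved. The helper names strictEscapeShellArg() and removeTree() and the scratch directory are assumptions; the quoting check assumes a Unix host.

```php
<?php
declare(strict_types=1);

// Added example; strictEscapeShellArg() and removeTree() are hypothetical helper
// names. Assumes a Unix host, where escapeshellarg() wraps the value in single
// quotes and rewrites each ' as '\''.

function strictEscapeShellArg(string $arg): string
{
    $escaped = escapeshellarg($arg);
    // Undo the quoting to recover the bytes the shell would actually receive.
    $seen = str_replace("'\\''", "'", (string) substr($escaped, 1, -1));
    if ($seen !== $arg) {
        // Fail closed: a shortened path must never reach rm.
        throw new RuntimeException(sprintf(
            'escapeshellarg() changed the argument (%d bytes in, %d out, LC_CTYPE=%s)',
            strlen($arg), strlen($seen), (string) setlocale(LC_CTYPE, '0')
        ));
    }
    return $escaped;
}

function removeTree(string $dir): int
{
    // Array form of proc_open() (PHP >= 7.4) runs rm directly, with no shell
    // and therefore no escaping step that could alter the path.
    $proc = proc_open(['rm', '-r', '--', $dir], [2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start rm');
    }
    stream_get_contents($pipes[2]); // drain stderr so rm cannot block on it
    fclose($pipes[2]);
    return proc_close($proc);
}

// Constructed sample: a scratch directory whose name holds the report's bytes.
$dir = sys_get_temp_dir() . "/escdemo-\xE4\xF6\xFC\xC4\xD6\xDC\xDF";
@mkdir($dir);
try {
    echo strictEscapeShellArg($dir), " is intact under the current locale\n";
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
echo 'rm exit status: ', removeTree($dir), "\n";
```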
 