|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #54391 escapeshellarg strip non-ascii characters
Submitted: 2011-03-26 15:12 UTC Modified: 2015-02-03 07:01 UTC
Avg. Score:4.2 ± 0.9
Reproduced:9 of 9 (100.0%)
Same Version:4 (44.4%)
Same OS:5 (55.6%)
From: c dot madmax at gmail dot com Assigned:
Status: Open Package: Program Execution
PHP Version: any OS: any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
Solve the problem:
44 - 3 = ?
Subscribe to this entry?

 [2011-03-26 15:12 UTC] c dot madmax at gmail dot com
escapeshellarg() strip non-ascii characters if the LANG environment variable is not set to somthing like LANG=*.ISO-8959-1 e.g. LANG=en_US.ISO-8959-1

The job of escapeshellarg() is only to escape characters and NOT to remove them!!! The manual say nothing about removing characters!!!

Removing characters can cause horrible results!!!

It should doesn't matter if a shell arg has a ISO-8959-1 charset or UTF-8 charset or any other charset, because it is possible that a filename has a ISO-8959-1 charset and a other filename has a UTF-8 charset!!!

escapeshellarg() should only look for quotes and escape them, and nothing else!!!

setlocale(LC_ALL, 'en_US.ISO-8959-1') and/or putenv('LANG=en_US.ISO-8959-1') dosn't fix this problem! And i think even if this work it's not good a solution!

Test script:

$path = escapeshellarg('/home/www-data/äöüÄÖÜß'); // ISO-8959-1 characters =  "\xE4\xF6\xFC\xC4\xD6\xDC\xDF" in hex format

shell_exec(sprintf('rm -fr %s', $path));

echo sprintf('%s removed', $path);


Expected result:
The test script should remove the folder /home/www-data/äöüÄÖÜß and output:

'/home/www-data/äöüÄÖÜß' removed

Actual result:
The test script remove the folder /home/www-data/ and output

'/home/www-data/' removed


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2011-03-26 15:18 UTC]
See bug #44945
 [2011-03-26 15:18 UTC]
-Status: Open +Status: Bogus
 [2011-03-26 15:18 UTC]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at and the instructions on how to report
a bug at

 [2011-03-26 15:35 UTC] c dot madmax at gmail dot com
This is a different bug!

Bug 44945 is related to utf-8 strings, and the bug is fixed. escapeshellarg() don't remve valid utf-8 characters.

But escapeshellarg() remove ISO-8959-1 characters!
 [2011-03-26 16:11 UTC]
-Status: Bogus +Status: Open
 [2013-02-03 23:54 UTC] me at paulofreitas dot me
Test script:

$filename = 'résumé.pdf';

setlocale(LC_CTYPE, 'en_US.utf8');


Test result when executed from CLI:
string(14) "'résumé.pdf'"
string(14) "'résumé.pdf'"

Test result when executed from Apache:
// Executed from Apache
string(10) "'rsum.pdf'"
string(14) "'résumé.pdf'"

Which locale to use? Will it works cross-platform? Yeah, that's a very annoying unexpected behavior.
 [2015-02-03 07:01 UTC]
-Operating System: All Debian and Ubuntu Versions +Operating System: any -PHP Version: 5.3.6 +PHP Version: any
 [2015-02-03 07:01 UTC]
Keep this bug open.
 [2017-02-07 11:06 UTC] netvicious at gmail dot com
This bug seems to be on the limbo so much time.

I get here looking for a solution but it only guided me to found my solution.

For me it worked with a setlocale(LC_ALL, 'es_ES@euro'), it didn't worked with setlocale(LC_ALL, 'es_ES@iso-8859-1') and others but I think it should be a problem with the locales on the linux configuration.

Run a locale-gen in your machine and look which locales do you have installed on your machine, and use one of they.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Jul 22 14:01:29 2024 UTC