|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2012-03-19 18:23 UTC] aschulz4587 at gmail dot com
Description:
------------
proc_open() does not seem to handle shell escaping of the script paths properly.
Test script:
---------------
<?php
$pipes = array();
$process = proc_open(
'"php" "--version"',
#'php "--version"',
array(
0 => array( 'pipe', 'r' ), // input
1 => array( 'pipe', 'w' ), // output
2 => array( 'file', 'NUL', 'a' ) // error
),
$pipes // respective outputs
);
fclose( $pipes[0] );
var_dump( stream_get_contents( $pipes[1] ) );
fclose( $pipes[1] );
proc_close($process);
Expected result:
----------------
$ php shelltest.php
string(147) "PHP 5.3.4 (cli) (built: Dec 16 2010 00:06:20)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
"
Actual result:
--------------
$ php shelltest.php
string(0) ""
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sun Nov 02 09:00:01 2025 UTC |
This is fixed as of PHP 8.0.0[1], but that fix cannot be backported for BC reasons. If you need to go through the shell, enclose the commandline in additional double-quotes, prior to PHP 8.0.0: '""php" "--version""', [1] <https://github.com/php/php-src/commit/9ca449e0a803cb9d1d40fd6b83f2da1e6a7b46d9>