|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #61440 proc_open() and shell escaping
Submitted: 2012-03-19 18:23 UTC Modified: 2021-02-08 14:14 UTC
Avg. Score:4.3 ± 0.9
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: aschulz4587 at gmail dot com Assigned: cmb (profile)
Status: Closed Package: Program Execution
PHP Version: 5.4.0 OS: Vista/Win 7
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: aschulz4587 at gmail dot com
New email:
PHP Version: OS:


 [2012-03-19 18:23 UTC] aschulz4587 at gmail dot com
proc_open() does not seem to handle shell escaping of the script paths properly.

Test script:

$pipes = array();
$process = proc_open(
        '"php" "--version"',
        #'php "--version"',
                0 => array( 'pipe', 'r' ), // input
                1 => array( 'pipe', 'w' ), // output
                2 => array( 'file', 'NUL', 'a' ) // error
        $pipes // respective outputs
fclose( $pipes[0] );
var_dump( stream_get_contents( $pipes[1] ) );
fclose( $pipes[1] );

Expected result:
$ php shelltest.php
string(147) "PHP 5.3.4 (cli) (built: Dec 16 2010 00:06:20)
Copyright (c) 1997-2010 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies

Actual result:
$ php shelltest.php
string(0) ""


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2012-03-19 18:24 UTC] aschulz4587 at gmail dot com
Note that this works if the bypass_shell flag it set. Also, popen() does not suffer from this problem.
 [2021-02-08 14:14 UTC]
-Status: Open +Status: Closed -Package: CGI/CLI related +Package: Program Execution -Assigned To: +Assigned To: cmb
 [2021-02-08 14:14 UTC]
This is fixed as of PHP 8.0.0[1], but that fix cannot be
backported for BC reasons.  If you need to go through the shell,
enclose the commandline in additional double-quotes, prior to PHP

    '""php" "--version""',

[1] <>
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Sun Dec 10 01:01:27 2023 UTC