Bug #67864 escapeshellarg incorrectly escapes single quotes
Submitted: 2014-08-19 13:08 UTC Modified: 2014-08-19 18:39 UTC
From: Laurent dot Lyaudet at gmail dot com Assigned:
Status: Closed Package: *General Issues
PHP Version: master-Git-2014-08-19 (Git) OS: Linux
Private report: No CVE-ID: None
 [2014-08-19 13:08 UTC] Laurent dot Lyaudet at gmail dot com
Description:
------------
Hi,

Single quotes are not properly escaped by escapeshellarg.
The correction is trivial.

Current source code in exec.c is 
363                 switch (str[x]) {
364 #ifdef PHP_WIN32
365                 case '"':
366                 case '%':
367                         cmd->val[y++] = ' ';
368                         break;
369 #else
370                 case '\'':
371                         cmd->val[y++] = '\'';
372                         cmd->val[y++] = '\\';
373                         cmd->val[y++] = '\'';
374 #endif
375                         /* fall-through */
376                 default:
377                         cmd->val[y++] = str[x];
378                 }

line 371 should be removed and a line with 'break;' should be added between lines 373 and 374.

Correct source code should be
363                 switch (str[x]) {
364 #ifdef PHP_WIN32
365                 case '"':
366                 case '%':
367                         cmd->val[y++] = ' ';
368                         break;
369 #else
370                 case '\'':
371                         cmd->val[y++] = '\\';
372                         cmd->val[y++] = '\'';
373                         break;
374 #endif
375                         /* fall-through */
376                 default:
377                         cmd->val[y++] = str[x];
378                 }

Best regards,
   Laurent Lyaudet

Test script:
---------------
root@wheezyDEVLaurent:~# php
<?php
echo "\n", escapeshellarg('\''), "\n";
?>

''\'''
root@wheezyDEVLaurent:~#

Expected result:
----------------
'\''

Actual result:
--------------
''\'''

 [2014-08-19 18:39 UTC] Laurent dot Lyaudet at gmail dot com
-Status: Open +Status: Closed
 [2014-08-19 18:39 UTC] Laurent dot Lyaudet at gmail dot com
My bad, I forgot that the shell concatenates single-quote escaped strings,
and that:
touch test\ \'\"\ test
touch 'test '\''" test'
touch "test '\" test"
all work and are equivalent
but
touch 'test \'" test'
does not work.

I wonder if it wouldn't be simpler and safer for escapeshellarg to escape args using double quotes instead of single quotes to encapsulate the string.

Best regards,
   Laurent Lyaudet
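
The two quoting variants from this report, checked by round trip, as an added example (not code from php-src or from the reporter). The names sh_quote, sh_unquote and round_trips are made up here, and the parser models only the two POSIX rules involved: text inside '...' is literal up to the next ', and a backslash outside quotes escapes the next character.

```c
#include <stdio.h>
#include <string.h>

/* Wrap src in single quotes for a POSIX shell. current=1 follows the existing
 * exec.c branch (' becomes '\''); current=0 follows the change proposed in
 * the report (' becomes \'). dst must hold 4*strlen(src)+3 bytes. */
void sh_quote(const char *src, char *dst, int current) {
    size_t y = 0;
    dst[y++] = '\'';
    for (size_t x = 0; src[x]; x++) {
        if (src[x] == '\'') {
            if (current) dst[y++] = '\'';   /* close the quoted run */
            dst[y++] = '\\';                /* backslash, then the quote */
            dst[y++] = '\'';
            if (!current) continue;         /* proposed: break, no reopen */
        }
        dst[y++] = src[x];                  /* for ', this reopens the run */
    }
    dst[y++] = '\'';
    dst[y] = '\0';
}

/* Model of POSIX word parsing, limited to '...' and backslash outside quotes.
 * Returns 0 on success, -1 if a single quote is left unterminated. */
int sh_unquote(const char *word, char *out) {
    int in_sq = 0;
    size_t y = 0;
    for (size_t x = 0; word[x]; x++) {
        if (in_sq && word[x] != '\'') out[y++] = word[x];
        else if (word[x] == '\'') in_sq = !in_sq;
        else if (word[x] == '\\' && word[x + 1]) out[y++] = word[++x];
        else out[y++] = word[x];
    }
    out[y] = '\0';
    return in_sq ? -1 : 0;
}

/* 1 if the quoted form parses back to src; src is limited to 60 bytes here. */
int round_trips(const char *src, int current) {
    char quoted[256], back[256];
    sh_quote(src, quoted, current);
    return sh_unquote(quoted, back) == 0 && strcmp(src, back) == 0;
}

int main(void) {
    const char *s = "test '\" test";        /* constructed sample input */
    printf("current=%d proposed=%d\n", round_trips(s, 1), round_trips(s, 0));
    return 0;
}
```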
 