php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #69768 escapeshell*() doesn't cater to !
Submitted: 2015-06-07 18:01 UTC Modified: 2015-07-10 14:45 UTC
From: cmb@php.net Assigned: cmb (profile)
Status: Closed Package: Program Execution
PHP Version: 5.6.9 OS: Windows
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: cmb@php.net
New email:
PHP Version: OS:

 

 [2015-06-07 18:01 UTC] cmb@php.net
Description:
------------
When delayed variable substitution is enabled (can be set in the
Registry, for instance), !ENV! works similar to %ENV%, and the
value of the environment variable ENV will be subsituted.

Neither escapeshellcmd() nor escapeshellarg() handle ! as a
special character, so this can cause security issues.

I suggest to treat ! the same as %, i.e. escape it with ^ in
escapeshellcmd() and replace it with a space in escapeshellarg(),
like it's done in the attached patch.


Patches

escapeshell-exclamation-mark (last revision 2015-06-07 18:02 UTC by cmb@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-06-07 18:02 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: escapeshell-exclamation-mark
Revision:   1433700149
URL:        https://bugs.php.net/patch-display.php?bug=69768&patch=escapeshell-exclamation-mark&revision=1433700149
 [2015-06-22 10:43 UTC] kalle@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: cmb
 [2015-06-22 10:43 UTC] kalle@php.net
Seems fine to me, go ahead and commit it, should probably go all the way down to 5.4
 [2015-06-23 23:47 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 [2015-06-23 23:47 UTC] cmb@php.net
Merged into 5.4, 5.5, 5.6 and master.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 09 11:01:28 2024 UTC