I'm not sure I understand how this is "bypassing" anything. You feed the command to the shell, it is executed. escapeshellcmd just escapes cetrain characters, it can't magically make any command safe. So I'd like a bit more details about what you'd expect escapeshellcmd to do and in what sense this is a "bypass"?

example supplied was just a for instance in that it doesn't stop mistakenly used things like /c being passed in.

PHP Code to get an EXE version  php, cmd.exe etc

<?php
$c = escapeshellcmd($_GET['n']);
system($c . " -v ");       
?>

1) open Windows command like

2) call from browser
http://localhost/test.php?n=c:\Windows\system32\cmd.exe%20/c%20calc

3) you will see script trying to start calc.exe

4) go to Windows CL and do taskkill /f /im calc.exe

You will see it terminated... that's my point.

Using this however will fail obviously:
http://localhost/escapeshellcmd-tests.php?n=c:\Windows\system32\cmd.exe%20calc

I'm sorry I still don't see where "bypass" is. You've launched a command that is supposed to run calc. It runs calc. It is expected. Where is the problem? What did you expect to happen instead?

Another example:

On Windows CL below command will write info about a file named 'hi.txt' to file named 'test' and do dir listing.

C:\> dir hi.txt  > test | dir

But if we do this using PHP and use escapeshellcmd to try prevent arbitrary cmds it fails.

<?php
$c = escapeshellcmd($_GET['n']);
system("dir " . $c . " > TEST | dir");
?>

Then,

http://localhost/test.php?n=%26calc%26taskmgr

calc.exe and taskmgr get called.

feels a bit inconsistent at least on Windows, maybe bypass though was wrong word for it.

Perhaps it would clarify matters if you removed the irrelevant parts of your code.  It doesn't matter if the input comes via $_GET or not, so just include a literal in your example code.

Executing the command isn't as diagnostic as showing what the output of escapeshellcmd() looks like (and what you expect it to look like).  So forget the call to system/shell_exec/etc...   Just echo it out.

3v4l.org is a great resource for this as well: https://3v4l.org/BD8XF is what I understand your example to be and as you can see the ampersands are escaped just as the manual says they will be.

How does this output differ from your expectations?

Also, in your example:

$c = escapeshellcmd($_GET['n']);
system("dir " . $c . " > TEST | dir");

You should use escapeshellarg() here, not escapeshellcmd(), as $_GET['n'] is an argument, not a command.

Appreciate your replies, I was expect it to not run arbitrary command as the name implies. Yea forget the $_GET but this is the whole point. I don't care what the function output looks like diagnostically, only that it works to prevent arbitrary commands being called which in my examples it does not. Anyway, need to be careful using this function I think.

Thanks for anything.
John

> I don't care what the function output looks like diagnostically

Diagnostics are the only thing that make bug reports actionable.

All we have at this point is: "system() successfully runs commands, and escapeshellcmd() doesn't prevent it from running commands."

You've offered a nebulous definition of what a "bad" command is, but it's not up to the runtime to decide what commands you want to run, and escapeshellcmd() doesn't claim to offer that functionality.