php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #75959 Support a function to escape glob metacharacters
Submitted: 2018-02-14 09:49 UTC Modified: 2018-07-23 12:30 UTC
From: maggus dot staab+php at googlemail dot com Assigned:
Status: Open Package: Filesystem function related
PHP Version: 7.0.27 OS:
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2018-02-14 09:49 UTC] maggus dot staab+php at googlemail dot com
Description:
------------
Atm there is no api to escape glob patterns.

this makes glob() useless for cases in which dynamic (maybe even user-supplied contents will be embedded into the glob pattern).

Test script:
---------------
$glob = 'hallo*lala'; // I want this string to match the literal '*' char 
glob(glob_quote($glob))


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-02-14 10:01 UTC] requinix@php.net
-Status: Open +Status: Feedback
 [2018-02-14 10:27 UTC] maggus dot staab+php at googlemail dot com
thx for the pointer.

this method does 90% of what I need, but is not exactly what I search.

e.g. glob() supports {} (curly-braces) but those are not escaped with this function.

additionally quotemeta() escapes the ^ character which is not a meta-char in the "glob" sense.
 [2018-02-14 11:44 UTC] requinix@php.net
-Status: Feedback +Status: Open -Package: *General Issues +Package: Filesystem function related
 [2018-02-14 11:44 UTC] requinix@php.net
According to glob(3) it sounds like extra backslashes aren't harmful. According to glob(7) using a ^ (as in [^]) is defined to be undefined so maybe it should be escaped to be safe, but I do see that quotemeta won't get ! or ~

The next step would be addcslashes. I'm sure POSIX PHP's glob uses the system's glob(3) which has ?*[!]{~} as special - don't know how Windows PHP's glob works.

While {}s aren't special unless the GLOB_BRACE option is used, nevermind that GLOB_NOESCAPE prevents escaping from doing anything at all, I think it would be best if the function worked like quotemeta and preg_quote and simply escaped everything that could possibly be used. Speaking of, I could see situations where periods and slashes could be special too, even though they're not actually metacharacters.

Personally I would just use addcslashes depending on my use case, like to allow * ? but disallow everything else. Listing the metacharacters in the glob docs would be helpful to that end. In fact if it weren't for the fact that quotemeta exists, old as it is, I would say let's just document what's special and tell people how to escape what they don't want.
 [2018-02-14 12:30 UTC] maggus dot staab+php at googlemail dot com
in case quotemeta() is the correct escaping function for glob and its caveats would be described on its doc page it should also be cross-linked via "see also" from the "glob()" docs page.
 [2018-07-23 12:30 UTC] cmb@php.net
> […] - don't know how Windows PHP's glob works.

For Windows we have an own implementation[1], which enforces
GLOB_NOESCAPE[2].

[1] <https://github.com/php/php-src/blob/php-7.2.8/win32/glob.c>
[2] <https://github.com/php/php-src/blob/php-7.2.8/win32/glob.c#L172-L177>
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Tue Oct 16 20:01:27 2018 UTC