Bug #61706 [Com]: escapeshellarg behaves inconsistently depending on shell
Edit report at https://bugs.php.net/bug.php?id=61706&edit=1

 ID:                 61706
 Comment by:         phpbugs at personal dot formauri dot es
 Reported by:        phpbugs at personal dot formauri dot es
 Summary:            escapeshellarg behaves inconsistently depending on shell
 Status:             Open
 Type:               Bug
 Package:            Program Execution
 Operating System:   Linux, Unix, maybe OSX, NOT msw
 PHP Version:        5.4Git-2012-04-12 (Git)
 Block user comment: N
 Private report:     N

 New Comment:

For extra background, see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550399

Unlike what I thought at first, it seems to affect the shell's built-in echo command specifically. As noted in that bug, it also affects shells other than dash, including posh and mksh. I've had the problem with zsh as well. And as noted in that bug, dash is the default shell in many systems, and also in Ubuntu (see https://bugs.launchpad.net/ubuntu/+source/dash/+bug/259671 ). Debian also offers to install posh as the default /bin/sh.

The consensus seems to be that that is not a bug in the shell, because the result of using backslashes in the shell's builtin echo is implementation-defined, and therefore it's PHP's responsibility to escape them properly, e.g. in the suggested way.

On a different topic, one advantage of using the method of switching mode depending on the runs of should-be-escaped/should-not-be-escaped characters, as in the PHP example function shown above, is that the temporary storage requirement is reduced from 4n+2 as is now, or ~4 times the length, to ceil(5n/2), or ~2.5 times the length. That's because the worst case for the current behavior is a sequence of single-quotes which is written as ''\'''\'''\''...'\''' and the worst case for the proposed behaviour is alternating escaped/non-escaped characters as in 'x'\\'x'\\'x'\\...'x', therefore every 2 characters are turned into 5 with possibly an extra character at the end.

Previous Comments:
------------------------------------------------------------------------
[2012-04-13 00:51:55] zhanglijiu at gmail dot com

My result is \\
my system is Mac OS
Should be bash

------------------------------------------------------------------------
[2012-04-12 22:22:04] phpbugs at personal dot formauri dot es

Description:
------------
Depending on the shell, for shell internal commands the backslashes within single quotes are interpreted as escapes or are used verbatim. For example, in bash and in busybox:

    $ echo '\\'
    \\

But in dash:

    $ echo '\\'
    \

dash is frequently set as the default /bin/sh so this is a problem. More so since some programs need to get their input from stdin and therefore they need the use of 'echo' for input not coming from a file or being input from the console.

To work around the backslash inconsistency among shells, backslashes should receive special treatment as quotes do, e.g. translate \ to '\\'.

I was tempted to send this as a security issue, but the scenarios where security could be at risk are too improbable for it to be a serious security concern.

Ideally though, no unnecessary quotes should be used in the output string, e.g. escapeshellarg should convert '''abc\\'\ into \'\'\''abc'\'\\. Currently it converts '''abc\\'\ into ''\'''\'''\''abc\\'\''\' which exhibits the bug and is unnecessarily large. For backwards compatibility, maybe an extra argument should be added to also quote backslashes and use a new method of quoting.

Here is a PHP function that implements the suggestions here, using strspn and strcspn to grab the longest spans that it can eat at a time of each kind (characters to escape / characters not to escape):
http://www.formauri.es/personal/pgimeno/temp/sh_escape.phps (includes test suite).

Test script:
---------------
<?php
$backslash = "\\";
system('echo ' . escapeshellarg($backslash . $backslash));
?>

Expected result:
----------------
No matter the shell:
\\

Actual result:
--------------
If your /bin/sh is dash:
\
If your /bin/sh is busybox:
\\
Other shells: ??
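
The two quoting schemes discussed in this thread, modelled in Python as an added example (not code from the report or from PHP). The names escape_current and escape_proposed are illustrative, shlex stands in for the shell's word parsing, and the sample arguments are constructed; the block checks that both forms parse back to the same argument and reproduces the 4n+2 and ceil(5n/2) worst cases.

```python
import math
import re
import shlex

def escape_current(arg):
    """Model of the current Unix behaviour described in the report:
    one single-quoted string, each ' rewritten as '\\'' ."""
    return "'" + arg.replace("'", "'\\''") + "'"

def escape_proposed(arg):
    """Run-switching scheme from the report: runs of ' and \\ are
    backslash-escaped outside quotes, all other runs are single-quoted."""
    parts = []
    for special, plain in re.findall(r"([\\']+)|([^\\']+)", arg):
        if special:
            parts.append("".join("\\" + ch for ch in special))
        else:
            parts.append("'" + plain + "'")
    return "".join(parts) or "''"   # an empty argument still needs a word

def shell_word(quoted):
    """Parse one quoted word with POSIX quoting rules (shlex stands in for sh)."""
    words = shlex.split(quoted, posix=True)
    assert len(words) == 1
    return words[0]

def worst_case_lengths(n):
    """Output lengths for the two worst cases named in the comment."""
    quotes = "'" * n                  # worst case for the current scheme
    alternating = ("x\\" * n)[:n]     # worst case for the proposed scheme
    return len(escape_current(quotes)), len(escape_proposed(alternating))

# Constructed sample arguments.
SAMPLES = ["", "abc", "\\\\", "it's", "a\\b'c d", "x\\x\\x", "$HOME; `date`\n"]

if __name__ == "__main__":
    for s in SAMPLES:
        cur, new = escape_current(s), escape_proposed(s)
        assert shell_word(cur) == shell_word(new) == s
        print(f"{s!r:20} {cur!r:30} {new!r}")
    n = 9
    print(worst_case_lengths(n), (4 * n + 2, math.ceil(5 * n / 2)))
```

Because both forms parse to the same word, the command receives identical bytes either way; the echo difference noted in the thread arises after that point.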
Bug #61706 [Com]: escapeshellarg behaves inconsistently depending on shell
 ID:                 61706
 Comment by:         phpbugs at personal dot formauri dot es
 Reported by:        phpbugs at personal dot formauri dot es
 Summary:            escapeshellarg behaves inconsistently depending on shell
 Status:             Open
 Type:               Bug
 Package:            Program Execution
 Operating System:   Linux, Unix, maybe OSX, NOT msw
 PHP Version:        5.4Git-2012-04-12 (Git)
 Block user comment: N
 Private report:     N

 New Comment:

Patch here:
http://www.formauri.es/personal/pgimeno/temp/escapeshellarg-bug-61706.patch
[PHP-BUG] Bug #61706 [NEW]: escapeshellarg behaves inconsistently depending on shell
From:
Operating system: Linux, Unix, maybe OSX, NOT msw
PHP version:      5.4Git-2012-04-12 (Git)
Package:          Program Execution
Bug Type:         Bug
Bug description:  escapeshellarg behaves inconsistently depending on shell

Description:
------------
Depending on the shell, for shell internal commands the backslashes within single quotes are interpreted as escapes or are used verbatim. For example, in bash and in busybox:

    $ echo '\\'
    \\

But in dash:

    $ echo '\\'
    \

dash is frequently set as the default /bin/sh so this is a problem. More so since some programs need to get their input from stdin and therefore they need the use of 'echo' for input not coming from a file or being input from the console.

To work around the backslash inconsistency among shells, backslashes should receive special treatment as quotes do, e.g. translate \ to '\\'.

I was tempted to send this as a security issue, but the scenarios where security could be at risk are too improbable for it to be a serious security concern.

Ideally though, no unnecessary quotes should be used in the output string, e.g. escapeshellarg should convert '''abc\\'\ into \'\'\''abc'\'\\. Currently it converts '''abc\\'\ into ''\'''\'''\''abc\\'\''\' which exhibits the bug and is unnecessarily large. For backwards compatibility, maybe an extra argument should be added to also quote backslashes and use a new method of quoting.

Here is a PHP function that implements the suggestions here, using strspn and strcspn to grab the longest spans that it can eat at a time of each kind (characters to escape / characters not to escape):
http://www.formauri.es/personal/pgimeno/temp/sh_escape.phps (includes test suite).

Test script:
---------------
<?php
$backslash = "\\";
system('echo ' . escapeshellarg($backslash . $backslash));
?>

Expected result:
----------------
No matter the shell:
\\

Actual result:
--------------
If your /bin/sh is dash:
\
If your /bin/sh is busybox:
\\
Other shells: ??
#40114 [NEW]: mt_srand() generates the same sequences with consecutive seeds
From:             Pedro Gimeno phpbugs at personal dot formauri dot es
Operating system: any
PHP version:      5.2.0
PHP Bug Type:     Math related
Bug description:  mt_srand() generates the same sequences with consecutive seeds

Description:
------------
When calling mt_srand with seed 0, the resulting sequence is the same as with seed 1; when calling it with seed 2, the sequence is the same as with seed 3, etc., generating the same sequences for even numbers as for these numbers + 1.

The problem seems to come from this line:

    register php_uint32 x = (seed | 1U) & 0xFFFFFFFFU, *s = BG(state);

The | 1U is apparently there to force the seed being odd, due to the fact that the initialization uses a pure multiplicative linear-congruential generator. Replacing the line:

    *s++ = (x *= 69069U) & 0xFFFFFFFFU);

with e.g.:

    *s++ = (x *= 69069U, ++x) & 0xFFFFFFFFU);

should eliminate the requirement that the seed be odd. The generator X -> (X*69069+1) mod 2**32 is the 'VAX generator', has decent short-term randomness properties and works fairly well for this purpose (Wikipedia's article about MT uses it). The pure multiplicative X -> (X*69069) mod 2**32 is not so well studied and does not work well with all seeds.

The seeding requirements of MT are just that not all elements are zero, which is guaranteed in this case. However, please consider using e.g. the algorithm in init_genrand() in http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/MT2002/CODES/mt19937ar.c instead. See justification in http://www.math.sci.hiroshima-u.ac.jp/~m-mat/MT/MT2002/emt19937ar.html.

Reproduce code:
---------------
<?php
for ($i = 0; $i < 10; $i++) {
    mt_srand($i);
    echo mt_rand(0, mt_getrandmax()), ", ", mt_rand(0, mt_getrandmax()), "\n";
}
?>

Expected result:
----------------
All lines different.

Actual result:
--------------
Lines are equal by pairs.
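
The seeding behaviour described in the report, modelled in Python as an added example (not PHP's source). init_current follows the quoted line with (seed | 1U), init_proposed uses the suggested X*69069+1 step without the forced odd bit, and N = 624 is the standard MT19937 state size, assumed here.

```python
MASK = 0xFFFFFFFF
N = 624  # MT19937 state size in 32-bit words (assumption: standard MT19937)

def init_current(seed, n=N):
    """State fill as quoted in the report: force the seed odd, then x *= 69069."""
    x = (seed | 1) & MASK
    state = [x]
    for _ in range(n - 1):
        x = (x * 69069) & MASK
        state.append(x)
    return state

def init_proposed(seed, n=N):
    """Report's suggestion: x = x*69069 + 1 (the 'VAX generator'), seed used as is."""
    x = seed & MASK
    state = [x]
    for _ in range(n - 1):
        x = (x * 69069 + 1) & MASK
        state.append(x)
    return state

def colliding_pairs(init, seeds):
    """Return (first_seed, later_seed) pairs whose whole initial state is identical."""
    seen = {}
    pairs = []
    for seed in seeds:
        key = tuple(init(seed))
        if key in seen:
            pairs.append((seen[key], seed))
        else:
            seen[key] = seed
    return pairs

def all_zero_without_odd_bit(n=N):
    """Why the | 1U exists: a pure multiplicative fill from seed 0 stays at zero."""
    x, state = 0, [0]
    for _ in range(n - 1):
        x = (x * 69069) & MASK
        state.append(x)
    return not any(state)

if __name__ == "__main__":
    print("current :", colliding_pairs(init_current, range(10)))
    print("proposed:", colliding_pairs(init_proposed, range(10)))
    print("seed 0, no odd bit, all zero:", all_zero_without_odd_bit())
    print("proposed seed 0 has nonzero words:", any(init_proposed(0)))
```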