ID:               32701
Comment by:       5Wupdd51ogZj7Lm8B at anime dot net
Reported By:      kosmo at miechow dot com
Status:           Open
Bug Type:         Feature/Change Request
Operating System: Linux
PHP Version:      5.0.4
New Comment:

Is there any link to more detailed info about safe_mode going away, and how PHP is handling security in the next release?


Previous Comments:
------------------------------------------------------------------------

[2005-11-09 12:57:50] [EMAIL PROTECTED]

It's still not a bug but a change request. Reclassified.
You can provide a patch if you wish.
The fact is that we're going to remove the whole "safe-mode" anyway, so you're basically wasting your time. This is not the only thing that goes wrong with it.

------------------------------------------------------------------------

[2005-11-09 12:09:52] [EMAIL PROTECTED]

It works bad. There's no way to echo '-=< Test >=-' in safe_mode.
No characters inside single quotes should be escaped by php_escape_shell_cmd() as they have no special meaning.
I can prepare a patch for it if it will be accepted.

------------------------------------------------------------------------

[2005-04-14 09:51:57] [EMAIL PROTECTED]

This is how it works. No bug here.

------------------------------------------------------------------------

[2005-04-14 09:22:15] kosmo at miechow dot com

Description:
------------
In safe-mode popen() is escaping the command line by calling php_escape_shell_cmd(). This function is escaping the command line and changing valid command arguments. IMHO there should be any way to disable this escaping and run in safe-mode.

Reproduce code:
---------------
<?php
$r = popen("echo '-=< Test >=-'", "r");
print(stream_get_contents($r));
pclose($r);
?>

Expected result:
----------------
-=< Test >=-

Actual result:
--------------
-=\< Test \>=-

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=32701&edit=1
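
Added example (not part of the bug report and not PHP's source): a simplified Python model of the behaviour discussed in this thread, showing why backslashes added inside single quotes reach the program as data, next to a quote-aware variant of the kind the 2005-11-09 12:09:52 comment asks for. The metacharacter set META and all function names are assumptions for illustration, and shlex.split stands in for POSIX shell word parsing.

```python
import shlex

# Assumed metacharacter set for this model; not copied from PHP's source.
META = set("#&;`|*?~<>^()[]{}$\\\n")

REPORT_CMD = "echo '-=< Test >=-'"   # command from the bug report


def escape_whole_command(cmd: str) -> str:
    """Quote-unaware model: backslash every metacharacter, wherever it is.
    Quote characters are left alone, as in the report's actual result."""
    return "".join("\\" + c if c in META else c for c in cmd)


def escape_outside_single_quotes(cmd: str) -> str:
    """Quote-aware variant: a closed '...' pair is copied verbatim because
    the shell treats every byte inside it literally; everything else is
    escaped. An unpaired quote is itself escaped so it cannot open a quoted
    region that hides later metacharacters."""
    out, i = [], 0
    while i < len(cmd):
        c = cmd[i]
        if c == "'":
            end = cmd.find("'", i + 1)
            if end == -1:                 # unpaired quote: neutralise it
                out.append("\\'")
                i += 1
            else:                         # closed pair: copy as-is
                out.append(cmd[i:end + 1])
                i = end + 1
            continue
        out.append("\\" + c if c in META else c)
        i += 1
    return "".join(out)


def shell_words(cmd: str) -> list:
    """Words a POSIX shell would pass to the program (modelled by shlex)."""
    return shlex.split(cmd, posix=True)


if __name__ == "__main__":
    for name, fn in (("quote-unaware", escape_whole_command),
                     ("quote-aware", escape_outside_single_quotes)):
        escaped = fn(REPORT_CMD)
        print(f"{name:14} {escaped!r} -> argv {shell_words(escaped)}")
```
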