From: brion at pobox dot com
Operating system: Mac OS X
PHP version: Irrelevant
PHP Bug Type: Documentation problem
Bug description: Inaccurate documentation about popen() escaping in safe_mode
Description:
This bug was reported some months ago about odd escaping in
popen() when safe_mode is on:
http://bugs.php.net/bug.php?id=32701
Arguments correctly escaped, as with escapeshellarg(), end
up being unexpectedly corrupted under safe_mode with the
addition of unexpected backslashes.
The bug was marked as BOGUS. If this is the intended
behavior, the documentation needs to be modified to reflect
this. Currently the docs for popen() and several other
functions include only this caveat:
"With safe mode enabled, all words following the initial
command string are treated as a single argument. Thus, echo
y | echo x becomes echo "y | echo x"."
However that is *false*:
1) Multiple arguments are sent where separated by spaces.
2) Quotes seem to be understood, so multi-word arguments are
themselves passed intact.
3) In addition to this sensible behavior, many characters
have backslashes inserted before them, even if they are
inside already-quoted arguments.
Accurate documentation, and an explanation of how to get
parameters to the other program without corruption, would be
a huge help in making our programs work correctly under
safe_mode.
cf http://bugzilla.wikimedia.org/show_bug.cgi?id=3891#c13
Reproduce code:
---
<?php
$r = popen("echo '-=< Test >=-'", "r");
print(stream_get_contents($r));
pclose($r);
?>
Expected result:
-=< Test >=-
Actual result:
--
-=\< Test \>=-
--
Edit bug report at http://bugs.php.net/?id=35161&edit=1
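
The following is an added example, not part of the original report or of PHP's own code. It reproduces the reported corruption on a PHP build without safe_mode, on the assumption that the safe_mode pass behaves like escapeshellcmd() applied to the whole command line. It assumes a Unix-like /bin/sh with printf available; the helper names and the sample arguments other than the report's string are constructed for illustration.

```php
<?php
// Added example (not from the bug report). Assumption: the safe_mode pass
// behaves like escapeshellcmd() applied to the whole command line.

/** Run $cmd via popen() and return everything the child wrote to stdout. */
function run_and_read(string $cmd): string
{
    $h = popen($cmd, 'r');
    if ($h === false) {
        throw new RuntimeException("popen() failed for: $cmd");
    }
    $out = stream_get_contents($h);
    pclose($h);
    return $out;
}

/** Show what the child receives before and after the second escaping pass. */
function compare(string $arg): array
{
    // printf %s prints its argument byte for byte (no echo-style escapes).
    $quoted  = 'printf %s ' . escapeshellarg($arg);
    $escaped = escapeshellcmd($quoted);   // stand-in for the safe_mode pass
    return [
        'quoted_cmd'  => $quoted,
        'escaped_cmd' => $escaped,
        'quoted_out'  => run_and_read($quoted),
        'escaped_out' => run_and_read($escaped),
    ];
}

// Constructed sample arguments; the first is the string from the report.
$samples = ['-=< Test >=-', 'two words', 'a|b;c', 'price: $5 (approx)'];

foreach ($samples as $arg) {
    $r = compare($arg);
    printf("argument      : %s\n", $arg);
    printf("  quoted cmd  : %s\n", $r['quoted_cmd']);
    printf("  child got   : %s\n", $r['quoted_out']);
    printf("  escaped cmd : %s\n", $r['escaped_cmd']);
    printf("  child got   : %s%s\n\n", $r['escaped_out'],
        $r['escaped_out'] === $arg ? '' : '   <-- altered');
}
```

The second pass inserts a backslash before shell metacharacters even inside single quotes, where the shell treats the backslash as a literal character, so the child receives it as data.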