From: 
Operating system: Linux, Unix, maybe OSX, NOT msw
PHP version: 5.4Git-2012-04-12 (Git)
Package: Program Execution
Bug Type: Bug
Bug description: escapeshellarg behaves inconsistently depending on shell

Description:
------------
Depending on the shell, for shell internal commands the backslashes within single quotes are interpreted as escapes or are used verbatim. For example, in bash and in busybox:

$ echo '\\'
\\

But in dash:

$ echo '\\'
\

dash is frequently set as the default /bin/sh so this is a problem. More so since some programs need to get their input from stdin and therefore they need the use of 'echo' for input not coming from a file or being input from the console.

To work around the backslash inconsistency among shells, backslashes should receive special treatment as quotes do, e.g. translate \ to '\\'.

I was tempted to send this as a security issue, but the scenarios where security could be at risk are too improbable for it to be a serious security concern.

Ideally though, no unnecessary quotes should be used in the output string, e.g. escapeshellarg should convert '''abc\\'\ into \'\'\''abc'\\\\\'\\. Currently it converts '''abc\\'\ into ''\'''\'''\''abc\\'\''\' which exhibits the bug and is unnecessarily large.

For backwards compatibility, maybe an extra argument should be added to also quote backslashes and use a new method of quoting.

Here is a PHP function that implements the suggestions here, using strspn and strcspn to grab the longest spans that it can "eat" at a time of each kind (characters to escape / characters not to escape): http://www.formauri.es/personal/pgimeno/temp/sh_escape.phps (includes test suite).

Test script:
---------------
<?php
$backslash = "\\";
system('echo ' . escapeshellarg($backslash . $backslash));
?>

Expected result:
----------------
No matter the shell:
\\

Actual result:
--------------
If your /bin/sh is dash:
\
If your /bin/sh is busybox:
\\
Other shells:
??

-- 
Edit bug report at https://bugs.php.net/bug.php?id=61706&edit=1
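
An added example, not part of the report or of PHP: a POSIX sh script that quotes a string the way the report says escapeshellarg currently does, then passes it to a fresh `sh -c` once with `printf '%s'` and once with `echo`, so the quoting layer and the `echo` builtin can be observed separately. The function names and sample strings are constructed here, and it assumes `sh` is on PATH.

```shell
#!/bin/sh
# Added example; sq_quote, via_printf and via_echo are hypothetical names.

# Single-quote a string: wrap it in '...' and turn each embedded ' into '\''.
sq_quote() {
    s=$1 out=
    while :; do
        case $s in
            *\'*) out=$out${s%%\'*}"'\\''"; s=${s#*\'} ;;
            *)    out=$out$s; break ;;
        esac
    done
    printf '%s' "'$out'"
}

# Hand the quoted word to a new shell and print it with printf '%s',
# which never interprets backslashes in its arguments.
via_printf() {
    sh -c "printf '%s' $(sq_quote "$1")"
}

# Same word, printed with the echo builtin. POSIX leaves echo's handling of
# backslashes implementation-defined, so this output depends on what sh is.
via_echo() {
    sh -c "echo $(sq_quote "$1")"
}

# Constructed samples: the two backslashes from the report's test script,
# the report's '''abc\\'\ string, and a literal backslash followed by n.
for sample in '\\' "'''abc\\\\'\\" 'a\nb'; do
    printf 'input:  %s\n' "$sample"
    printf 'quoted: %s\n' "$(sq_quote "$sample")"
    printf 'printf: %s\n' "$(via_printf "$sample")"
    printf 'echo:   %s\n' "$(via_echo "$sample")"
done
```

From PHP the equivalent is to build the command with `printf '%s'` plus `escapeshellarg($data)`, or to write the data to the child's stdin through `proc_open`, rather than going through `echo`.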