Edit report at https://bugs.php.net/bug.php?id=61706&edit=1
ID: 61706
Comment by: zhanglijiu at gmail dot com
Reported by: phpbugs at personal dot formauri dot es
Summary: escapeshellarg behaves inconsistently depending on
shell
Status: Open
Type: Bug
Package: Program Execution
Operating System: Linux, Unix, maybe OSX, NOT msw
PHP Version: 5.4Git-2012-04-12 (Git)
Block user comment: N
Private report: N
New Comment:
My result is \\
my system is Mac OS
SHould be bash
Previous Comments:
------------------------------------------------------------------------
[2012-04-12 22:22:04] phpbugs at personal dot formauri dot es
Description:
------------
Depending on the shell, for shell internal commands the backslashes within
single quotes are interpreted as escapes or are used verbatim. For example, in
bash and in busybox:
$ echo '\\'
\\
But in dash:
$ echo '\\'
\
dash is frequently set as the default /bin/sh so this is a problem. More so
since some programs need to get their input from stdin and therefore they need
the use of 'echo' for input not coming from a file or being input from the
console.
To work around the backslash inconsistency among shells, backslashes should
receive special treatment as quotes do, e.g. translate \ to '\\'.
I was tempted of sending this as a security issue, but the scenarios where
security could be in risk are too improbable for it to be a serious security
concern.
Ideally though, no unnecessary quotes should be used in the output string, e.g.
escapeshellarg should convert '''abc\\'\ into \'\'\''abc'\\\\\'\\. Currently it
converts '''abc\\'\ into ''\'''\'''\''abc\\'\''\' which exhibits the bug and is
unnecessarily large.
For backwards compatibility, maybe an extra argument should be added to also
quote backslashes and use a new method of quoting.
Here is a PHP function that implements the suggestions here, using strspn and
strcspn to grab the longest spans that it can "eat" at a time of each kind
(characters to escape / characters not to escape):
http://www.formauri.es/personal/pgimeno/temp/sh_escape.phps (includes test
suite).
Test script:
---------------
<?php
$backslash = "\\";
system('echo ' . escapeshellarg($backslash . $backslash));
?>
Expected result:
----------------
No matter the shell:
\\
Actual result:
--------------
If your /bin/sh is dash:
\
If your /bin/sh is busybox:
\\
Other shells: ??
------------------------------------------------------------------------
--
Edit this bug report at https://bugs.php.net/bug.php?id=61706&edit=1
