ID: 43784 Updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] -Status: Open +Status: Assigned Bug Type: Program Execution Operating System: Windows PHP Version: 6CVS-2008-01-08 (snap) -Assigned To: +Assigned To: iliaa New Comment:
I'm assigning it to you ilia, as you made the original patch as well. Previous Comments: ------------------------------------------------------------------------ [2008-01-08 09:10:01] [EMAIL PROTECTED] This is because of the following commit: http://cvs.php.net/viewvc.cgi/php-src/ext/standard/exec.c?r1=1.84.2.13&r2=1.84.2.14 which was a reaction to a security bulletin. However, just stripping out the % is not the solution, as it can only be used to access env vars *outside* strings, and with a matching %. However, just stripping them out is not a good solution as it hinders real life use of it like in this example. ------------------------------------------------------------------------ [2008-01-08 09:04:37] [EMAIL PROTECTED] Description: ------------ escapeshellarg(string) removes all % out of it. This results in a non working version for arguments that requires % for formating. ie. imagick identify.exe identify -format "%m" myimage.png Reproduce code: --------------- <?php echo escapeshellarg('%m %f %v'); Expected result: ---------------- '%m %f %v' Actual result: -------------- ' m f v' ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=43784&edit=1
