 ID:               43784
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
 Status:           Assigned
 Bug Type:         Program Execution
 Operating System: Windows
 PHP Version:      6CVS-2008-01-08 (snap)
-Assigned To:      iliaa
+Assigned To:      scottmac
 New Comment:

Assigned to Scott to see if this problem can't be solved with the one
described in #43261


Previous Comments:
------------------------------------------------------------------------

[2008-01-08 09:10:24] [EMAIL PROTECTED]

I'm assigning it to you ilia, as you made the original patch as well.

------------------------------------------------------------------------

[2008-01-08 09:10:01] [EMAIL PROTECTED]

This is because of the following commit:
http://cvs.php.net/viewvc.cgi/php-src/ext/standard/exec.c?r1=1.84.2.13&r2=1.84.2.14
which was a reaction to a security bulletin. However, just stripping out
the % is not the solution, as it can only be used to access env vars
*outside* strings, and with a matching %. However, just stripping them
out is not a good solution as it hinders real life use of it like in
this example.

------------------------------------------------------------------------

[2008-01-08 09:04:37] [EMAIL PROTECTED]

Description:
------------
escapeshellarg(string) removes all % out of it.
This results in a non-working version for arguments that require % for
formatting.

i.e. imagick identify.exe

identify -format "%m" myimage.png

Reproduce code:
---------------
<?php
echo escapeshellarg('%m %f %v');

Expected result:
----------------
'%m %f %v'

Actual result:
--------------
' m f v'


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=43784&edit=1
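
Added example, not part of the bug report or of PHP's source: the thread is about getting a literal % through to a program such as identify, and this sketch does that without a shell by giving proc_open() an argument array (supported from PHP 7.4), so there is no command string for escapeshellarg() to rewrite. The helper name run_argv and the sample strings are made up for illustration.

```php
<?php
// Added example: run_argv() is a hypothetical helper, not PHP's own code.
// Assumes PHP >= 7.4, where proc_open() accepts an argv array and starts
// the program directly instead of passing a command string to a shell.

function run_argv(array $argv): array
{
    $spec = [
        1 => ['pipe', 'w'], // child's stdout
        2 => ['pipe', 'w'], // child's stderr
    ];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ' . $argv[0]);
    }
    // Output here is small; for large output read both pipes with stream_select().
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['exit' => proc_close($proc), 'stdout' => $out, 'stderr' => $err];
}

// Constructed inputs: the format string from the report, and a second
// argument full of characters a shell would otherwise interpret.
$format  = '%m %f %v';
$hostile = 'a.png" & echo %PATH% ; $(id)';

// The child is the PHP binary itself, echoing its arguments back as JSON,
// so the example runs without ImageMagick installed.
$echoArgs = 'echo json_encode(array_slice($argv, 1));';
$result   = run_argv([PHP_BINARY, '-r', $echoArgs, '--', $format, $hostile]);

$received = json_decode($result['stdout'], true);
$intact   = ($received === [$format, $hostile]);

echo 'child received: ', $result['stdout'], PHP_EOL;
echo 'arguments intact: ', $intact ? 'yes' : 'no', PHP_EOL;

// For comparison, the string-escaping path the report is about:
echo 'escapeshellarg(): ', escapeshellarg($format), PHP_EOL;

// The command from the report in the same style (needs ImageMagick):
// run_argv(['identify', '-format', '%m', 'myimage.png']);
```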
