Edit report at https://bugs.php.net/bug.php?id=32701&edit=1

 ID:                 32701
 Updated by:         re...@php.net
 Reported by:        kosmo at miechow dot com
 Summary:            Safe-mode popen(): escaping problem
-Status:             Open
+Status:             Closed
 Type:               Feature/Change Request
-Package:            Feature/Change Request
+Package:            *General Issues
 Operating System:   Linux
 PHP Version:        5.0.4
-Assigned To:        
+Assigned To:        reeze
 Block user comment: N
 Private report:     N

 New Comment:

Safe mode was gone.


Previous Comments:
------------------------------------------------------------------------
[2005-11-13 02:31:42] 5Wupdd51ogZj7Lm8B at anime dot net

Is there any link to more detailed info about safe_mode going away, and how php 
is handling security in the next release?

------------------------------------------------------------------------
[2005-11-09 12:57:50] sni...@php.net

It's still not a bug but a change request. Reclassified.

You can provide a patch if you wish. The fact is that we're going to remove the 
whole "safe-mode" anyway, so you're basically wasting your time. This is not 
the only thing that goes wrong with it..



------------------------------------------------------------------------
[2005-11-09 12:09:52] vr...@php.net

It works badly. There's no way to echo '-=< Test >=-' in safe_mode. No characters 
inside single quotes should be escaped by php_escape_shell_cmd() as they have 
no special meaning.

I can prepare a patch for it if it will be accepted.

------------------------------------------------------------------------
[2005-04-14 09:51:57] sni...@php.net

This is how it works. No bug here.


------------------------------------------------------------------------
[2005-04-14 09:22:15] kosmo at miechow dot com

Description:
------------
In safe-mode popen() is escaping the command line by calling 
php_escape_shell_cmd(). This function is escaping the command line
and changing valid command arguments. IMHO there should be a way to disable 
this escaping and run in safe-mode.

Reproduce code:
---------------
<?php
$r = popen("echo '-=< Test >=-'", "r");
print(stream_get_contents($r));
pclose($r);
?>


Expected result:
----------------
-=< Test >=-

Actual result:
--------------
-=\< Test \>=-


------------------------------------------------------------------------
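
The behaviour in the report above, reproduced with userland functions, as an added example that is not part of the original thread: escapeshellcmd() (the userland function that calls php_escape_shell_cmd()) applied to the whole command line, next to escapeshellarg() applied to the argument alone. It assumes a POSIX shell as on the reporter's Linux system; run_cmd() and the sample arguments other than the report's are constructed for illustration.

```php
<?php
// Added example, not code from the PHP source tree or from the thread.
// Assumes a POSIX /bin/sh, as on the reporter's Linux system.

/** Run a command line through popen() and return its output without the trailing newline. */
function run_cmd(string $cmd): string
{
    $h = popen($cmd, 'r');
    if ($h === false) {
        throw new RuntimeException("popen() failed for: $cmd");
    }
    $out = stream_get_contents($h);
    pclose($h);
    return rtrim($out, "\n");
}

// Constructed sample arguments; the first is the one from the report.
$samples = ["-=< Test >=-", "a*b?c", "O'Brien & Sons"];

foreach ($samples as $arg) {
    // Whole-line escaping, which is what safe-mode popen() applied.
    // escapeshellcmd() puts a backslash before shell metacharacters such as
    // < > * ? even when they sit inside a quoted string, where the shell
    // keeps that backslash as literal data. Wrapping the value in '...' by
    // hand also breaks as soon as the value itself contains a single quote.
    $whole = escapeshellcmd("echo '" . $arg . "'");

    // Per-argument quoting: escapeshellarg() wraps the value in single quotes
    // and handles embedded single quotes, so the program receives the
    // argument unchanged and the command name stays under the caller's control.
    $perArg = "echo " . escapeshellarg($arg);

    printf("argument        : %s\n", $arg);
    printf("escapeshellcmd  : %s\n", $whole);
    printf("  echo printed  : %s\n", run_cmd($whole));
    printf("escapeshellarg  : %s\n", $perArg);
    printf("  echo printed  : %s\n\n", run_cmd($perArg));
}
```

Comparing each "echo printed" line with its "argument" line shows where the two approaches preserve the value and where they alter it.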


