Escapeshellcmd ignores non-ASCII chars and Japanese chars with Debian 12 and PHP 8.2.26 #17143

Open
AbhilashKyatham opened this issue Dec 13, 2024 · 5 comments


@AbhilashKyatham

Description

The following code:

```php
<?php
// $aLogger and $args are defined elsewhere in the reporter's application.
if (false === setlocale(LC_CTYPE, "en_US.UTF-8")) {
    $aLogger->err("failed locale ");
}
// prepare the escaped string
//$escapedArgs = utf8SafeEscapeShellCmd($args); // working
$escapedArgs = escapeshellcmd($args);
```

Resulted in this output:

Ignores non-ASCII chars and Japanese chars

But I expected this output instead:

It should handle all the chars. The same code is working fine in Debian 9 and PHP 7.0.33.

PHP Version

PHP 8.2.26

Operating System

debian 12

@AbhilashKyatham
Author

The only difference I see is that in Debian 12 the locale is coming as c.utf_8, but in Debian 9 it is en_US.UTF-8.

@cmb69
Member

cmb69 commented Dec 13, 2024

> The only difference I see is that in Debian 12 the locale is coming as c.utf_8, but in Debian 9 it is en_US.UTF-8.

Did your setlocale() call work? (I can't read the logs)

@cmb69
Member

cmb69 commented Dec 13, 2024

Also note that PHP 8.2 won't receive any regular bugfixes, so please check with PHP 8.3 or 8.4.

@AbhilashKyatham
Author

AbhilashKyatham commented Dec 13, 2024

> > The only difference I see is that in Debian 12 the locale is coming as c.utf_8, but in Debian 9 it is en_US.UTF-8.
>
> Did your setlocale() call work? (I can't read the logs)

Yes, it worked and the system locale is also updated to en_US.UTF-8.
I see a similar issue here: php/doc-en#3052, but no solution.
If I use my own function, it works fine.

```php
<?php
function escapeshellcmdInternal($args) {
    // List of characters to escape, leaving multibyte UTF-8 intact
    $unsafeChars = ['&', '#', ';', '`', '|', '*', '?', '~', '<', '>', '^', '(', ')', '[', ']', '{', '}', '$', '\\'];
    // Build a character class from the list; /u makes PCRE treat the input as UTF-8
    $pattern = '/([' . preg_quote(implode('', $unsafeChars), '/') . '])/u';

    // Prefix every matched character with a backslash
    return preg_replace($pattern, '\\\\$1', $args);
}
```

Is my character encoding affecting the escapeShellcmd function, or is it Debian 12 because of C.UTF-8?

@cmb69
Member

cmb69 commented Dec 13, 2024

The point is that escapeshellcmd() is supposed to ignore characters which are invalid for the current LC_CTYPE (that's a security measure; invalid characters can cause all kinds of issues).

Anyway, please provide an SSCCE, something like https://3v4l.org/4WIW6.
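
An added example, not part of the original thread and not PHP's own code: a minimal script in the spirit of the SSCCE requested above, reporting for each candidate LC_CTYPE whether setlocale() succeeded and how many non-ASCII bytes escapeshellcmd() discarded. The helper names, the sample argument and the locale list are assumptions constructed for illustration.

```php
<?php
// Added example. The sample argument and the locale list are constructed;
// adjust the list to the locales generated on your host (see `locale -a`).

/** Count bytes >= 0x80, i.e. bytes that belong to multibyte UTF-8 sequences. */
function highBytes(string $s): int
{
    return (int) preg_match_all('/[\x80-\xFF]/', $s);
}

/**
 * Switch LC_CTYPE to $locale and escape $arg with escapeshellcmd().
 * Returns null when setlocale() fails, which means the locale is unavailable.
 */
function probeEscape(string $locale, string $arg): ?array
{
    $applied = setlocale(LC_CTYPE, $locale);
    if ($applied === false) {
        return null;
    }
    $escaped = escapeshellcmd($arg);
    return [
        'applied' => $applied,
        'escaped' => $escaped,
        // escapeshellcmd() only ever adds ASCII escape characters, so any
        // drop in the high-byte count is input that was silently discarded.
        'dropped' => highBytes($arg) - highBytes($escaped),
    ];
}

$original = setlocale(LC_CTYPE, '0'); // "0" returns the current setting unchanged
// Constructed sample: Japanese text, an accented Latin letter, one metacharacter.
$arg = "grep \u{65E5}\u{672C}\u{8A9E} caf\u{E9}.txt; echo done";

foreach (['C', 'C.UTF-8', 'en_US.UTF-8'] as $locale) {
    $r = probeEscape($locale, $arg);
    if ($r === null) {
        printf("%-12s setlocale() returned false\n", $locale);
        continue;
    }
    printf("%-12s applied=%s dropped=%d escaped=%s\n",
        $locale, $r['applied'], $r['dropped'], $r['escaped']);
}
setlocale(LC_CTYPE, $original); // restore the starting locale
```

A failed setlocale() leaves the previous LC_CTYPE in effect, so code that only logs the failure and continues will escape under whatever locale was active before the call.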
