authorChristoph M. Becker <cmbecker69@gmx.de>2020-01-21 10:05:33 +0100
committerChristoph M. Becker <cmbecker69@gmx.de>2020-02-17 23:17:17 +0100
commit9ca449e0a803cb9d1d40fd6b83f2da1e6a7b46d9 (patch)
treee7df197ed005e3c5cbf9a2dd44b40a08604bb576
parent72737b066007fa22dd341f0df9092c18f6e5a15c (diff)
downloadphp-git-9ca449e0a803cb9d1d40fd6b83f2da1e6a7b46d9.tar.gz
Make quoting of cmd execution functions consistent
While the `$command` passed to `proc_open()` had to be wrapped in double-quotes manually, that was implicitly done for all other program execution functions. This could easily introduce bugs and even security issues when switching from one program execution function to another. Furthermore, we ensure that the additional quotes are always unwrapped regardless of what is passed as `$command` by passing the `/s` flag to cmd.exe. As it was, `shell_exec('path with spaces/program.exe')` did execute program.exe, but adding an argument (`shell_exec('path with spaces/program.exe -h')`) failed to execute program.exe, because cmd.exe stripped the additional quotes. While these changes obviously can cause BC breaks, we feel that in the long run the benefits of having consistent behavior for all program execution functions outweigh the drawbacks of potentially breaking some code now.
-rw-r--r--NEWS1
-rw-r--r--TSRM/tsrm_win32.c4
-rw-r--r--UPGRADING5
-rw-r--r--ext/standard/proc_open.c4
4 files changed, 10 insertions, 4 deletions
diff --git a/NEWS b/NEWS
index 7d7d86b102..f9a3a46761 100644
--- a/NEWS
+++ b/NEWS
@@ -108,6 +108,7 @@ PHP NEWS
filter). (kkopachev)
. Fixed bug #78385 (parse_url() does not include 'query' when question mark
is the last char). (Islam Israfilov)
+ . Made quoting of cmd execution functions consistent. (cmb)
- tidy:
. Removed the unused $use_include_path parameter from tidy_repair_string().
diff --git a/TSRM/tsrm_win32.c b/TSRM/tsrm_win32.c
index 5287bd23d6..45cfbba7e5 100644
--- a/TSRM/tsrm_win32.c
+++ b/TSRM/tsrm_win32.c
@@ -478,12 +478,12 @@ TSRM_API FILE *popen_ex(const char *command, const char *type, const char *cwd,
return NULL;
}
- cmd = (char*)malloc(strlen(command)+strlen(TWG(comspec))+sizeof(" /c ")+2);
+ cmd = (char*)malloc(strlen(command)+strlen(TWG(comspec))+sizeof(" /s /c ")+2);
if (!cmd) {
return NULL;
}
- sprintf(cmd, "%s /c \"%s\"", TWG(comspec), command);
+ sprintf(cmd, "%s /s /c \"%s\"", TWG(comspec), command);
cmdw = php_win32_cp_any_to_w(cmd);
if (!cmdw) {
free(cmd);
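Review bot: The `malloc` size and the unbounded `sprintf` two lines below it are kept in step only by hand, so a later edit to either one alone becomes a heap overflow. Today they match exactly: `sizeof(" /s /c ")` counts 8 bytes including the NUL and `+2` covers the two quotes, which is precisely what the format writes. Computing the size once and bounding the write would turn such a mismatch into truncation, e.g. `size_t cmd_len = strlen(command) + strlen(TWG(comspec)) + sizeof(" /s /c \"\"");` followed by `snprintf(cmd, cmd_len, "%s /s /c \"%s\"", TWG(comspec), command);`. A comment such as `/* /s makes cmd.exe strip only the outer quote pair added here; command is passed through unescaped */` would also stop readers from taking the wrapping quotes for argument escaping, which remains the caller's job for untrusted input. popen_ex starts and ends outside the hunk.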
diff --git a/UPGRADING b/UPGRADING
index 5174a2e52f..785e89b69f 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -472,6 +472,11 @@ PHP 8.0 UPGRADE NOTES
12. Windows Support
========================================
+- Standard:
+ . Program execution functions (proc_open(), exec(), popen() etc.) using the
+ shell now consistently execute `%comspec% /s /c "$commandline"`, which has
+ the same effect as executing `$commandline` (without additional quotes).
+
- php-test-pack:
. The test runner has been renamed from run-test.php to run-tests.php, to
match its name in php-src.
diff --git a/ext/standard/proc_open.c b/ext/standard/proc_open.c
index e8ebfad6d7..6f3ddbea78 100644
--- a/ext/standard/proc_open.c
+++ b/ext/standard/proc_open.c
@@ -953,13 +953,13 @@ PHP_FUNCTION(proc_open)
wchar_t *cmdw2;
- len = (sizeof(COMSPEC_NT) + sizeof(" /c ") + tmp_len + 1);
+ len = (sizeof(COMSPEC_NT) + sizeof(" /s /c ") + tmp_len + 3);
cmdw2 = (wchar_t *)malloc(len * sizeof(wchar_t));
if (!cmdw2) {
php_error_docref(NULL, E_WARNING, "Command conversion failed");
goto exit_fail;
}
- ret = _snwprintf(cmdw2, len, L"%hs /c %s", COMSPEC_NT, cmdw);
+ ret = _snwprintf(cmdw2, len, L"%hs /s /c \"%s\"", COMSPEC_NT, cmdw);
if (-1 == ret) {
free(cmdw2);