From 9ca449e0a803cb9d1d40fd6b83f2da1e6a7b46d9 Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Tue, 21 Jan 2020 10:05:33 +0100 Subject: Make quoting of cmd execution functions consistent While the `$command` passed to `proc_open()` had to be wrapped in double-quotes manually, that was implicitly done for all other program execution functions. This could easily introduce bugs and even security issues when switching from one to another program execution function. Furthermore we ensure that the additional quotes are always unwrapped regardless of what is passed as `$command` by passing the `/s` flag to cmd.exe. As it was, `shell_exec('path with spaces/program.exe')` did execute program.exe, but adding an argument (`shell_exec('path with spaces/program.exe -h)`) failed to execute program.exe, because cmd.exe stripped the additional quotes. While these changes obviously can cause BC breaks, we feel that in the long run the benefits of having consistent behavior for all program execution functions outweighs the drawbacks of potentially breaking some code now. --- TSRM/tsrm_win32.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'TSRM') diff --git a/TSRM/tsrm_win32.c b/TSRM/tsrm_win32.c index 5287bd23d6..45cfbba7e5 100644 --- a/TSRM/tsrm_win32.c +++ b/TSRM/tsrm_win32.c @@ -478,12 +478,12 @@ TSRM_API FILE *popen_ex(const char *command, const char *type, const char *cwd, return NULL; } - cmd = (char*)malloc(strlen(command)+strlen(TWG(comspec))+sizeof(" /c ")+2); + cmd = (char*)malloc(strlen(command)+strlen(TWG(comspec))+sizeof(" /s /c ")+2); if (!cmd) { return NULL; } - sprintf(cmd, "%s /c \"%s\"", TWG(comspec), command); + sprintf(cmd, "%s /s /c \"%s\"", TWG(comspec), command); cmdw = php_win32_cp_any_to_w(cmd); if (!cmdw) { free(cmd); -- cgit v1.2.1
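Review bot: The malloc() size and the sprintf() format in popen_ex() each carry their own copy of the " /s /c " literal, so the buffer is only large enough as long as both lines are edited together, as they had to be in this change. The arithmetic is correct as written (sizeof counts the terminating NUL and the +2 covers the two added quote characters), but computing the length once and writing with snprintf(cmd, len, ...), or deriving both from a single shared format constant, would keep a future edit to one of the two lines from turning into a heap overflow. A short comment above the sprintf() would also help: it should say that /s is there so cmd.exe always strips the outer quote pair added here, and that command is inserted between those quotes unescaped, so quoting of individual arguments remains the caller's responsibility.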