PHP :: Bug #54391 :: escapeshellarg strip non-ascii characters

Bug #54391 escapeshellarg strip non-ascii characters
Submitted: 2011-03-26 15:12 UTC
Modified: 2025-11-30 12:31 UTC
Votes: 12
Avg. Score: 4.2 ± 0.9
Reproduced: 9 of 9 (100.0%)
Same Version: 4 (44.4%)
Same OS: 5 (55.6%)
From: c dot madmax at gmail dot com
Assigned: bukka
Status: Assigned
Package: Program Execution
PHP Version: any
OS: any
Private report: No
CVE-ID: None

 [2011-03-26 15:12 UTC] c dot madmax at gmail dot com

Description:
------------
escapeshellarg() strips non-ASCII characters if the LANG environment variable is not set to something like LANG=*.ISO-8959-1, e.g. LANG=en_US.ISO-8959-1.

The job of escapeshellarg() is only to escape characters and NOT to remove them!!! The manual says nothing about removing characters!!!

Removing characters can cause horrible results!!!

It shouldn't matter if a shell arg has an ISO-8959-1 charset or a UTF-8 charset or any other charset, because it is possible that one filename has an ISO-8959-1 charset and another filename has a UTF-8 charset!!!

escapeshellarg() should only look for quotes and escape them, and nothing else!!!

PS:
setlocale(LC_ALL, 'en_US.ISO-8959-1') and/or putenv('LANG=en_US.ISO-8959-1') doesn't fix this problem! And I think even if this worked, it's not a good solution!

Test script:
---------------
<?php

$path = escapeshellarg('/home/www-data/äöüÄÖÜß'); // ISO-8959-1 characters =  "\xE4\xF6\xFC\xC4\xD6\xDC\xDF" in hex format

shell_exec(sprintf('rm -fr %s', $path));

echo sprintf('%s removed', $path);

?>

Expected result:
----------------
The test script should remove the folder /home/www-data/äöüÄÖÜß and output:

'/home/www-data/äöüÄÖÜß' removed

Actual result:
--------------
The test script removes the folder /home/www-data/ and outputs:

'/home/www-data/' removed
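
A guard for the failure reported above, added here as an example; it is not part of the report or of PHP. It assumes a POSIX shell, and the names `posix_shell_quote()` and `escapeshellarg_strict()` are hypothetical helpers: the first quotes byte-for-byte regardless of LC_CTYPE, the second refuses to return a value from which escapeshellarg() dropped bytes.

```php
<?php
// Added example, assuming a POSIX /bin/sh (Windows quoting rules differ).

/** Quote $arg for sh byte-for-byte, independent of the process locale. */
function posix_shell_quote(string $arg): string
{
    if (strpos($arg, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in shell argument');
    }
    // Inside single quotes only ' is special: close, emit \', reopen.
    return "'" . str_replace("'", "'\\''", $arg) . "'";
}

/** escapeshellarg() that fails instead of returning a shortened value. */
function escapeshellarg_strict(string $arg): string
{
    $quoted = escapeshellarg($arg);
    // On POSIX the built-in uses the same quoting, so any difference
    // means bytes were dropped as invalid in the current LC_CTYPE.
    if ($quoted !== posix_shell_quote($arg)) {
        throw new RuntimeException(sprintf(
            'escapeshellarg() altered the argument under LC_CTYPE=%s',
            setlocale(LC_CTYPE, '0') // "0" only reads the current locale
        ));
    }
    return $quoted;
}

// Constructed sample: the report's directory name as ISO-8859-1 bytes.
$path = "/home/www-data/\xE4\xF6\xFC\xC4\xD6\xDC\xDF";

try {
    $arg = escapeshellarg_strict($path);
} catch (RuntimeException $e) {
    // Do not run the command on the truncated path; log the event and
    // fall back to byte-preserving quoting (or abort, depending on policy).
    error_log($e->getMessage());
    $arg = posix_shell_quote($path);
}

// Harmless round trip: the shell must hand back exactly the input bytes.
$echoed = shell_exec('printf %s ' . $arg);
var_dump($echoed === $path);
```

Whether the exception path is taken depends on the LC_CTYPE the PHP process runs under, which is why the same script can behave differently under the CLI and a web server.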


 [2011-03-26 15:35 UTC] c dot madmax at gmail dot com

This is a different bug!

Bug 44945 is related to UTF-8 strings, and that bug is fixed. escapeshellarg() doesn't remove valid UTF-8 characters.

But escapeshellarg() removes ISO-8959-1 characters!

 [2013-02-03 23:54 UTC] me at paulofreitas dot me

Test script:
---------------
<?php

$filename = 'résumé.pdf';

var_dump(escapeshellarg($filename));
setlocale(LC_CTYPE, 'en_US.utf8');
var_dump(escapeshellarg($filename));

?>

Test result when executed from CLI:
---------------
string(14) "'résumé.pdf'"
string(14) "'résumé.pdf'"

Test result when executed from Apache:
---------------
// Executed from Apache
string(10) "'rsum.pdf'"
string(14) "'résumé.pdf'"

Which locale to use? Will it work cross-platform? Yeah, that's a very annoying unexpected behavior.

 [2015-02-03 07:01 UTC] yohgaki@php.net

-Operating System: All Debian and Ubuntu Versions
+Operating System: any
-PHP Version: 5.3.6
+PHP Version: any

 [2017-02-07 11:06 UTC] netvicious at gmail dot com

This bug seems to have been in limbo for a long time.

I got here looking for a solution, but it only guided me to find my own solution.

For me it worked with setlocale(LC_ALL, 'es_ES@euro'); it didn't work with setlocale(LC_ALL, 'es_ES@iso-8859-1') and others, but I think it should be a problem with the locales in the Linux configuration.

Run locale-gen on your machine, look at which locales you have installed, and use one of them.

 [2025-11-30 12:31 UTC] bukka@php.net

-Assigned To:
+Assigned To: bukka