diff options
| author | Stanislav Malyshev <stas@php.net> | 2015-06-09 21:37:17 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2015-06-09 21:37:17 -0700 |
| commit | 563462fbf8c45c5fe54c6b215d6ec76b5b3f867c (patch) | |
| tree | d43b03d2cbd421fd2d127a4961df069db397955f /ext/standard/exec.c | |
| parent | e4aa5c0510fb3c8b41eb8a999105368599240214 (diff) | |
| download | php-git-563462fbf8c45c5fe54c6b215d6ec76b5b3f867c.tar.gz | |
Fixed bug #69646 (OS command injection vulnerability in escapeshellarg)
Diffstat (limited to 'ext/standard/exec.c')
| -rw-r--r-- | ext/standard/exec.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/ext/standard/exec.c b/ext/standard/exec.c index 71dfc7c361..60fd7ba1aa 100644 --- a/ext/standard/exec.c +++ b/ext/standard/exec.c @@ -383,6 +383,14 @@ PHPAPI zend_string *php_escape_shell_arg(char *str) } } #ifdef PHP_WIN32 + if (y > 0 && '\\' == cmd->val[y - 1]) { + int k = 0, n = y - 1; + for (; n >= 0 && '\\' == cmd->val[n]; n--, k++); + if (k % 2) { + cmd->val[y++] = '\\'; + } + } + cmd->val[y++] = '"'; #else cmd->val[y++] = '\''; |