From a621781fdb733167f37027f02bf612696f892d07 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmb@php.net>
Date: Wed, 24 Jun 2015 00:15:55 +0200
Subject: Fixed bug #69768 (escapeshell*() doesn't cater to !)

When delayed variable substitution is enabled (can be set in the
Registry, for instance), !ENV! works similar to %ENV%, and so ! should
be escaped like %.
---
 ext/standard/exec.c                                                  | 4 +++-
 ext/standard/tests/general_functions/escapeshellarg_basic-win32.phpt | 2 ++
 ext/standard/tests/general_functions/escapeshellcmd-win32.phpt       | 5 ++++-
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/ext/standard/exec.c b/ext/standard/exec.c
index d0b1e01e16..aa487351ca 100644
--- a/ext/standard/exec.c
+++ b/ext/standard/exec.c
@@ -281,9 +281,10 @@ PHPAPI char *php_escape_shell_cmd(char *str)
 				break;
 #else
 			/* % is Windows specific for enviromental variables, ^%PATH% will 
-				output PATH whil ^%PATH^% not. escapeshellcmd will escape all %.
+				output PATH while ^%PATH^% will not. escapeshellcmd will escape all % and !.
 			*/
 			case '%':
+			case '!':
 			case '"':
 			case '\'':
 #endif
@@ -366,6 +367,7 @@ PHPAPI char *php_escape_shell_arg(char *str)
 #ifdef PHP_WIN32
 		case '"':
 		case '%':
+		case '!':
 			cmd[y++] = ' ';
 			break;
 #else
diff --git a/ext/standard/tests/general_functions/escapeshellarg_basic-win32.phpt b/ext/standard/tests/general_functions/escapeshellarg_basic-win32.phpt
index 888005633d..d97c1a956b 100644
--- a/ext/standard/tests/general_functions/escapeshellarg_basic-win32.phpt
+++ b/ext/standard/tests/general_functions/escapeshellarg_basic-win32.phpt
@@ -18,6 +18,7 @@ echo "Simple testcase for escapeshellarg() function\n";
 var_dump(escapeshellarg("Mr O'Neil"));
 var_dump(escapeshellarg("Mr O\'Neil"));
 var_dump(escapeshellarg("%FILENAME"));
+var_dump(escapeshellarg("!FILENAME"));
 var_dump(escapeshellarg(""));
 
 echo "Done\n";
@@ -27,5 +28,6 @@ Simple testcase for escapeshellarg() function
 string(11) ""Mr O'Neil""
 string(12) ""Mr O\'Neil""
 string(11) "" FILENAME""
+string(11) "" FILENAME""
 string(2) """"
 Done
\ No newline at end of file
diff --git a/ext/standard/tests/general_functions/escapeshellcmd-win32.phpt b/ext/standard/tests/general_functions/escapeshellcmd-win32.phpt
index 9fcb99188c..7d2a029b47 100644
--- a/ext/standard/tests/general_functions/escapeshellcmd-win32.phpt
+++ b/ext/standard/tests/general_functions/escapeshellcmd-win32.phpt
@@ -17,7 +17,8 @@ $data = array(
 	'%^',
 	'#&;`|*?',
 	'~<>\\',
-	'%NOENV%'
+	'%NOENV%',
+	'!NOENV!'
 );
 
 $count = 1;
@@ -46,4 +47,6 @@ string(14) "^#^&^;^`^|^*^?"
 string(8) "^~^<^>^\"
 -- Test 8 --
 string(9) "^%NOENV^%"
+-- Test 9 --
+string(9) "^!NOENV^!"
 Done
-- 
cgit v1.2.1