php · Girgias · Feb 25, 2023 · Feb 9, 2023 · Feb 19, 2023
diff --git a/Zend/tests/bug40236.phpt b/Zend/tests/bug40236.phpt
@@ -6,8 +6,8 @@ if (extension_loaded("readline")) die("skip Test doesn't support readline");
 ?>
 --FILE--
 <?php
-$php = getenv('TEST_PHP_EXECUTABLE');
-$cmd = "\"$php\" -n -d memory_limit=4M -a \"".__DIR__."\"/bug40236.inc";
+$php = getenv('TEST_PHP_EXECUTABLE_ESCAPED');
+$cmd = "$php -n -d memory_limit=4M -a \"".__DIR__."\"/bug40236.inc";
 echo `$cmd`;
 ?>
 --EXPECT--

diff --git a/Zend/tests/bug60978.phpt b/Zend/tests/bug60978.phpt
@@ -2,8 +2,7 @@
 Bug #60978 (exit code incorrect)
 --FILE--
 <?php
-$php = getenv('TEST_PHP_EXECUTABLE');
-exec($php . ' -n -r "exit(2);"', $output, $exit_code);
+exec(getenv('TEST_PHP_EXECUTABLE_ESCAPED') . ' -n -r "exit(2);"', $output, $exit_code);
 echo $exit_code;
 ?>
 --EXPECT--

diff --git a/ext/com_dotnet/tests/bug77578.phpt b/ext/com_dotnet/tests/bug77578.phpt
@@ -6,8 +6,8 @@ com_dotnet
 <?php
 // To actually be able to verify the crash during shutdown on Windows, we have
 // to execute a PHP subprocess, and check its exit status.
-$php = PHP_BINARY;
-$extension_dir = ini_get("extension_dir");
+$php = getenv('TEST_PHP_EXECUTABLE_ESCAPED');
+$extension_dir = escapeshellarg(ini_get("extension_dir"));
 $script = <<<SCRIPT
 if (!extension_loaded('com_dotnet')) dl('com_dotnet');
 ini_set('com.autoregister_typelib', '1');

@@ -1,8 +1,10 @@
 --TEST--
 GH-7902 (mb_send_mail may delimit headers with LF only)
+--EXTENSIONS--
+mbstring
 --SKIPIF--
 <?php
-if (!extension_loaded("mbstring")) die("skip mbstring extension not available");
+if (str_contains(getcwd(), " ")) die("skip sendmail_path ini with spaces");
 ?>
 --INI--
 sendmail_path={MAIL:{PWD}/gh7902.eml}

@@ -1,8 +1,10 @@
 --TEST--
 Bug #79971 (special character is breaking the path in xml function)
+--EXTENSIONS--
+simplexml
 --SKIPIF--
 <?php
-if (!extension_loaded('simplexml')) die('skip simplexml extension not available');
+if (str_contains(getcwd(), ' ')) die('skip simplexml already escapes the path with spaces so this test does not work');
 ?>
 --FILE--
 <?php

@@ -18,6 +18,7 @@ internal_encoding=utf-8
 $item = "bug74589_新建文件夹"; // utf-8 string
 $dir = __DIR__ . DIRECTORY_SEPARATOR . $item;
 $test_file = $dir . DIRECTORY_SEPARATOR . "test.php";
+$test_file_escaped = escapeshellarg($test_file);
 
 mkdir($dir);
 
@@ -27,9 +28,9 @@ file_put_contents($test_file,
     var_dump(__FILE__);
     var_dump(__DIR__ === __DIR__);");
 
-$php = getenv('TEST_PHP_EXECUTABLE');
+$php = getenv('TEST_PHP_EXECUTABLE_ESCAPED');
 
-echo shell_exec("$php -n $test_file");
+echo shell_exec("$php -n $test_file_escaped");
 
 ?>
 --EXPECTF--

@@ -6,22 +6,21 @@ output_handler=
 <?php
 
     $php = getenv('TEST_PHP_EXECUTABLE');
+    $php_escaped = getenv('TEST_PHP_EXECUTABLE_ESCAPED');
     $tmpfile = tempnam(__DIR__, 'phpt');
     $args = ' -n ';
 
     /* Regular Data Test */
-    passthru($php . $args . ' -r " echo \"HELLO\"; "');
+    passthru($php_escaped . $args . ' -r " echo \"HELLO\"; "');
 
     echo "\n";
 
     /* Binary Data Test */
-
+    $cmd = $php_escaped . $args . ' -r ' . escapeshellarg("readfile(@getenv('TEST_PHP_EXECUTABLE'));");
     if (substr(PHP_OS, 0, 3) != 'WIN') {
-        $cmd = $php . $args . ' -r \"readfile(@getenv(\'\\\'\'TEST_PHP_EXECUTABLE\'\\\'\')); \"';
-        $cmd = $php . $args . ' -r \' passthru("'.$cmd.'"); \' > '.$tmpfile ;
+        $cmd = $php_escaped . $args . ' -r ' . escapeshellarg('passthru("'.$cmd.'");') . ' > '.escapeshellarg($tmpfile);
     } else {
-        $cmd = $php . $args . ' -r \"readfile(@getenv(\\\\\\"TEST_PHP_EXECUTABLE\\\\\\")); \"';
-        $cmd = $php . $args . ' -r " passthru(\''.$cmd.'\');" > '.$tmpfile ;
+        $cmd = $php_escaped . $args . ' -r ' . "\"passthru('".addslashes($cmd)."');\"" . ' > '.escapeshellarg($tmpfile);
     }
     exec($cmd);
 

@@ -7,9 +7,9 @@ variables_order=E
 $out = array();
 $status = -1;
 if (substr(PHP_OS, 0, 3) != 'WIN') {
-    exec($_ENV['TEST_PHP_EXECUTABLE'].' -n -r \'for($i=1;$i<=5000;$i++) print "$i\n";\' | tr \'\n\' \' \'', $out, $status);
+    exec($_ENV['TEST_PHP_EXECUTABLE_ESCAPED'].' -n -r \'for($i=1;$i<=5000;$i++) print "$i\n";\' | tr \'\n\' \' \'', $out, $status);
 } else {
-    exec($_ENV['TEST_PHP_EXECUTABLE'].' -n -r "for($i=1;$i<=5000;$i++) echo $i,\' \';"', $out, $status);
+    exec($_ENV['TEST_PHP_EXECUTABLE_ESCAPED'].' -n -r "for($i=1;$i<=5000;$i++) echo $i,\' \';"', $out, $status);
 }
 print_r($out);
 ?>

@@ -4,7 +4,7 @@ Bug #26938 (exec does not read consecutive long lines correctly)
 <?php
 $out = array();
 $status = -1;
-$php = getenv('TEST_PHP_EXECUTABLE');
+$php = getenv('TEST_PHP_EXECUTABLE_ESCAPED');
 if (substr(PHP_OS, 0, 3) != 'WIN') {
     exec($php . ' -n -r \''
          . '$lengths = array(10,20000,10000,5,10000,3);'

@@ -2,7 +2,7 @@
 Bug #60120 (proc_open hangs when data in stdin/out/err is getting larger or equal to 2048)
 --SKIPIF--
 <?php
-$php = getenv('TEST_PHP_EXECUTABLE');
+$php = getenv('TEST_PHP_EXECUTABLE_ESCAPED');
 if (!$php) {
     die("skip No php executable defined\n");
 }
@@ -12,11 +12,8 @@ if (!$php) {
 
 error_reporting(E_ALL);
 
-$php = getenv('TEST_PHP_EXECUTABLE');
-if (!$php) {
-    die("No php executable defined\n");
-}
-$cmd = 'php -r "fwrite(STDOUT, $in = file_get_contents(\'php://stdin\')); fwrite(STDERR, $in);"';
+$php = getenv('TEST_PHP_EXECUTABLE_ESCAPED');
+$cmd = $php . ' -r "fwrite(STDOUT, $in = file_get_contents(\'php://stdin\')); fwrite(STDERR, $in);"';
 $descriptors = array(array('pipe', 'r'), array('pipe', 'w'), array('pipe', 'w'));
 $stdin = str_repeat('*', 2049 );
 

@@ -24,7 +24,8 @@ var_dump(rmdir("./mkdir-002"));
 var_dump(mkdir(__DIR__."/mkdir-002", 0777));
 var_dump(mkdir(__DIR__."/mkdir-002/subdir", 0777));
 $dirname = __DIR__."/mkdir-002";
-var_dump(`ls -l $dirname`);
+$dirname_escaped = escapeshellarg($dirname);
+var_dump(`ls -l $dirname_escaped`);
 var_dump(rmdir(__DIR__."/mkdir-002/subdir"));
 var_dump(rmdir(__DIR__."/mkdir-002"));
 

@@ -16,15 +16,16 @@ echo "-- Testing popen(): reading from the pipe --\n";
 $dirpath = $file_path."/popen_basic";
 mkdir($dirpath);
 touch($dirpath."/popen_basic.tmp");
-define('CMD', "ls $dirpath");
+define('CMD', "ls " . escapeshellarg($dirpath));
 $file_handle = popen(CMD, 'r');
 fpassthru($file_handle);
 pclose($file_handle);
 
 echo "-- Testing popen(): reading from a file using 'cat' command --\n";
 create_files($dirpath, 1, "text_with_new_line", 0755, 100, "w", "popen_basic", 1, "bytes");
 $filename = $dirpath."/popen_basic1.tmp";
-$command = "cat $filename";
+$filename_escaped = escapeshellarg($filename);
+$command = "cat $filename_escaped";
 $file_handle = popen($command, "r");
 $return_value =  fpassthru($file_handle);
 echo "\n";

@@ -4,7 +4,7 @@ proc_open() regression test 1 (proc_open() leak)
 <?php
 $pipes = array(1, 2, 3);
 $orig_pipes = $pipes;
-$php = getenv('TEST_PHP_EXECUTABLE');
+$php = getenv('TEST_PHP_EXECUTABLE_ESCAPED');
 if ($php === false) {
     die("no php executable defined");
 }

@@ -49,7 +49,7 @@ CODE;
 $code_fn = "code.php";
 file_put_contents($code_fn, $code);
 
-print(shell_exec(getenv('TEST_PHP_EXECUTABLE') . " -n -d default_charset=cp1251 -f code.php"));
+print(shell_exec(getenv('TEST_PHP_EXECUTABLE_ESCAPED') . " -n -d default_charset=cp1251 -f code.php"));
 
 chdir($old_cwd);
 

@@ -47,7 +47,7 @@ CODE;
 $code_fn = "code.php";
 file_put_contents($code_fn, $code);
 
-print(shell_exec(getenv('TEST_PHP_EXECUTABLE') . " -nf code.php"));
+print(shell_exec(getenv('TEST_PHP_EXECUTABLE_ESCAPED') . " -nf code.php"));
 
 chdir($old_cwd);
 

@@ -24,7 +24,7 @@ SCRIPT;
 $script = __DIR__ . DIRECTORY_SEPARATOR . "arginfo.php";
 file_put_contents($script, $helper_script);
 
-$cmd =  PHP_BINARY . " " . $script . " "  . escapeshellarg($a) . " " . escapeshellarg($b);
+$cmd = getenv('TEST_PHP_EXECUTABLE_ESCAPED') . " " . escapeshellarg($script) . " "  . escapeshellarg($a) . " " . escapeshellarg($b);
 
 system($cmd);
 

@@ -5,9 +5,10 @@ Bug #70018 (exec does not strip all whitespace)
 $output = array();
 
 $test_fl = __DIR__ . DIRECTORY_SEPARATOR . md5(uniqid());
+$test_fl_escaped = escapeshellarg($test_fl);
 file_put_contents($test_fl, '<?php echo "abc\f\n \n";');
 
-exec(PHP_BINARY . " -n $test_fl", $output);
+exec(getenv('TEST_PHP_EXECUTABLE_ESCAPED') . " -n $test_fl_escaped", $output);
 
 var_dump($output);
 

@@ -7,9 +7,10 @@ if (!function_exists("proc_open")) echo "skip proc_open() is not available";
 --FILE--
 <?php
 
-$php = PHP_BINARY;
+$php = getenv('TEST_PHP_EXECUTABLE_ESCAPED');
 
 $f = __DIR__ . DIRECTORY_SEPARATOR . "proc_only_mb0.php";
+$f_escaped = escapeshellarg($f);
 file_put_contents($f,'<?php var_dump($argv); ?>');
 
 $ds = array(
@@ -19,7 +20,7 @@ $ds = array(
         );
 
 $p = proc_open(
-        "$php -n $f テストマルチバイト・パス füße карамба",
+        "$php -n $f_escaped テストマルチバイト・パス füße карамба",
         $ds,
         $pipes,
         NULL,

@@ -7,9 +7,10 @@ if (!function_exists("proc_open")) echo "skip proc_open() is not available";
 --FILE--
 <?php
 
-$php = PHP_BINARY;
+$php = getenv('TEST_PHP_EXECUTABLE_ESCAPED');
 
 $f = __DIR__ . DIRECTORY_SEPARATOR . "proc_only_mb1.php";
+$f_escaped = escapeshellarg($f);
 file_put_contents($f,'<?php var_dump($argv); ?>');
 
 $ds = array(
@@ -19,7 +20,7 @@ $ds = array(
         );
 
 $p = proc_open(
-        "$php -n $f テストマルチバイト・パス füße карамба",
+        "$php -n $f_escaped テストマルチバイト・パス füße карамба",
         $ds,
         $pipes
         );

@@ -7,8 +7,8 @@ for ($i = 3; $i<= 30; $i++) {
     $spec[$i] = array('pipe', 'w');
 }
 
-$php = getenv("TEST_PHP_EXECUTABLE");
-$callee = __DIR__ . "/proc_open_pipes_sleep.inc";
+$php = getenv("TEST_PHP_EXECUTABLE_ESCAPED");
+$callee = escapeshellarg(__DIR__ . "/proc_open_pipes_sleep.inc");
 proc_open("$php -n $callee", $spec, $pipes);
 
 var_dump(count($spec));

@@ -5,8 +5,8 @@ proc_open() with no pipes
 
 $spec = array();
 
-$php = getenv("TEST_PHP_EXECUTABLE");
-$callee = __DIR__ . "/proc_open_pipes_sleep.inc";
+$php = getenv("TEST_PHP_EXECUTABLE_ESCAPED");
+$callee = escapeshellarg(__DIR__ . "/proc_open_pipes_sleep.inc");
 proc_open("$php -n $callee", $spec, $pipes);
 
 var_dump(count($spec));

@@ -7,25 +7,26 @@ for ($i = 3; $i<= 5; $i++) {
     $spec[$i] = array('pipe', 'w');
 }
 
-$php = getenv("TEST_PHP_EXECUTABLE");
+$php = getenv("TEST_PHP_EXECUTABLE_ESCAPED");
 $callee = __DIR__ . "/proc_open_pipes_sleep.inc";
+$callee_escaped = escapeshellarg($callee);
 
 $spec[$i] = array('pi');
-proc_open("$php -n $callee", $spec, $pipes);
+proc_open("$php -n $callee_escaped", $spec, $pipes);
 
 $spec[$i] = 1;
 try {
-    proc_open("$php -n $callee", $spec, $pipes);
+    proc_open("$php -n $callee_escaped", $spec, $pipes);
 } catch (ValueError $exception) {
     echo $exception->getMessage() . "\n";
 }
 
 $spec[$i] = array('pipe', "test");
-proc_open("$php -n $callee", $spec, $pipes);
+proc_open("$php -n $callee_escaped", $spec, $pipes);
 var_dump($pipes);
 
 $spec[$i] = array('file', "test", "z");
-proc_open("$php -n $callee", $spec, $pipes);
+proc_open("$php -n $callee_escaped", $spec, $pipes);
 var_dump($pipes);
 
 echo "END\n";

@@ -3,14 +3,14 @@ php_ini_loaded_file() function
 --FILE--
 <?php
     $inifile = __DIR__.DIRECTORY_SEPARATOR.'loaded.ini';
-    $php = '"'.getenv('TEST_PHP_EXECUTABLE').'"';
+    $php = getenv('TEST_PHP_EXECUTABLE_ESCAPED');
     $code = '"var_dump(php_ini_loaded_file());"';
 
     // No ini file
     passthru($php.' -n -r '.$code);
 
     // Specified ini file
-    passthru($php.' -c "'.$inifile.'" -r '.$code);
+    passthru($php.' -c '.escapeshellarg($inifile).' -r '.$code);
 ?>
 --EXPECTREGEX--
 bool\(false\)

@@ -3,7 +3,7 @@ php_ini_scanned_files() function
 --FILE--
 <?php
     $inifile = __DIR__.DIRECTORY_SEPARATOR.'loaded.ini';
-    $php = sprintf('"%s" -c "%s"', getenv('TEST_PHP_EXECUTABLE'), $inifile);
+    $php = sprintf('%s -c %s', getenv('TEST_PHP_EXECUTABLE_ESCAPED'), escapeshellarg($inifile));
     $scandir = __DIR__.DIRECTORY_SEPARATOR.'scandir';
 
     // Empty env value disables any config option

@@ -3,7 +3,7 @@ Bug #79410 (system() swallows last chunk if it is exactly 4095 bytes without new
 --FILE--
 <?php
 ob_start();
-system(getenv('TEST_PHP_EXECUTABLE') . ' -n -r "echo str_repeat(\".\", 4095);"');
+system(getenv('TEST_PHP_EXECUTABLE_ESCAPED') . ' -n -r "echo str_repeat(\".\", 4095);"');
 var_dump(strlen(ob_get_clean()));
 ?>
 --EXPECT--

@@ -2,17 +2,16 @@
 Bug #46024 stream_select() doesn't return the correct number
 --SKIPIF--
 <?php
-if (!getenv('TEST_PHP_EXECUTABLE')) die("skip TEST_PHP_EXECUTABLE not defined");
+if (!getenv('TEST_PHP_EXECUTABLE_ESCAPED')) die("skip TEST_PHP_EXECUTABLE_ESCAPED not defined");
 // Terminating the process may cause a bailout while writing out the phpinfo,
 // which may leak a temporary hash table. This does not seems worth fixing.
 if (getenv('SKIP_ASAN')) die("skip Test may leak");
 ?>
 --FILE--
 <?php
-$php = realpath(getenv('TEST_PHP_EXECUTABLE'));
 $pipes = array();
 $proc = proc_open(
-    "$php -n -i"
+    getenv('TEST_PHP_EXECUTABLE_ESCAPED') . " -n -i"
     ,array(0 => array('pipe', 'r'), 1 => array('pipe', 'w'))
     ,$pipes, __DIR__, array(), array()
 );

@@ -17,6 +17,7 @@ server
 
 $srv_addr = "tcp://127.0.0.1:8964";
 $srv_fl = __DIR__ . "/bug70198_svr_" . md5(uniqid()) . ".php";
+$srv_fl_escaped = escapeshellarg($srv_fl);
 $srv_fl_cont = <<<SRV
 <?php
 \$socket = stream_socket_server('$srv_addr', \$errno, \$errstr);
@@ -35,7 +36,7 @@ if (!\$socket) {
 SRV;
 file_put_contents($srv_fl, $srv_fl_cont);
 $dummy0 = $dummy1 = array();
-$srv_proc = proc_open(PHP_BINARY . " -n $srv_fl", $dummy0, $dummy1);
+$srv_proc = proc_open(getenv('TEST_PHP_EXECUTABLE_ESCAPED') . " -n $srv_fl_escaped", $dummy0, $dummy1);
 
 $i = 0;
 /* wait a bit for the server startup */