bug symfony#10479 [2.3][Process] Fix escaping on Windows (romainneutron)

fabpot · fabpot · commit 1e9e8afa5da7 · 2014-03-19T07:22:00.000+01:00
This PR was merged into the 2.3 branch. Discussion ---------- [2.3][Process] Fix escaping on Windows | Q | A | ------------- | --- | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | License | MIT Windows escaping is broken since the last merges. After digging more on Windows escaping, I realised some things: - We forbid environment variable expansion by escaping `%APPDATA%` to `^%"APPDATA"^%` - We explicitly ask for variable expansion at runtime (running the command line with the [`/V:ON`](https://github.com/symfony/symfony/blob/2.3/src/Symfony/Component/Process/Process.php#L235) flag). Running a command containing `!APPDATA!` will be escaped and expanded (our previous rule is easily overriden) - On platform that are not windows, we use strong escaping that prevents any variable expansion (`$PATH` will be escaped to `'$PATH'` that is not interpreted as the current PATH) We have three possibilities: - Keep this behavior as this. - Prefer a consistent API and use a strong escaping strategy everywhere, but it would result in a BC break (see symfony#8975). - Allow environment variable expansion and escape `%APPDATA%` to `"%APPDATA%"` Any thoughts about this ? Commits ------- 0f65f90 [Process] Fix escaping on Windows
diff --git a/src/Symfony/Component/Process/ProcessUtils.php b/src/Symfony/Component/Process/ProcessUtils.php
@@ -47,20 +47,18 @@ public static function escapeArgument($argument)
 
             $escapedArgument = '';
             $quote =  false;
-            foreach (preg_split('/([%"])/i', $argument, -1, PREG_SPLIT_NO_EMPTY | PREG_SPLIT_DELIM_CAPTURE) as $part) {
+            foreach (preg_split('/(")/i', $argument, -1, PREG_SPLIT_NO_EMPTY | PREG_SPLIT_DELIM_CAPTURE) as $part) {
                 if ('"' === $part) {
                     $escapedArgument .= '\\"';
-                } elseif ('%' === $part) {
-                    $escapedArgument .= '^%';
+                } elseif (self::isSurroundedBy($part, '%')) {
+                    // Avoid environment variable expansion
+                    $escapedArgument .= '^%"'.substr($part, 1, -1).'"^%';
                 } else {
+                    // escape trailing backslash
                     if ('\\' === substr($part, -1)) {
                         $part .= '\\';
                     }
-                    $part = escapeshellarg($part);
-                    if ('"' === $part[0] && '"' === $part[strlen($part) - 1]) {
-                        $part = substr($part, 1, -1);
-                        $quote = true;
-                    }
+                    $quote = true;
                     $escapedArgument .= $part;
                 }
             }
@@ -73,4 +71,9 @@ public static function escapeArgument($argument)
 
         return escapeshellarg($argument);
     }
+
+    private static function isSurroundedBy($arg, $char)
+    {
+        return 2 < strlen($arg) && $char === $arg[0] && $char === $arg[strlen($arg) - 1];
+    }
 }
diff --git a/src/Symfony/Component/Process/Tests/ProcessBuilderTest.php b/src/Symfony/Component/Process/Tests/ProcessBuilderTest.php
@@ -142,13 +142,13 @@ public function testPrefixIsPrependedToAllGeneratedProcess()
 
     public function testShouldEscapeArguments()
     {
-        $pb = new ProcessBuilder(array('%path%', 'foo " bar'));
+        $pb = new ProcessBuilder(array('%path%', 'foo " bar', '%baz%baz'));
         $proc = $pb->getProcess();
 
         if (defined('PHP_WINDOWS_VERSION_BUILD')) {
-            $this->assertSame('^%"path"^% "foo "\\"" bar"', $proc->getCommandLine());
+            $this->assertSame('^%"path"^% "foo \\" bar" "%baz%baz"', $proc->getCommandLine());
         } else {
-            $this->assertSame("'%path%' 'foo \" bar'", $proc->getCommandLine());
+            $this->assertSame("'%path%' 'foo \" bar' '%baz%baz'", $proc->getCommandLine());
         }
     }
 
diff --git a/src/Symfony/Component/Process/Tests/ProcessUtilsTest.php b/src/Symfony/Component/Process/Tests/ProcessUtilsTest.php
@@ -30,7 +30,7 @@ public function dataArguments()
                 array('"\"php\" \"-v\""', '"php" "-v"'),
                 array('"foo bar"', 'foo bar'),
                 array('^%"path"^%', '%path%'),
-                array('"<|>"\\"" "\\""\'f"', '<|>" "\'f'),
+                array('"<|>\\" \\"\'f"', '<|>" "\'f'),
                 array('""', ''),
                 array('"with\trailingbs\\\\"', 'with\trailingbs\\'),
             );

Original file line number	Diff line number	Diff line change
`@@ -142,13 +142,13 @@ public function testPrefixIsPrependedToAllGeneratedProcess()`
`142`	`142`
`143`	`143`	`public function testShouldEscapeArguments()`
`144`	`144`	`{`
`145`		`- $pb = new ProcessBuilder(array('%path%', 'foo " bar'));`
	`145`	`+ $pb = new ProcessBuilder(array('%path%', 'foo " bar', '%baz%baz'));`
`146`	`146`	`$proc = $pb->getProcess();`
`147`	`147`
`148`	`148`	`if (defined('PHP_WINDOWS_VERSION_BUILD')) {`
`149`		`- $this->assertSame('^%"path"^% "foo "\\"" bar"', $proc->getCommandLine());`
	`149`	`+ $this->assertSame('^%"path"^% "foo \\" bar" "%baz%baz"', $proc->getCommandLine());`
`150`	`150`	`} else {`
`151`		`- $this->assertSame("'%path%' 'foo \" bar'", $proc->getCommandLine());`
	`151`	`+ $this->assertSame("'%path%' 'foo \" bar' '%baz%baz'", $proc->getCommandLine());`
`152`	`152`	`}`
`153`	`153`	`}`
`154`	`154`