Make quoting of cmd execution functions consistent

cmb69 · cmb69 · commit 9ca449e0a803 · 2020-02-17T23:17:17.000+01:00
While the `$command` passed to `proc_open()` had to be wrapped in
double-quotes manually, that was implicitly done for all other
program execution functions.  This could easily introduce bugs and
even security issues when switching from one to another program
execution function.

Furthermore we ensure that the additional quotes are always
unwrapped regardless of what is passed as `$command` by passing
the `/s` flag to cmd.exe.  As it was, `shell_exec('path with
spaces/program.exe')` did execute program.exe, but adding an
argument (`shell_exec('path with spaces/program.exe -h)`) failed
to execute program.exe, because cmd.exe stripped the additional
quotes.

While these changes obviously can cause BC breaks, we feel that in
the long run the benefits of having consistent behavior for all
program execution functions outweighs the drawbacks of potentially
breaking some code now.
diff --git a/NEWS b/NEWS
@@ -108,6 +108,7 @@ PHP                                                                        NEWS
     filter). (kkopachev)
   . Fixed bug #78385 (parse_url() does not include 'query' when question mark
     is the last char). (Islam Israfilov)
+  . Made quoting of cmd execution functions consistent. (cmb)
 
 - tidy:
   . Removed the unused $use_include_path parameter from tidy_repair_string().
diff --git a/TSRM/tsrm_win32.c b/TSRM/tsrm_win32.c
@@ -478,12 +478,12 @@ TSRM_API FILE *popen_ex(const char *command, const char *type, const char *cwd,
 		return NULL;
 	}
 
-	cmd = (char*)malloc(strlen(command)+strlen(TWG(comspec))+sizeof(" /c ")+2);
+	cmd = (char*)malloc(strlen(command)+strlen(TWG(comspec))+sizeof(" /s /c ")+2);
 	if (!cmd) {
 		return NULL;
 	}
 
-	sprintf(cmd, "%s /c \"%s\"", TWG(comspec), command);
+	sprintf(cmd, "%s /s /c \"%s\"", TWG(comspec), command);
 	cmdw = php_win32_cp_any_to_w(cmd);
 	if (!cmdw) {
 		free(cmd);
diff --git a/UPGRADING b/UPGRADING
@@ -472,6 +472,11 @@ PHP 8.0 UPGRADE NOTES
 12. Windows Support
 ========================================
 
+- Standard:
+  . Program execution functions (proc_open(), exec(), popen() etc.) using the
+    shell now consistently execute `%comspec% /s /c "$commandline"`, which has
+    the same effect as executing `$commandline` (without additional quotes).
+
 - php-test-pack:
   . The test runner has been renamed from run-test.php to run-tests.php, to
     match its name in php-src.
diff --git a/ext/standard/proc_open.c b/ext/standard/proc_open.c
@@ -953,13 +953,13 @@ PHP_FUNCTION(proc_open)
 		wchar_t *cmdw2;
 
 
-		len = (sizeof(COMSPEC_NT) + sizeof(" /c ") + tmp_len + 1);
+		len = (sizeof(COMSPEC_NT) + sizeof(" /s /c ") + tmp_len + 3);
 		cmdw2 = (wchar_t *)malloc(len * sizeof(wchar_t));
 		if (!cmdw2) {
 			php_error_docref(NULL, E_WARNING, "Command conversion failed");
 			goto exit_fail;
 		}
-		ret = _snwprintf(cmdw2, len, L"%hs /c %s", COMSPEC_NT, cmdw);
+		ret = _snwprintf(cmdw2, len, L"%hs /s /c \"%s\"", COMSPEC_NT, cmdw);
 
 		if (-1 == ret) {
 			free(cmdw2);

Original file line number	Diff line number	Diff line change
`@@ -478,12 +478,12 @@ TSRM_API FILE popen_ex(const char command, const char type, const char cwd,`
`478`	`478`	`return NULL;`
`479`	`479`	`}`
`480`	`480`
`481`		`- cmd = (char*)malloc(strlen(command)+strlen(TWG(comspec))+sizeof(" /c ")+2);`
	`481`	`+ cmd = (char*)malloc(strlen(command)+strlen(TWG(comspec))+sizeof(" /s /c ")+2);`
`482`	`482`	`if (!cmd) {`
`483`	`483`	`return NULL;`
`484`	`484`	`}`
`485`	`485`
`486`		`- sprintf(cmd, "%s /c \"%s\"", TWG(comspec), command);`
	`486`	`+ sprintf(cmd, "%s /s /c \"%s\"", TWG(comspec), command);`
`487`	`487`	`cmdw = php_win32_cp_any_to_w(cmd);`
`488`	`488`	`if (!cmdw) {`
`489`	`489`	`free(cmd);`