Fix #78569: proc_open() may require extra quoting

git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@349245 c90b9560-bf6c-de11-be94-00142212c4b1
2025-03-17 01:18:55 +00:00 · 2020-02-21 08:39:06 +00:00 · 2020-02-21 08:39:06 +00:00 · 58a26b846d
commit 58a26b846d
parent 0a116512ac
1 changed files with 51 additions and 0 deletions
--- a/reference/exec/functions/proc-open.xml
+++ b/reference/exec/functions/proc-open.xml
@ -49,6 +49,20 @@
      <para>
       The command to execute
      </para>
+      <note>
+       <simpara>
+        On <emphasis>Windows</emphasis>, unless <literal>bypass_shell</literal> is set to &true; in
+        <parameter>other_options</parameter>, the <parameter>cmd</parameter> is
+        passed to <command>cmd.exe</command> (actually, <literal>%ComSpec%</literal>)
+        with the <literal>/c</literal> flag as <emphasis>unquoted</emphasis> string
+        (i.e. exactly as has been given to <function>proc_open</function>).
+        This can cause <command>cmd.exe</command> to remove enclosing quotes from
+        <parameter>cmd</parameter> (for details see the <command>cmd.exe</command> documentation),
+        resulting in unexpected, and potentially even dangerous behavior, because
+        <command>cmd.exe</command> error messages may contain (parts of) the passed
+        <parameter>cmd</parameter> (see example below).
+       </simpara>
+      </note>
     </listitem>
    </varlistentry>
    <varlistentry>
@ -250,6 +264,43 @@ command returned 0
   </example>
  </para>

+  <para>
+   <example>
+    <title><function>proc_open</function> quirk on Windows</title>
+    <simpara>
+     While one may expect the following program to search the file
+     <filename>filename.txt</filename> for the text <literal>search</literal> and
+     to print the results, it behaves rather differently.
+    </simpara>
+    <programlisting role="php">
+<![CDATA[
+<?php
+$descriptorspec = [STDIN, STDOUT, STDOUT];
+$cmd = '"findstr" "search" "filename.txt"';
+$proc = proc_open($cmd, $descriptorspec, $pipes);
+proc_close($proc);
+?>
+]]>
+    </programlisting>
+    &example.outputs;
+    <screen>
+<![CDATA[
+'findstr" "search" "filename.txt' is not recognized as an internal or external command,
+operable program or batch file.
+]]>
+    </screen>
+    <simpara>
+     To work around that behavior, it is usually sufficient to enclose the
+     <parameter>cmd</parameter> in additional quotes:
+    </simpara>
+    <programlisting role="php">
+<![CDATA[
+$cmd = '""findstr" "search" "filename.txt""';
+]]>
+    </programlisting>
+   </example>
+  </para>
+
 <!-- ptys are currently disabled
  <para>
   <example>