}
/* }}} */
-/* {{{ php_get_index
- */
-static int php_get_index(char *s, char c)
-{
- register int x;
-
- for (x = 0; s[x]; x++)
- if (s[x] == c)
- return x;
-
- return -1;
-}
-/* }}} */
-
/* {{{ php_escape_shell_cmd
Escape all chars that could possibly be used to
break out of a shell command
*NOT* safe for binary strings
*/
-char * php_escape_shell_cmd(char *str) {
+char *php_escape_shell_cmd(char *str) {
register int x, y, l;
char *cmd;
l = strlen(str);
cmd = emalloc(2 * l + 1);
- strcpy(cmd, str);
- for (x = 0; cmd[x]; x++) {
- if (php_get_index("#&;`'\"|*?~<>^()[]{}$\\\x0A\xFF", cmd[x]) != -1) {
- for (y = l + 1; y > x; y--)
- cmd[y] = cmd[y - 1];
- l++; /* length has been increased */
- cmd[x] = '\\';
- x++; /* skip the character */
+
+ for (x = 0, y = 0; x < l; x++) {
+ switch (str[x]) {
+ case '#': /* This is character-set independent */
+ case '&':
+ case ';':
+ case '`':
+ case '\'':
+ case '"':
+ case '|':
+ case '*':
+ case '?':
+ case '~':
+ case '<':
+ case '>':
+ case '^':
+ case '(':
+ case ')':
+ case '[':
+ case ']':
+ case '{':
+ case '}':
+ case '$':
+ case '\\':
+ case '\x0A': /* excluding these two */
+ case '\xFF':
+ cmd[y++] = '\\';
+ /* fall-through */
+ default:
+ cmd[y++] = str[x];
+
}
}
+ cmd[y] = '\0';
return cmd;
}
/* }}} */
/* {{{ php_escape_shell_arg
*/
-char * php_escape_shell_arg(char *str) {
- register int x, y, l;
+char *php_escape_shell_arg(char *str) {
+ int x, y, l;
char *cmd;
+ y = 0;
l = strlen(str);
- cmd = emalloc(4 * l + 3);
- cmd[0] = '\'';
- strcpy(cmd+1, str);
- l++;
-
- for (x = 1; cmd[x]; x++) {
- if (cmd[x] == '\'') {
- for (y = l + 3; y > x+1; y--) {
- cmd[y] = cmd[y - 3];
- }
- cmd[++x] = '\\';
- cmd[++x] = '\'';
- cmd[++x] = '\'';
- l+=3; /* length was increased by 3 */
+
+ cmd = emalloc(4 * l + 3); /* worst case */
+
+ cmd[y++] = '\'';
+
+ for (x = 0; x < l; x++) {
+ switch (str[x]) {
+ case '\'':
+ cmd[y++] = '\'';
+ cmd[y++] = '\\';
+ cmd[y++] = '\'';
+ /* fall-through */
+ default:
+ cmd[y++] = str[x];
}
}
- cmd[l++] = '\'';
- cmd[l] = '\0';
+ cmd[y++] = '\'';
+ cmd[y] = '\0';
return cmd;
}
/* }}} */
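Review bot: The buffer sizes in both rewritten functions are still computed in `int`: `l = strlen(str)` narrows a `size_t`, and `2 * l + 1` in php_escape_shell_cmd and `4 * l + 3` in php_escape_shell_arg can overflow for very long input, so `emalloc` may return a buffer smaller than what the copy loop then writes through `cmd[y++]`. Because these functions exist to process untrusted strings, the length and both indices should be `size_t` and the allocation overflow-checked, e.g. `size_t x, y = 0, l = strlen(str);` with `cmd = safe_emalloc(2, l, 1);` and `cmd = safe_emalloc(4, l, 3);` if that helper is available in this tree (not visible here), or an explicit `if (l > (SIZE_MAX - 3) / 4)` rejection before allocating otherwise. Separately, the two inline comments `/* This is character-set independent */` and `/* excluding these two */` are hard to read where they sit; presumably they mean the listed characters are character-set independent except `\x0A` and `\xFF`, and a single comment above the `case` list saying so would be clearer.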