From: Tim Starling
Date: Mon, 6 Feb 2006 23:50:45 +0000 (+0000)
Subject: Proper windows escaping in wfEscapeShellArg()
X-Git-Tag: 1.6.0~364
X-Git-Url: http://git.cyclocoop.org/%22.htmlspecialchars%28%24url_syndic%29.%22?a=commitdiff_plain;h=2fc449004986ad078c7aabd3e42ee0063f46c470;p=lhc%2Fweb%2Fwiklou.git

Proper windows escaping in wfEscapeShellArg()
---

diff --git a/includes/GlobalFunctions.php b/includes/GlobalFunctions.php
index 7a46e5a301..f5e6486ac2 100644
--- a/includes/GlobalFunctions.php
+++ b/includes/GlobalFunctions.php
@@ -956,7 +956,28 @@ function wfEscapeShellArg( ) {
 }
 if ( wfIsWindows() ) {
- $retVal .= '"' . str_replace( '"','\"', $arg ) . '"';
+ // Escaping for an MSVC-style command line parser
+ // Ref: http://mailman.lyra.org/pipermail/scite-interest/2002-March/000436.html
+ // Double the backslashes before any double quotes. Escape the double quotes.
+ $tokens = preg_split( '/(\\\\*")/', $arg, -1, PREG_SPLIT_DELIM_CAPTURE );
+ $arg = '';
+ $delim = false;
+ foreach ( $tokens as $token ) {
+ if ( $delim ) {
+ $arg .= str_replace( '\\', '\\\\', substr( $token, 0, -1 ) ) . '\\"';
+ } else {
+ $arg .= $token;
+ }
+ $delim = !$delim;
+ }
+ // Double the backslashes before the end of the string, because
+ // we will soon add a quote
+ if ( preg_match( '/^(.*?)(\\\\+)$/', $arg, $m ) ) {
+ $arg = $m[1] . str_replace( '\\', '\\\\', $m[2] );
+ }
+
+ // Add surrounding quotes
+ $retVal .= '"' . $arg . '"';
 } else {
 $retVal .= escapeshellarg( $arg );
 }
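Review bot: The trailing-backslash check `preg_match( '/^(.*?)(\\\\+)$/', $arg, $m )` carries no `s` or `D` modifier, so it breaks for arguments that contain a newline. With an embedded newline `.` cannot cross it, the match fails, and the trailing backslashes stay undoubled, which leaves the closing `"` escaped instead of terminating the argument; with a newline at the very end, `$` matches before it and the rebuilt `$arg` silently drops that newline. Anchoring on the true end of the subject covers both cases: `if ( preg_match( '/^(.*?)(\\\\+)\z/s', $arg, $m ) ) {`. Separately, the new comment scopes the rules to an MSVC-style argv parser; if the resulting string is handed to cmd.exe (not visible in this hunk), cmd's own quote tracking and `%VAR%` expansion are not covered, and a comment stating that limit would help callers. wfEscapeShellArg() starts and ends outside the hunk.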