Console\Input\StringInput doesn't handle escaped single quotes correctly

[bohwaz]

Symfony version(s) affected: 2.8-4.3

Description

Symfony\Component\Console\Input\StringInput doesn't work with arguments escaped by escapeshellarg.

escapeshellarg on a string with single quotes will produce a closing single quote, an escaped single quote and an opening single quote:

$arg = 'Jenny\'s';
print($arg . PHP_EOL);
// Jenny's
print(escapeshellarg($arg) . PHP_EOL);
// Jenny'\''s

This is correct as per bash documentation: https://www.gnu.org/savannah-checkouts/gnu/bash/manual/bash.html#Single-Quotes

A single quote may not occur between single quotes, even when preceded by a backslash.

But this breaks StringInput as it breaks up the string in multiple tokens.

How to reproduce

$arg = escapeshellarg('Jenny\'s');
$cmd = 'command --arg=' . $arg;

var_dump($cmd);
var_dump(StringInput::tokenize($cmd));

Output:

string(26) "command --arg='Jenny'\''s'"
string(26) "command --arg='Jenny'\''s'"
array(4) {
  [0]=>
  string(7) "command"
  [1]=>
  string(11) "--arg=Jenny"
  [2]=>
  string(1) "\"
  [3]=>
  string(1) "s"
}

Possible Solution

StringInput should handle escaped characters outside of single quotes part of the string.

[nicolas-grekas]

That's not StringInput's job: the shell should have already parsed the string so that PHP/StringInput should be given the already resolved string. What you describe is not what StringInput::tokenize() is for.

[bohwaz]

That's not what StringInputTest suggests?

    public function testToString()
    {
        $input = new StringInput('-f foo');
        $this->assertEquals('-f foo', (string) $input);

        $input = new StringInput('-f --bar=foo "a b c d"');
        $this->assertEquals('-f --bar=foo '.escapeshellarg('a b c d'), (string) $input);

        $input = new StringInput('-f --bar=foo \'a b c d\' '."'A\nB\\'C'");
        $this->assertEquals('-f --bar=foo '.escapeshellarg('a b c d').' '.escapeshellarg("A\nB'C"), (string) $input);
    }

[Chi-teck]

I've got a similar issue without using escapeshellarg.
echo new StringInput('--foo="bar"'); prints --for=bar instead of --foo="bar".
That causes a problem when you pass encoded JSON string as command line argument.

[carsonbot]

Hey, thanks for your report!
There has not been a lot of activity here for a while. Is this bug still relevant? Have you managed to find a workaround?

[bohwaz]

Hey, thanks for your report!
There has not been a lot of activity here for a while. Is this bug still relevant? Have you managed to find a workaround?

Yes, still relevant.

[carsonbot]

Hey, thanks for your report!
There has not been a lot of activity here for a while. Is this bug still relevant? Have you managed to find a workaround?

[bohwaz]

Yes, still relevant, stop trying to avoid issues.

[wouterj]

@bohwaz are you up to fixing the issue?

[nicolas-grekas]

@Chi-teck the issue is on your side: you need to escape the json content. Eg echo new StringInput('--foo=\'"bar"\'');

@bohwaz see #45088