Reject null bytes in quote arguments

Author: antonmedv

src/functions.php

@@ -998,6 +998,9 @@ function quote(string|int $arg): string
     if ($arg === '') {
         return "\$''";
     }
+    if (str_contains($arg, "\0")) {
+        throw new \InvalidArgumentException('quote(): null byte is not allowed in shell arguments');
+    }
     if (preg_match('/^[\w\/.\-+@:=,%]+$/', $arg)) {
         return $arg;
     }
@@ -1009,7 +1012,6 @@ function quote(string|int $arg): string
         "\r" => '\\r',
         "\t" => '\\t',
         "\v" => '\\v',
-        "\0" => '\\0',
     ]) . "'";
 }
 

tests/src/QuoteTest.php

@@ -60,7 +60,6 @@ public static function unsafeStringsProvider(): array
             'carriage return' => ["line1\rline2", "\$'line1\\rline2'"],
             'form feed' => ["page\fbreak", "\$'page\\fbreak'"],
             'vertical tab' => ["vert\vtab", "\$'vert\\vtab'"],
-            'null byte' => ["null\0byte", "\$'null\\0byte'"],
             'semicolon' => ['cmd; rm -rf /', "\$'cmd; rm -rf /'"],
             'pipe' => ['a | b', "\$'a | b'"],
             'ampersand' => ['a & b', "\$'a & b'"],
@@ -85,11 +84,17 @@ public function testMultipleEscapes()
 
     public function testAllSpecialCharsAtOnce()
     {
-        $input = "'\\\f\n\r\t\v\0";
-        $expected = "\$'\\'\\\\\\f\\n\\r\\t\\v\\0'";
+        $input = "'\\\f\n\r\t\v";
+        $expected = "\$'\\'\\\\\\f\\n\\r\\t\\v'";
         self::assertEquals($expected, quote($input));
     }
 
+    public function testNullByteRejected()
+    {
+        $this->expectException(\InvalidArgumentException::class);
+        quote("null\0byte");
+    }
+
     public function testUnicodeContent()
     {
         self::assertEquals("\$'héllo wörld'", quote('héllo wörld'));