Symfony Process Component Argument Escaping Vulnerability on Windows via MSYS2

Vulnerability

A vulnerability exists in the Symfony Process component prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, where certain characters, particularly '=', were not properly escaped for Windows environments. This issue arises when PHP is run in an MSYS2-based shell, such as Git Bash, and the Process component is used to execute native Windows programs. The MSYS2 layer can misinterpret unquoted arguments with these characters, leading to corrupted or truncated paths. This flaw is critical when untrusted input can manipulate the arguments, potentially causing unintended file operations, including the deletion of important directories or files.

Impact

Exploitation of this vulnerability can result in severe file system damage, such as the accidental deletion of directories or files, especially if the path includes a '=' character, which triggers the argument corruption.

Reproduction

The vulnerability can be reproduced by using the Symfony Process component to run a command that includes a path with an unescaped '=' character while in a Git Bash environment. This can be done by creating a file with a name that includes '=', and then using the Process component to execute a command that references this file. The MSYS2 layer will misinterpret the '=' in the file path, leading to incorrect command execution.

Remediation

Users can upgrade to Symfony versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, or 8.0.5, where this issue has been fixed. For those using an earlier version, it's recommended to avoid running PHP from MSYS2-based shells on Windows and to refrain from passing paths with '=' or other sensitive characters to the Symfony Process component.
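The following is an added example, not code from Symfony or from this advisory, for teams that cannot upgrade immediately. It first probes whether the installed Process component still leaves an argument containing '=' unquoted on Windows (inspecting the escaped command line only, without running anything), then refuses to launch a native Windows program with such an argument when PHP is running inside an MSYS2-based shell. Two assumptions are made: that the fixed versions quote '='-bearing arguments, so an unquoted probe indicates a vulnerable version, and that MSYS2-based shells such as Git Bash export the MSYSTEM environment variable; the sample directory path is constructed.

```php
<?php
// Added example (not Symfony's own code): a guard for callers of the Symfony
// Process component on versions without the '=' escaping fix.

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\Process\Process;

/**
 * Returns true when the installed Process component emits an argument that
 * contains '=' without surrounding quotes on Windows, i.e. the unfixed
 * behaviour described in the advisory. Assumption: fixed versions quote such
 * arguments, so a quoted probe means "not vulnerable". On non-Windows hosts
 * the check is not meaningful and false is returned.
 */
function processLeavesEqualsUnquoted(): bool
{
    if (PHP_OS_FAMILY !== 'Windows') {
        return false;
    }
    // Constructed probe argument; only the escaped command line is inspected,
    // nothing is executed.
    $probe = new Process(['cmd', '/c', 'echo', 'name=value']);
    $cmdline = $probe->getCommandLine();

    return false !== strpos($cmdline, 'name=value')
        && false === strpos($cmdline, '"name=value"');
}

/**
 * Assumption: MSYS2-based shells (Git Bash, MSYS2 MinGW shells) export MSYSTEM,
 * while cmd.exe and PowerShell do not.
 */
function runningUnderMsys2(): bool
{
    return PHP_OS_FAMILY === 'Windows' && false !== getenv('MSYSTEM');
}

/**
 * Builds a Process for a native Windows program, rejecting any argument that a
 * vulnerable Process version would hand to the MSYS2 layer unquoted.
 *
 * @param string[] $command program followed by its arguments
 */
function safeWindowsProcess(array $command): Process
{
    if (runningUnderMsys2() && processLeavesEqualsUnquoted()) {
        foreach ($command as $arg) {
            if (false !== strpos($arg, '=')) {
                throw new \InvalidArgumentException(sprintf(
                    'Refusing to run %s: argument "%s" contains "=", which this '
                    . 'Symfony Process version leaves unquoted and MSYS2 may rewrite. '
                    . 'Upgrade Symfony or remove "=" from the path.',
                    $command[0],
                    $arg
                ));
            }
        }
    }

    return new Process($command);
}

// Usage: list a constructed directory whose name contains '=' (the class of
// path the advisory warns about). On a fixed Symfony version this simply runs;
// on a vulnerable version under Git Bash it throws instead of letting the path
// be corrupted.
$dir = 'C:\\tmp\\build=2024'; // constructed sample path
$process = safeWindowsProcess(['cmd', '/c', 'dir', $dir]);
$process->run();
echo $process->isSuccessful() ? $process->getOutput() : $process->getErrorOutput();
```

The probe deliberately errs on the safe side: if a fixed version were to escape '=' in some other way than double quotes, the guard would still refuse the argument rather than let it through, and the error message points at the upgrade as the real fix.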

Added: Jan 28, 2026, 9:24 PM
Updated: Jan 28, 2026, 9:24 PM

Vulnerability Rating

Custom Algorithm

Metric          Score
spread          0.0
impact          0.8
exploitability  4.0
remediation     0.0
relevance       2.4
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.