Deployer v8 replaces PHP's escapeshellarg() function with a new quote() function due to critical security and functionality issues. The main problem is that escapeshellarg() silently strips non-printable characters in non-UTF-8 locales, potentially altering user input without warning. This has been a known issue for over a decade and affects deployments across multiple servers with varying locale configurations.
Background
PHP's escapeshellarg() function is commonly used to safely pass user input to shell commands by escaping special characters. However, it has long-standing issues with character encoding handling in different locale environments.
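The following is an added example, not Deployer's quote() and not code from the original page: it passes one argument through a real shell under a non-UTF-8 locale, once quoted with escapeshellarg() and once with a byte-level single-quote escaper, and reports whether the bytes arrived unchanged. The names quote_arg and roundtrip are hypothetical, the input string is constructed, and a POSIX sh is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not Deployer's quote()): POSIX single-quote escaping
// performed on raw bytes, so the result does not depend on LC_CTYPE.
function quote_arg(string $arg): string
{
    // A NUL byte cannot be carried in an argv entry; fail loudly instead of truncating.
    if (strpos($arg, "\0") !== false) {
        throw new InvalidArgumentException('argument contains a NUL byte');
    }
    // Inside single quotes the shell treats every byte literally except ' itself,
    // so close the quote, emit an escaped quote, and reopen it: ' becomes '\''
    return "'" . str_replace("'", "'\\''", $arg) . "'";
}

// Hypothetical helper: hand the quoted argument to sh and return the bytes it received.
function roundtrip(string $quoted): string
{
    return (string) shell_exec("printf '%s' " . $quoted);
}

// Constructed sample input: multibyte UTF-8 text mixed with shell metacharacters.
$input = "déploiement 'v8' \$HOME; * ünïcode";

// Simulate a server whose locale is not UTF-8.
setlocale(LC_CTYPE, 'C');

$candidates = [
    'escapeshellarg' => escapeshellarg($input),
    'quote_arg'      => quote_arg($input),
];

foreach ($candidates as $name => $quoted) {
    $received = roundtrip($quoted);
    printf(
        "%-15s %s (%d of %d bytes arrived)\n",
        $name,
        $received === $input ? 'preserved' : 'ALTERED',
        strlen($received),
        strlen($input)
    );
}
```

Whether escapeshellarg() alters the input here depends on how the PHP build and C library treat multibyte text in the active locale, which is why the script checks the round trip instead of assuming an outcome.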
- Source: Lobsters
- Published: May 2, 2026 at 03:07 AM
- Score: 7.0 / 10