Quote PHP -d INI values so regex characters like " and ; survive

kayw-geek · sebastianbergmann · commit 1afa115de16d · 2026-04-17T13:55:26.000+02:00
diff --git a/src/Util/PHP/JobRunner.php b/src/Util/PHP/JobRunner.php
@@ -26,8 +26,11 @@
 use function is_resource;
 use function proc_close;
 use function proc_open;
+use function str_replace;
 use function str_starts_with;
 use function stream_get_contents;
+use function strpos;
+use function substr;
 use function sys_get_temp_dir;
 use function tempnam;
 use function trim;
@@ -325,9 +328,28 @@ private function settingsToParameters(array $settings): array
 
         foreach ($settings as $setting) {
             $buffer[] = '-d';
-            $buffer[] = $setting;
+            $buffer[] = $this->quoteSettingValue($setting);
         }
 
         return $buffer;
     }
+
+    /**
+     * Wraps the value portion of a "name=value" INI setting in double quotes
+     * so PHP's INI parser treats characters such as `;` (comment) and `"`
+     * (string delimiter) as literal data instead of metacharacters.
+     */
+    private function quoteSettingValue(string $setting): string
+    {
+        $position = strpos($setting, '=');
+
+        if ($position === false) {
+            return $setting;
+        }
+
+        $name  = substr($setting, 0, $position);
+        $value = substr($setting, $position + 1);
+
+        return $name . '="' . str_replace('"', '\\"', $value) . '"';
+    }
 }
diff --git a/tests/unit/Util/PHP/JobRunnerTest.php b/tests/unit/Util/PHP/JobRunnerTest.php
@@ -110,6 +110,20 @@ public static function provider(): Generator
                 input: 'test',
             ),
         ];
+
+        $obfuscationRegex = '(?i)(?:(?:"|%22)?)(?:(?:old[-_]?|new[-_]?)?p(?:ass)?w(?:or)?d(?:1|2)?|pass(?:[-_]?phrase)?|secret|(?:api_?|private_?|public_?|access_?|secret_?)key(?:_?id)?|token|consumer_?(?:id|key|secret)|sign(?:ed|ature)?|auth(?:entication|orization)?)(?:(?:\s|%20)*(?:=|%3D)[^&]+|(?:"|%22)(?:\s|%20)*(?::|%3A)(?:\s|%20)*(?:"|%22)(?:%2[^2]|%[^2]|[^"%])+(?:"|%22))|bearer(?:\s|%20)+[a-z0-9\._\-]+|token(?::|%3A)[a-z0-9]{13}|gh[opsu]_[0-9a-zA-Z]{36}|ey[I-L](?:[\w=-]|%3D)+\.ey[I-L](?:[\w=-]|%3D)+(?:\.(?:[\w.+\/=-]|%3D|%2F|%2B)+)?|-{5}BEGIN(?:[a-z\s]|%20)+PRIVATE(?:\s|%20)KEY-{5}[^\-]+-{5}END(?:[a-z\s]|%20)+PRIVATE(?:\s|%20)KEY(?:-{5})?(?:\n|%0A)?';
+
+        yield 'php setting value containing INI metacharacters' => [
+            new Result($obfuscationRegex, ''),
+            new Job(
+                <<<'EOT'
+<?php declare(strict_types=1);
+print ini_get('highlight.string');
+
+EOT,
+                phpSettings: ['highlight.string=' . $obfuscationRegex],
+            ),
+        ];
     }
 
     #[DataProvider('provider')]
