Description

spark serve concatenated the user-supplied --host option directly into the shell command passed to passthru(), while sibling arguments (--php, document root, rewrite script) were already wrapped with escapeshellarg(). A locally-crafted host such as $(id) would be expanded by /bin/sh -c before reaching php -S. Threat model is limited (local CLI argv control); this is hardening on par with the surrounding code.

Replaces and closes #10156.

Changes:

• Extracts command construction into a new Serve::buildServeCommand() that wraps every interpolated argument with escapeshellarg(), then sprintf's them into the php -S host:port -t docroot rewrite template.
• Adds ServeTest covering the builder with literal expected strings: a happy path plus eight injection vectors (command substitution, shell separators, redirection, embedded quote, newline). Gated to POSIX shells via #[RequiresOperatingSystem('^(?!WIN)')] because escapeshellarg() output differs on Windows.
• Adds a Bugs Fixed entry under Commands in the v4.7.3 changelog.

Note on 4.8 forward-merge

This bug only exists on develop. The 4.8 branch rewrites Serve to extend AbstractCommand and already escapes the host inside its execute() method, so the vulnerability is not present there. When develop is forward-merged into 4.8:

• system/Commands/Server/Serve.php: keep 4.8's version; the rewrite supersedes this fix.
• tests/system/Commands/Server/ServeTest.php: should be deleted during conflict resolution. The test reflects on the BaseCommand-based buildServeCommand() method, which does not exist on 4.8.
• Changelog entry is historical and merges cleanly.

Checklist:

• Securely signed commits
• Component(s) with PHPDoc blocks, only if necessary or adds value (without duplication)
• Unit testing, with >80% coverage
• User guide updated
• Conforms to style guide