shell_exec() is deactivated because of security reasons


Andy

Jul 30, 2010, 5:29:10 AM
to ResourceSpace
Dear RS friends!

I've installed the RS software on my hoster - actually it works with a
few problems.. My hoster supports imagemagick but doesn't allow the
command shell_exec()...

as I now know, the convert command for imagemagick uses shell_exec()..

My host wrote me that the convert can be used with system or exec....

Is it possible to rewrite it? I can do it, I just have to know where
the commands are ;-)
Thank you very much!
Cheerio
Andy

Jeff Harmon

Jul 30, 2010, 6:21:33 PM
to ResourceSpace
I believe the code is fairly riddled with PHP passing a shell command
like this, and removing them is probably unlikely - you're the first
person to mention this restriction in more than a year, so the
substantial effort it might take seems unwarranted. Someone else
might know more about the possibilities though!

- Jeff Harmon
Colorhythm LLC

Andy

Jul 30, 2010, 7:07:07 PM
to ResourceSpace
I totally agree with you.. I just wondered that my hoster answered
the question with "you shouldn't use shell_exec"...

and actually... he knew that I'm talking about Resourcespace..

Tom Gleason

Jul 30, 2010, 7:12:38 PM
to resour...@googlegroups.com
All the shell_exec commands are escaped and should be safe in the context that they are being used.

php's safe_mode doesn't allow the use of shell_exec, but using safe_mode is not the right way to handle security, and has been deprecated in php 5.3

http://php.net/manual/en/features.safe-mode.php

--
Tom Gleason, PHP Developer
DBA Impressive Design

Exploring ResourceSpace at:
http://resourcespace.blogspot.com

Andy

Jul 30, 2010, 7:42:41 PM
to ResourceSpace
actually it's not disabled in the server php.ini file... so turning off
the php_safe mode won't help...

Dan Huby

Jul 31, 2010, 4:38:03 AM
to ResourceSpace

> as I now know, the convert command for imagemagick uses shell_exec()..
>
> My host wrote me that the convert can be used with system or exec....

They've disabled shell_exec() but not system() or exec()?

That doesn't make sense... they do almost the same thing? Maybe
there's some technical/security reason for limiting access to the
shell, but I haven't come across this before.

You could try search/replacing "shell_exec" with "exec" across the
whole system. Would be good if you could follow up and let me know if
that works.

Dan
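
The return-value difference behind the search/replace suggested above, as an added example that is not part of the thread or of ResourceSpace's code. `fn_usable()` and `run_command()` are hypothetical helper names, the filename is a constructed sample, and a POSIX shell with `exec()` enabled is assumed.

```php
<?php
// Added example; fn_usable() and run_command() are hypothetical helpers,
// not ResourceSpace functions. Assumes a POSIX shell and PHP 7.1+.

/** True if $name is callable and not listed in php.ini disable_functions. */
function fn_usable(string $name): bool
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    // PHP 8 removes disabled functions entirely; older versions keep the
    // symbol, so check both the function table and the ini list.
    return function_exists($name) && !in_array($name, $disabled, true);
}

/**
 * Return the command's complete stdout as one string, as shell_exec() does.
 * exec() on its own returns only the last output line, so a plain
 * search/replace changes what every caller receives.
 */
function run_command(string $command, ?int &$status = null): ?string
{
    if (fn_usable('exec')) {
        $lines = [];
        exec($command, $lines, $status);   // $lines gets every line, newline-stripped
        return $lines === [] ? null : implode("\n", $lines) . "\n";
    }
    if (fn_usable('shell_exec')) {
        $out = shell_exec($command);       // no exit status available here
        return is_string($out) ? $out : null;
    }
    return null;
}

// Constructed sample filename containing shell metacharacters.
$file = 'holiday; photo $(id).jpg';
// escapeshellarg() single-quotes the value so the shell sees one literal argument.
$cmd = 'printf "%s\n" first second ' . escapeshellarg($file);

var_dump(exec($cmd));          // last line only: the filename
var_dump(run_command($cmd));   // all three lines, like shell_exec()
```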

Andy

Aug 2, 2010, 3:01:04 AM
to ResourceSpace
Hi Dan!

I agree with you - but that's what my hoster did :-)

but actually the replacement of shell_exec with exec worked for the
first trial..
I just replaced all of these commands in the files
preview_preprocessing.php and image_processing.php

so it works fine for PDF files (which use ghostscript and
ImageMagick) as well as for jpgs, pngs and gifs.. (which use
Imagemagick as well)

I'll try further formats but I think this could be the solution...
Maybe the unzip command won't work... I uploaded a zip archive and it
has been added as a zip file without unzipping the data...

I'll do further tests... and keep you up to date!
Thank you & if you have any other suggestions or ideas to test it..
let me know!
Andy

Andy

Aug 2, 2010, 3:46:01 AM
to ResourceSpace
So - as I already mentioned upload is working.. but if you edit the
resource and want to make a "new preview" with the function "Retry
preview creation" it works for jpgs but not for PDFs.. there is just
an "internal server error" popping up..

Andy

Aug 2, 2010, 7:07:24 PM
to ResourceSpace
Hi Dan,

so I changed all the shell_exec to shell.. in all these files:

test/_shell_changes/check.php
test/_shell_changes/contactsheet.php
test/_shell_changes/crop.php
test/_shell_changes/ffmpeg_processing.php
test/_shell_changes/general.default.php
test/_shell_changes/general.php
test/_shell_changes/image_processing.php
test/_shell_changes/info.txt
test/_shell_changes/metadata_report.php
test/_shell_changes/mysql_timeout.php
test/_shell_changes/preview_preprocessing.php
test/_shell_changes/resource_functions.php
test/_shell_changes/shell.php
test/_shell_changes/team_home.php
test/_shell_changes/transform_functions.php
test/_shell_changes/update_exiftool_field.php
test/_shell_changes/update_sizes.php


It works quite well and is maybe an alternative for the next update of
RS.. (?)
I'm happy now :-)
Thank you!

Jeff Harmon

Aug 3, 2010, 6:15:58 AM
to ResourceSpace
"Maybe the unzip command won't work... I uploaded a zip archive and it
has been added as a zip file without unzipping the data... "

This is actually the expected behavior, by design. RS doesn't unzip
any archived file that's uploaded; it treats it as its own resource.