|shell_exec() is deactivated because of security reasons||Andy||7/30/10 2:29 AM|
Dear RS friends!
I've installed the RS software on my hoster - actually it works with a
few problems.. My hoster supports imagemagick but doesn't allow the
as I now know, the convert command for imagemagick uses shell_exec()..
My host wrote me that the convert can be used with system or exec....
Is it possible to rewrite it? I can do it, I just have to know where
the commands are ;-)
Thank you very much!
|Re: shell_exec() is deactivated because of security reasons||Jeff Nova||7/30/10 3:21 PM|
I believe the code is fairly riddled with PHP passing a shell command
like this, and removing them is probably unlikely - you're the first
person to mention this restriction in more than a year, so the
substantial effort it might take seems unwarranted. Someone else
might know more about the possibilities though!
- Jeff Harmon
|Re: shell_exec() is deactivated because of security reasons||Andy||7/30/10 4:07 PM|
I totally agree with you.. I just wondered that my hoster answered
the question with "you shouldn't use shell_exec"...
and actually... he knew that I'm talking about Resourcespace..
|Re: shell_exec() is deactivated because of security reasons||tom||7/30/10 4:12 PM|
All the shell_exec commands are escaped and should be safe in the context that they are being used.
PHP's safe_mode doesn't allow the use of shell_exec, but using safe_mode is not the right way to handle security, and has been deprecated in PHP 5.3.
Tom Gleason, PHP Developer
DBA Impressive Design
Exploring ResourceSpace at:
|Re: shell_exec() is deactivated because of security reasons||Andy||7/30/10 4:42 PM|
|Re: shell_exec() is deactivated because of security reasons||Dan Huby||7/31/10 1:38 AM|
They've disabled shell_exec() but not system() or exec()?
That doesn't make sense... they do almost the same thing? Maybe
there's some technical/security reason for limiting access to the
shell, but I haven't come across this before.
You could try search/replacing "shell_exec" with "exec" across the
whole system. Would be good if you could follow up and let me know if
|Re: shell_exec() is deactivated because of security reasons||Andy||8/2/10 12:01 AM|
I agree with you - but that's what my hoster did :-)
but actually the replacement of shell_exec with exec worked for the
I just replaced all of these commands in the files
preview_preprocessing.php and image_processing.php
so it works fine for PDF files (which use ghostscript and
ImageMagick) as well as for jpgs, pngs and gifs.. (which use
ImageMagick as well)
I'll try further formats but I think this could be the solution...
Maybe the unzip command won't work... I uploaded a zip archive and it
has been added as a zip file without unzipping the data...
I'll do further tests... and keep you up to date!
Thank you & if you have any other suggestions or ideas to test it..
let me know!
|Re: shell_exec() is deactivated because of security reasons||Andy||8/2/10 12:46 AM|
So - as I already mentioned upload is working.. but if you edit the
resource and want to make a "new preview" with the function "Retry
preview creation" it works for jpgs but not for PDFs.. there is just
an "internal server error" popping up..
|Re: shell_exec() is deactivated because of security reasons||Andy||8/2/10 4:07 PM|
so I changed all the shell_exec to shell.. in all these files:
It works quite well and is maybe an alternative for the next update of
I'm happy now :-)
|Re: shell_exec() is deactivated because of security reasons||Jeff Nova||8/3/10 3:15 AM|
"Maybe the unzip command won't work... I uploaded a zip archive and it
This is actually the expected behavior, by design. RS doesn't unzip
any archived file that's uploaded; it treats it as its own resource.
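
The shell_exec-to-exec search/replace discussed in this thread changes what the caller gets back, so here is an added example (not code from the thread or from ResourceSpace) of a wrapper that keeps shell_exec()'s return value when only exec() is available. The helper names `function_usable()` and `run_command()` and the sample file name are assumptions made for illustration, and the demo command assumes a Unix host.

```php
<?php
// Added example, not ResourceSpace code. function_usable() and run_command()
// are hypothetical helper names. Assumes a Unix host with a POSIX shell.

// True when $name exists and is not listed in php.ini's disable_functions.
function function_usable(string $name): bool
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return function_exists($name) && !in_array($name, $disabled, true);
}

// Run $command and return its complete stdout, or null when there is none.
function run_command(string $command): ?string
{
    if (function_usable('shell_exec')) {
        $out = shell_exec($command);
        return is_string($out) ? $out : null;
    }
    if (function_usable('exec')) {
        // exec() returns only the LAST line; the full output arrives in $lines,
        // one entry per line with trailing whitespace stripped.
        $lines = [];
        $status = 0;
        exec($command, $lines, $status);
        return $lines === [] ? null : implode("\n", $lines) . "\n";
    }
    throw new RuntimeException('shell_exec() and exec() are both disabled');
}

// Constructed sample: a file name containing a space and a shell metacharacter.
$file = 'holiday photo; 2010.pdf';

// escapeshellarg() makes the name one literal argument under either function,
// because both hand the command string to the shell.
$command = 'printf "%s\n" first second ' . escapeshellarg($file);

// A bare rename to exec() would leave the caller with the last line only.
$lastLine = function_usable('exec') ? exec($command) : null;
$full = run_command($command);

echo "exec() return value: ", var_export($lastLine, true), "\n";
echo "run_command() value: ", var_export($full, true), "\n";
```

Code that parses multi-line tool output behaves differently after a plain rename, which is the case the wrapper covers.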