warning: shell_exec() has been disabled for security reasons ..

[rhv007]

Hi
While installing the TinMMW Wiki component on Joomla 1.0.14, I got the error outlined in the subject. The full text read:

warning: shell_exec() has been disabled for security reasons in /path/to/components/com_tinmw/config/index.php on line 1721.

The function in which this lin false is as follows:

# @param mixed $versioninfo array of details to use when checking version, use false for no version checking
function locate_executable($loc, $names, $versioninfo = false) {
    if (!is_array($names))
        $names = array($names);

    foreach ($names as $name) {
        $command = "$loc".DIRECTORY_SEPARATOR."$name";
        if (file_exists($command)) {
            if (!$versioninfo)
                return $command;

[B]line 1720  [/B]          $file = str_replace('$1', $command, $versioninfo[0]);
[COLOR=Red][B]line 1721 [/B][/COLOR]        if (strstr(`$file`, $versioninfo[1]) !== false)
[B]line 1722   [/B]            return $command;
        }
    }
    return false;
}

Line 721 has been highlighted to demonstrate the offending bit of code. Any, I commented out lines 721 and 722 and the installation went ahead. However, I am not too certain about its stability as a result.

This type of error is "usually" associated with the PHP safe_mode directive being off. However my PHP version is intermediate and if I recall, safe_mode is supposed to be turned off.

Strangely enough, a few weeks ago, I installed the Mambo_Wiki component which contains a quite similar function and that setup was completed without any problems. Its a much older MediWiki version and I was having some issues so I uninstalled it.

Have some PHP settings been changed lately on the free hosting server here lately?

If anyone has a solution to this problem, I would be quite happy for one.

Cheers.

 

[Corey]

We've always had shell_exec off. As the function name says, it allows people to execute commands via shell which can lead to abuse.

Most scripts that use shell_exec do not require it to function. A common one is to check the server load\time, which isn't necessary.

 

[Bryon]

The reason it worked before is because we had PHP versions disabled at that time. That must have been after we had a lot of those issues with our free hosting servers.

Can you try to determine what is actually within $file? What is it trying to execute?

 

[rhv007]

Hi Thanks for responding. I am not sure exectly what $file is trying to execute. However for those who are interested, here are the comments appearing in the function's header.

#Check for location of an executable
# @param string $loc single location to check
# @param array $names filenames to check for.
# @param mixed $versioninfo array of details to use when checking version, use false for no version checking

Also the following is the bit in the index.php file where the function is called:

$diff3versioninfo = array( '$1 --version 2>&1', 'diff3 (GNU diffutils)' );
foreach ($diff3locations as $loc) {
	$exe = [COLOR="Red"]locate_executable[/COLOR]($loc, $diff3names, $diff3versioninfo);
	if ($exe !== false) {
		$conf->diff3 = $exe;
		break;
	}
}

Incidentally, the line numbers in the original post should have been 1720, 1721 & 1722 (instead of 720, 721 & 722). This has been corrected.

Cheers