https://bugs.koozali.org/show_bug.cgi?id=12187

            Bug ID: 12187
           Summary: shell_exec() is blocked from use, but looks to be used
                    in NextCloud.
    Classification: Contribs
           Product: SME Contribs
           Version: 10.0
          Hardware: ---
                OS: ---
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: smeserver-nextcloud
          Assignee: [email protected]
          Reporter: [email protected]
        QA Contact: [email protected]
  Target Milestone: ---

The command shell_exec() is a blocked function. Here is a NextCloud log item
showing that the function is used:

[PHP] Error: Error: shell_exec() has been disabled for security reasons at
/usr/share/nextcloud/apps/serverinfo/lib/OperatingSystems/DefaultOs.php#116 at
<<closure>>

0. <<closure>>
   OC\Log\ErrorHandler::onError()
1. /usr/share/nextcloud/apps/serverinfo/lib/OperatingSystems/DefaultOs.php line
116
   shell_exec()
2. /usr/share/nextcloud/apps/serverinfo/lib/Os.php line 70
   OCA\ServerInfo\OperatingSystems\DefaultOs->getTime()
3. /usr/share/nextcloud/apps/serverinfo/lib/Controller/ApiController.php line
139
   OCA\ServerInfo\Os->getTime()
4. /usr/share/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 225
   OCA\ServerInfo\Controller\ApiController->BasicData()
5. /usr/share/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 133
   OC\AppFramework\Http\Dispatcher->executeController()
6. /usr/share/nextcloud/lib/private/AppFramework/App.php line 172
   OC\AppFramework\Http\Dispatcher->dispatch()
7. /usr/share/nextcloud/lib/private/Route/Router.php line 298
   OC\AppFramework\App::main()
8. /usr/share/nextcloud/ocs/v1.php line 62
   OC\Route\Router->match()
9. /usr/share/nextcloud/ocs/v2.php line 23
   require_once("/usr/share/nextcloud/ocs/v1.php")

GET /nextcloud/ocs/v2.php/apps/serverinfo/api/v1//basicdata?format=json
from 66.214.203.58 by [email protected] at 2022-09-19T07:14:19+00:00

This is used in NextCloud in the following code snippet at
/usr/share/nextcloud/apps/serverinfo/lib/OperatingSystems/DefaultOs.php :
 public function getTime(): string {
   return (string)shell_exec('date');
 }

There are many places that shell_exec is used in this PHP file.
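
Added example, not part of the original report and not Nextcloud or SME Server code: a small audit that reads disable_functions from php.ini text and lists the lines where a PHP source file calls one of the blocked functions, which is the question this report raises for DefaultOs.php. The ini text and PHP source below are constructed samples, and disabled_functions() and find_disabled_calls() are hypothetical helper names.

```python
import re

# Constructed sample inputs, not copied from a real server or from Nextcloud.
SAMPLE_INI = """\
[PHP]
; hardening (constructed)
disable_functions = exec, passthru,shell_exec , system ; trailing comment
"""
SAMPLE_PHP = r"""<?php
class DefaultOs {
    public function getTime(): string {
        return (string)shell_exec('date');
    }
    public function getUptime(): string {
        // shell_exec('uptime') in a comment must not be reported
        return (string)$this->runner->exec('uptime');
    }
    public function getHostname(): string {
        return (string) \shell_exec ('hostname');
    }
}
"""

# Comments and quoted strings are blanked first so they cannot produce hits.
# Heuristic only: heredocs and inline HTML are not handled.
SKIP = re.compile(r"""
    /\*.*?\*/ | (?://|\#)[^\n]*                  # block and line comments
  | '(?:\\.|[^'\\])*' | "(?:\\.|[^"\\])*"        # quoted strings
""", re.S | re.X)
# A plain function call: not a method (->, ::), variable or namespaced name.
CALL = re.compile(r"(?<!->)(?<!::)(?<!function\s)(?<![\w$\\])\\?([A-Za-z_]\w*)\s*\(")

def disabled_functions(ini_text):
    """Names listed in the last disable_functions directive of a php.ini."""
    names = set()
    for line in ini_text.splitlines():
        key, sep, value = line.split(";", 1)[0].partition("=")
        if sep and key.strip().lower() == "disable_functions":
            names = {n.strip(" \t\"'").lower() for n in value.split(",")} - {""}
    return names

def find_disabled_calls(php_source, disabled):
    """Return (line, function) for each call to a disabled PHP function."""
    code = SKIP.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), php_source)
    return [(code.count("\n", 0, m.start()) + 1, m.group(1).lower())
            for m in CALL.finditer(code) if m.group(1).lower() in disabled]

if __name__ == "__main__":
    for line, name in find_disabled_calls(SAMPLE_PHP, disabled_functions(SAMPLE_INI)):
        print(f"line {line}: {name}() is listed in disable_functions")
```

The method call ->exec() on line 8 of the sample is not reported, because disable_functions only affects PHP's built-in functions, not methods that happen to share a name.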
