Remove use of exec('rm -Rf') as security concern preventing use of open_basedir.

Created on 23 May 2017, almost 8 years ago
Updated 29 November 2024, 4 months ago


πŸ› Bug report
Status

Needs work

Version

11.0 🔥

Component

phpunit

Created by

🇺🇸 United States webservant316

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.


Comments & Activities


It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇸🇰 Slovakia poker10

    Thanks for working on this. The same code is still in D11 (see here: https://git.drupalcode.org/project/drupal/-/blob/11.x/core/modules/syste...), so according to the backport policy, I am changing the version.

  • 🇺🇸 United States TolstoyDotCom L.A.

    It'd be a good idea to replace this, but now there's an SSH class that has things like ssh2_exec($this->connection, 'rm -Rf ' . escapeshellarg($directory)). There's no check if $directory is '/', '/bin', 'bin', '/home/*', etc. That code is in the removeDirectoryJailed method so presumably it's only allowed to operate within a specific directory.

    Also, the vendor directory for D11 dev is chock full of calls to exec() and shell_exec(). Symfony even includes an .exe file.
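The issue title and the comment above raise two separate points: shelling out to `rm -Rf` bypasses `open_basedir` entirely (the restriction applies to PHP's own filesystem functions, not to child processes), and a jailed delete still needs an explicit check that the target is a strict descendant of the jail. The following is an added example, not Drupal core code and not the `removeDirectoryJailed` method referenced in the comment: a pure-PHP recursive delete that stays under `open_basedir`, refuses the filesystem root and the jail root itself, rejects anything that resolves outside the jail, and unlinks symlinks rather than descending into them. The function names, the jail/target parameters and the throwaway temp tree in the demo are all assumptions made for illustration; the root check assumes a POSIX filesystem.

```php
<?php
declare(strict_types=1);

/**
 * Added example (hypothetical names, not Drupal's API): delete $target, which
 * must be a real directory strictly inside $jail, without spawning a shell.
 * Everything here goes through PHP's filesystem functions, so open_basedir
 * is enforced on every path touched.
 */
function removeDirectoryJailed(string $jail, string $target): void
{
    // realpath() resolves '..' segments and symlinks, so a target that links
    // outside the jail is compared by where it really points.
    $jailReal = realpath($jail);
    $targetReal = realpath($target);
    if ($jailReal === false || $targetReal === false) {
        throw new RuntimeException('Jail or target does not exist.');
    }
    // Never operate with '/' as the jail, and never delete the jail itself.
    if ($jailReal === DIRECTORY_SEPARATOR || $targetReal === $jailReal) {
        throw new RuntimeException('Refusing to delete the jail root or filesystem root.');
    }
    // Prefix check with a trailing separator so that /var/www-other does not
    // count as being inside /var/www.
    $prefix = $jailReal . DIRECTORY_SEPARATOR;
    if (strncmp($targetReal, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("Target $targetReal is outside jail $jailReal.");
    }
    // The target itself must be a real directory, not a symlink to one.
    if (!is_dir($target) || is_link($target)) {
        throw new RuntimeException("$target is not a real directory.");
    }
    deleteTree($targetReal);
}

/**
 * Depth-first removal. Without FOLLOW_SYMLINKS, RecursiveDirectoryIterator
 * does not descend into symlinked directories, so a link to /etc inside the
 * tree is removed as a link and its target is left untouched.
 */
function deleteTree(string $dir): void
{
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($iterator as $entry) {
        /** @var SplFileInfo $entry */
        $path = $entry->getPathname();
        // isDir() follows links, so check isLink() first: links are unlinked.
        if ($entry->isDir() && !$entry->isLink()) {
            rmdir($path);
        } else {
            unlink($path);
        }
    }
    rmdir($dir);
}

// Demo on a constructed throwaway tree under the system temp directory.
$jail = sys_get_temp_dir() . '/jail-' . bin2hex(random_bytes(4));
mkdir("$jail/build/sub", 0700, true);
file_put_contents("$jail/build/sub/a.txt", 'x');
symlink('/etc', "$jail/build/etc-link");   // must be unlinked, not traversed

removeDirectoryJailed($jail, "$jail/build");
echo 'build dir removed: ', var_export(!is_dir("$jail/build"), true), PHP_EOL;
echo '/etc still present: ', var_export(is_dir('/etc'), true), PHP_EOL;

// Out-of-jail targets are rejected before anything is touched.
foreach (['/', $jail, "$jail/../"] as $bad) {
    try {
        removeDirectoryJailed($jail, $bad);
    } catch (RuntimeException $e) {
        echo 'refused: ', $e->getMessage(), PHP_EOL;
    }
}
rmdir($jail);
```

The shape of the check matters: `realpath()` before the prefix comparison defeats `../` and symlink tricks, the trailing separator defeats sibling-prefix names, and the separate `is_link()` test on the target stops a link inside the jail from redirecting the delete elsewhere. A `chroot`-style jail on the SSH side would need the equivalent logic done on the remote host, since nothing in this function sees the remote filesystem.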
