PHP functions disabled

by Ricardo Caiado -
Number of replies: 5
Hi ALL,

For security reasons I disabled the following PHP functions on my production server:

"apache_child_terminate, apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, disk_free_space, diskfreespace, dl, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_restore, ini_get_all, inject_code, mysql_pconnect, openlog, passthru, phpinfo, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, show_source, shell_execsymlink, syslog, system, xmlrpc_entity_decode"

Does Moodle use some of these functions to run properly?

All the best,

Ricardo

In reply to Ricardo Caiado

Re: PHP functions disabled

by Tim Hunt -

I don't know, but grep can tell you the answers (or any other text-search tool of your choice).

In reply to Ricardo Caiado

Re: PHP functions disabled

by Mauno Korpelainen -

Tim already told you how to find the answer, but at least the Tex filter (or Algebra filter) is using system() and won't render maths if you disable system() (if you need the Tex filter).

In reply to Ricardo Caiado

Re: PHP functions disabled

by Andrew Lyons -
Hi Ricardo,

If you copy the list and space separate the functions (instead of comma) then you can run the following in the moodle git repository:

for function in apache_child_terminate apache_get_modules apache_get_version apache_getenv apache_note apache_setenv define_syslog_variables escapeshellarg escapeshellcmd eval exec disk_free_space diskfreespace dl fput ftp_connect ftp_exec ftp_get ftp_login ftp_nb_fput ftp_put ftp_raw ftp_rawlist highlight_file ini_alter ini_restore ini_get_all inject_code mysql_pconnect openlog passthru phpinfo php_uname phpAds_remoteInfo phpAds_XmlRpc phpAds_xmlrpcDecode phpAds_xmlrpcEncode popen posix_getpwuid posix_kill posix_mkfifo posix_setpgid posix_setsid posix_setuid posix_setuid posix_uname proc_close proc_get_status proc_nice proc_open proc_terminate show_source shell_execsymlink syslog system xmlrpc_entity_decode; do echo "Checking for use of $function:"; git grep "$function("; done

Which will list any line in Moodle which uses one of these functions - note, you may get some false positives depending on the patterns you're grepping, but some of these will definitely be in use - for example, eval, posix_setsid, and exec for starters.

Hope that this helps,

Andrew
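
A stricter form of the search above, as an added example that is not part of the original posts or of Moodle: it takes the comma-separated list as written for `disable_functions` and counts only plain function calls, so `curl_exec(` or `->exec(` are not reported as `exec`. It uses `grep -r` instead of `git grep` so it also runs outside a repository; `find_disabled_calls`, `make_sample_tree` and the sample PHP file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (constructed; not Moodle code). Assumes function names contain
# only [A-Za-z0-9_], so they are safe to embed in a regex unescaped.

# find_disabled_calls "<disable_functions value>" <dir>
# Prints "<name> <matching lines>" for each listed function called under <dir>.
find_disabled_calls() {
    local list="$1" dir="$2" name pattern count
    # Split the comma-separated list, strip quotes/whitespace, drop duplicates.
    printf '%s\n' "$list" | tr ',' '\n' | sed 's/[[:space:]"]//g' | grep -v '^$' | sort -u |
    while IFS= read -r name; do
        # The name must not follow an identifier character, "$", "->" or "::",
        # and must be followed by "(" (optional whitespace in between).
        pattern="(^|[^A-Za-z0-9_\$>:])${name}[[:space:]]*\\("
        count=$(grep -rE --include='*.php' -e "$pattern" "$dir" | wc -l | tr -d ' ')
        if [ "$count" -gt 0 ]; then
            printf '%s %s\n' "$name" "$count"
        fi
    done
}

# make_sample_tree <dir>: writes one constructed PHP file for demonstration.
make_sample_tree() {
    cat > "$1/sample.php" <<'EOF'
<?php
$out = shell_exec('latex formula.tex');  // plain call: counted
system ("dvips formula.dvi");            // plain call with a space: counted
$r = curl_exec($ch);                     // different function: ignored
$task->exec($x);                         // method call: ignored
$fs->get_file_system();                  // longer name: ignored
EOF
}

demo() {
    local dir
    dir=$(mktemp -d)
    make_sample_tree "$dir"
    find_disabled_calls 'exec, system, shell_execsymlink, posix_setuid, posix_setuid, shell_exec' "$dir"
    rm -rf "$dir"
}
demo
```

Function and method definitions with the same name, and mentions inside comments or strings that end in `(`, are still counted, so each hit needs a look before deciding whether the function can stay disabled.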
In reply to Ricardo Caiado

Re: PHP functions disabled

by Mauno Korpelainen -

Ricardo,

there is obviously one mistake in your list: shell_execsymlink

Shouldn't it be shell_exec, symlink?

Tex filter is using also shell_exec() ...