[TYPO3-dev] cc_awstats: Substitution for escapeshellcmd and passthru needed

Martin Kutschker masi-no at spam-typo3.org
Sat Jul 19 20:27:35 CEST 2008


Christopher wrote:
> Hi Masi,
> 
> "Martin Kutschker" <masi-no at spam-typo3.org> wrote in message 
> news:mailman.1.1216486566.31760.typo3-dev at lists.netfielders.de...
>> Christopher wrote:
>>> Hi guys,
>>>
>>> I am using cc_awstats and have a problem with it:
>>>
>>> The extension contains the following code:
>>> if (!t3lib_div::GPvar(dbg)) {
>>>     passthru($perl.' '.$this->MCONF['awstatsFullDir'].$this->MCONF['awstatsScript'].escapeshellcmd($parameter), $retval);
>>>    }
>>> (found in typo3conf/ext/cc_awstats/mod1/index.php on line 272)
>>>
>>> On my server passthru and escapeshellcmd are deactivated (which I cannot
>>> change).
>>> How can I change the above lines so that it works anyway?
>> If the admin deactivated these functions he has probably deactivated all
>> execution of binaries for PHP.
> 
> No, I can use exec instead of passthru,

Braindead setup!

> but is there a difference so that it 
> won't work correctly afterwards?

Did you care to read the PHP docs? Without looking at cc_awstats I would
say you can safely replace it.

> I can neither use escapeshellcmd nor escapeshellarg. Leaving this out would 
> be insecure I fear?

No. It's here only used so that you don't have to worry if you need to
worry that one of the generated options triggers some shell features.
AFAIR the compiled shell command is simple and as the passed args are
only domain names or file names you can do without escaping.

If you don't like this you can write your own implementation in PHP.

Masi
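
An added example, not part of the original message and not cc_awstats code: one way to write the quoting in PHP and to stand in for passthru() with exec(), assuming a POSIX /bin/sh on the server. The function names, paths and the sample config value are hypothetical.

```php
<?php
// Added example; assumes the command is run by a POSIX /bin/sh.

// Userland stand-in for escapeshellarg(): wrap the value in single quotes
// and rewrite every embedded single quote as '\'' (close, escaped quote, reopen).
function quote_shell_arg(string $arg): string
{
    if (strpos($arg, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in shell argument');
    }
    return "'" . str_replace("'", "'\\''", $arg) . "'";
}

// Allow-list check for a value that should be a plain domain or file name.
// The first character must be alphanumeric, so the value cannot be read as
// an option, and ".." is rejected to rule out path traversal.
function is_plain_name(string $value): bool
{
    return preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $value) === 1
        && strpos($value, '..') === false;
}

// passthru() replacement built on exec(): runs the command, prints what it
// wrote to stdout and returns the exit status. Unlike passthru(), exec()
// collects the output line by line and strips trailing whitespace, so this
// suits text/HTML output but not binary data.
function run_and_print(string $binary, array $args): int
{
    $cmd = quote_shell_arg($binary);
    foreach ($args as $arg) {
        $cmd .= ' ' . quote_shell_arg($arg);
    }
    $output = [];
    $status = 1;
    exec($cmd, $output, $status);
    echo implode("\n", $output), "\n";
    return $status;
}

// Constructed sample values; replace with the extension's own settings.
$config = 'www.example.org';
if (!is_plain_name($config)) {
    exit('Unexpected characters in config name');
}
$retval = run_and_print('/usr/bin/perl', ['/path/to/awstats.pl', '-config=' . $config, '-output']);
```

Validating the value first and quoting it afterwards means a name that slips past one check is still passed to the shell as a single literal argument.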



