New strange error - "escapeshellcmd() has been disabled for security reasons"
3 posts by 3 authors in: Forums > CMS Builder
Last Post: May 25, 2021
By Codee - May 15, 2021
Just received CMSB notification with this error:
"E_WARNING: escapeshellcmd() has been disabled for security reasons
/home/xxxxxxxxxxx/public_html/cmsbadmin/3rdParty/SwiftMailer5/classes/Swift/Transport/MailTransport.php (line 260)
https://xxxxxxxx.com/ordering.php"
This came in at the same time a legitimate order processed on the website. Interactive Tools: can you coach me to understanding on this one?
Thank you in advance.
By mark99 - May 20, 2021
I believe escapeshellcmd() has some inherent problems that make it worth disabling for best security. The workaround is usually to adopt SMTP for email instead of the PHP method, although CMSB should really ensure their 3rd Party stuff is up-to-date (they're using the massively out of date SwiftMailer v5, but the latest release is on the 6.2 branch). I'm not sure how to update this ourselves.
Hopefully somebody will reply to say how this can be addressed as we really shouldn't be having such out of date libraries in the system.
By Dave - May 25, 2021
Hi guys,
Web hosts can arbitrarily disable any PHP functions they want with the PHP disable_functions directive in a system php.ini file:
https://www.php.net/manual/en/ini.core.php#ini.disable-functions
This is often an issue with low-cost hosts. Check the price of the hosting package and see if they have alternatives that aren't limited. It can also be an issue on cloud hosting. We try to "work-around" a lot of these issues, but if your host disables too much of PHP's functionality it's just not possible to do certain things.
There are often many instances where being able to call Linux commands or binaries is very useful to extend the functionality of the web software in ways that you can't with pure PHP. SMTP, for example, is more secure in the sense that you can connect with pure PHP, but being able to securely send mail through the server's built-in mail server by calling the sendmail binary or equivalent is magnitudes faster, which can be important if you've got a lot of mail to send. And, in fact, this is exactly what the default PHP mail() function does.
And regarding versions, SwiftMailer is due for an upgrade, but there was a compatibility issue last time we checked. We tend to favour security fixes, stability of the release, and new functionality (in that order).
Hope that helps, let me know any questions or anything else we can do to assist.
interactivetools.com
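
Added example, not part of the thread and not CMSB or SwiftMailer code: a small PHP diagnostic for the disable_functions situation discussed above. It reads the host's disable_functions setting and reports which mail-sending paths are blocked. The helper names and the list of functions each path depends on are assumptions made for illustration.

```php
<?php
// Added example (not CMSB or SwiftMailer code): report which functions a
// mail path may need are disabled by the host's disable_functions setting.

/** Split a disable_functions ini value into lowercase function names. */
function parseDisabledFunctions(string $iniValue): array
{
    $names = array_map('trim', explode(',', strtolower($iniValue)));
    return array_values(array_filter($names, function ($n) {
        return $n !== '';
    }));
}

/** For each sending path, list the functions that cannot be called. */
function missingByPath(array $paths, array $disabled): array
{
    $report = [];
    foreach ($paths as $path => $functions) {
        $report[$path] = [];
        foreach ($functions as $fn) {
            // A function is unusable if the host lists it in disable_functions
            // or if PHP does not provide it at all (extension not loaded).
            if (in_array($fn, $disabled, true) || !function_exists($fn)) {
                $report[$path][] = $fn;
            }
        }
    }
    return $report;
}

// Assumption for this example: which functions each path depends on.
// Adjust the lists to match the mail library actually installed.
$paths = [
    'PHP mail() transport'     => ['mail', 'escapeshellcmd'],
    'sendmail binary via pipe' => ['proc_open', 'escapeshellarg'],
    'SMTP over a socket'       => ['stream_socket_client'],
];

$disabled = parseDisabledFunctions((string) ini_get('disable_functions'));
header('Content-Type: text/plain');
foreach (missingByPath($paths, $disabled) as $path => $missing) {
    echo $path . ': ' . ($missing ? 'blocked (' . implode(', ', $missing) . ')' : 'available') . "\n";
}
```

Request the script through the web server rather than the command line, because the CLI often reads a different php.ini and may not have the same functions disabled.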