New strange error - "escapeshellcmd() has been disabled for security reasons"

3 posts by 3 authors in: Forums > CMS Builder
Last Post: May 25, 2021

By mark99 - May 20, 2021

I believe escapeshellcmd() has some inherent problems that make it worth disabling for best security. The workaround is usually to adopt SMTP for email instead of the PHP method, although CMSB should really ensure their 3rd-party stuff is up to date (they're using the massively out-of-date SwiftMailer v5, but the latest release is on the 6.2 branch). I'm not sure how to update this ourselves.

Hopefully somebody will reply to say how this can be addressed, as we really shouldn't be having such out-of-date libraries in the system.

By Dave - May 25, 2021

Hi guys, 

Web hosts can arbitrarily disable any PHP functions they want with the PHP disable_functions directive in a system php.ini file:

This is often an issue with low-cost hosts. Check the price of the hosting package and see if they have alternatives that aren't limited. It can also be an issue on cloud hosting. We try to "work-around" a lot of these issues, but if your host disables too much of PHP's functionality it's just not possible to do certain things.

There are often many instances where being able to call Linux commands or binaries is very useful to extend the functionality of the web software in ways that you can't with pure PHP. SMTP, for example, is more secure in the sense that you can connect with pure PHP, but being able to securely send mail through the server's built-in mail server by calling the sendmail binary or equivalent is magnitudes faster, which can be important if you've got a lot of mail to send. And, in fact, this is exactly what the default PHP mail() function does.

And regarding versions, SwiftMailer is due for an upgrade, but there was a compatibility issue last time we checked. We tend to favour security fixes, stability of the release, and new functionality (in that order).

Hope that helps, let me know any questions or anything else we can do to assist.

Dave Edis - Senior Developer
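
One way to check for the host restriction described in the post above, as an added example that is not part of the thread or of CMS Builder's code: it parses the `disable_functions` directive and reports which shell-related functions are unavailable, so a site can tell whether to switch to SMTP. The helper names, the list of functions checked and the sample directive value are assumptions made for illustration.

```php
<?php
// Added example: report which shell-related PHP functions the host has disabled.

/** Parse a disable_functions value into a normalised list of function names. */
function parseDisabledFunctions(string $directive): array
{
    // Hosts write the list with inconsistent spacing and case; normalise both.
    $names = array_map('trim', explode(',', strtolower($directive)));
    return array_values(array_filter($names, 'strlen'));
}

/**
 * Return the subset of $needed that cannot be called.
 * Both checks are made: since PHP 8.0 a disabled function is treated as
 * non-existent, while older versions may still report it as existing.
 */
function unavailableFunctions(array $needed, string $directive): array
{
    $disabled = parseDisabledFunctions($directive);
    $missing = [];
    foreach ($needed as $fn) {
        if (in_array(strtolower($fn), $disabled, true) || !function_exists($fn)) {
            $missing[] = $fn;
        }
    }
    return $missing;
}

// Assumed list: functions a shell-out (sendmail-style) mail path may rely on.
$shellFunctions = ['escapeshellcmd', 'escapeshellarg', 'proc_open', 'popen'];

// Constructed sample value, as a restrictive host might set it in php.ini.
$sample = 'exec, passthru,shell_exec,escapeshellcmd , system';
echo "Sample host: " . implode(', ', unavailableFunctions($shellFunctions, $sample)) . "\n";

// The live setting of the PHP process running this script.
$live = unavailableFunctions($shellFunctions, (string) ini_get('disable_functions'));
echo $live
    ? "Disabled here: " . implode(', ', $live) . " -> use the SMTP transport\n"
    : "Shell-related functions available -> sendmail/mail() path is usable\n";
```

Run it through the same SAPI as the site (the web server, not only the CLI), since hosts often apply a different php.ini to each.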