• Resolved markisu72

    (@markisu72)


    Hi,

    can you kindly work around using shell_exec and getmyuid in your plugin?
    Some providers (especially those who take security seriously) have deactivated those functions (which I completely support), and actually no other professional plugin in the world relies on these functions, due to security reasons.

    E.g. also some providers being owned by the mother company of your own recommended provider (nominalia) have disabled those two functions.

    Frankly, a plugin related to drop-shipping should not rely on the shop owners to take care of system security themselves, even though the physical hardware requirements are met.

    Please, get rid of these security issues.
    This is hampering system security in general, if you require them to be active – your plugin is not alone there.

    Thanks
    Markus

    • This topic was modified 9 months, 3 weeks ago by markisu72.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter markisu72

    (@markisu72)

    Hi guys,

    I checked your code and there are basically only two places where they are being used.

    Firstly, for checking whether a directory has the same user as the plugin user. This is not needed – if there is an issue with accessing the directory, you can just _test_ it and post the same message.
    Anyway, this is an absolute corner case and in order to just write a more sophisticated error message, does not rectify using getmyuid.

    Secondly, you use shell_exec to execute a shell-find-command in order to find files. This easily can be done (and every other plugin does that) *without* shell_exec and without running shell commands.

    I thought it might be more tricky, but it is not – you can easily get rid of these functions and thus become compatible with all hosters – especially with very security-focused B2B hosters.

    Kindly update your plugin, so that these functions are no longer needed and we can use dedicated machines, which have been properly hardened for security.

    Thx
    Markus
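
The two replacements described in the post above, as an added example that is not part of the original post and is not the plugin's code: an in-process directory walk instead of a `find` run through shell_exec, and a direct write test instead of an owner comparison via getmyuid. The function names, the `*.csv` pattern and the sample tree are assumptions made for illustration.

```php
<?php
// Hypothetical helper: what a shell `find $root -name $pattern` does,
// done in-process so shell_exec can stay disabled.
function find_files(string $root, string $pattern): array
{
    if (!is_dir($root) || !is_readable($root)) {
        return [];
    }
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY,
        RecursiveIteratorIterator::CATCH_GET_CHILD // skip unreadable subdirs
    );
    $matches = [];
    foreach ($walker as $file) {
        if ($file->isFile() && fnmatch($pattern, $file->getFilename())) {
            $matches[] = $file->getPathname();
        }
    }
    sort($matches);
    return $matches;
}

// Hypothetical helper: instead of comparing the directory owner with
// getmyuid(), test the operation itself by creating a probe file.
function dir_is_usable(string $dir): bool
{
    $probe = is_dir($dir) ? @tempnam($dir, 'chk') : false;
    if ($probe === false) {
        return false;
    }
    // tempnam() falls back to the system temp dir when $dir is not writable.
    $inPlace = realpath(dirname($probe)) === realpath($dir);
    @unlink($probe);
    return $inPlace;
}

// Constructed sample tree, built in the system temp directory.
$root = sys_get_temp_dir() . '/demo_' . bin2hex(random_bytes(4));
mkdir("$root/sub", 0700, true);
file_put_contents("$root/a.csv", '');
file_put_contents("$root/sub/b.csv", '');
file_put_contents("$root/sub/c.txt", '');

var_dump(dir_is_usable($root));         // existing, writable directory
print_r(find_files($root, '*.csv'));    // only the two .csv files match
var_dump(dir_is_usable("$root/nope"));  // missing directory
array_map('unlink', find_files($root, '*'));
rmdir("$root/sub"); rmdir($root);
```

Because the pattern is matched by fnmatch() inside PHP, no file name or path ever reaches a shell, so there is nothing to escape and no command-injection surface on this code path.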

    Thread Starter markisu72

    (@markisu72)

    Hi @devsmip,
    any feedback on this?
    In general, the plugin seems to work ok, but these restrictions bind me to a provider I don’t want to be bound to (like many others).

    I’d be glad to support you on getting more positive feedback.
    Thx
    Markus

    Plugin Author BigBuy

    (@devsmip)

    Dear @markisu72

    Thank you for your post and your patience.

    We are working on removing the shell_exec if possible and we are also studying the rest of this feedback.

    We will inform you as soon as possible.

    Thanks again for all your feedback!
    Best regards,

    BigBuy Team

  • The topic ‘Please remove shell_exec, getmyuid from your plugin’ is closed to new replies.