Cannot execute using backquotes in Safe Mode

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

asgerhallas
Forum Commoner
Posts: 80
Joined: Tue Mar 14, 2006 11:11 am
Location: Århus, Denmark

Post by asgerhallas »

Hey,

I try to execute the imagemagick convert function in my script like this:

Code:

shell_exec("/usr/local/bin/safe/convert test.jpg test.png");

But I get the Warning:

shell_exec(): Cannot execute using backquotes in Safe Mode in...

Safe Mode's on, but my directive safe_mode_exec_dir is set to /usr/local/bin/safe and a symlink to convert is placed there.

Shouldn't I be able to execute that command? Can anybody tell me what I'm doing wrong?

/Asger
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

AFAIK you can't use ImageMagick in Safe Mode; however, GD should work.

EDIT: Ask your host about adding ImageMagick to safe_mode_exec_dir.
asgerhallas
Forum Commoner
Posts: 80
Joined: Tue Mar 14, 2006 11:11 am
Location: Århus, Denmark

Post by asgerhallas »

Ok, but I get the same warning no matter what program I try to run from that directory... If I can't run any programs, what's the safe_mode_exec_dir directive for then?

EDIT: My host has already placed a symlink to ImageMagick's convert in the safe_mode_exec_dir!
Last edited by asgerhallas on Thu Mar 16, 2006 11:09 am, edited 1 time in total.
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

From: http://us3.php.net/manual/en/features.safe-mode.php

safe_mode_exec_dir string

If PHP is used in safe mode, system() and the other functions executing system programs refuse to start programs that are not in this directory. You have to use / as directory separator on all

It should allow you to execute the ImageMagick programs. safe_mode_exec_dir is PHP_INI_SYSTEM and can only be set in php.ini or httpd.conf.

EDIT:
"My host has already placed a symlink to the program in the safe_mode_exec_dir!"
Whoops, missed that.
asgerhallas
Forum Commoner
Posts: 80
Joined: Tue Mar 14, 2006 11:11 am
Location: Århus, Denmark

Post by asgerhallas »

Here's my phpinfo...

http://www.asgerhallas.dk/imageclass/info.php

If that helps...
asgerhallas
Forum Commoner
Posts: 80
Joined: Tue Mar 14, 2006 11:11 am
Location: Århus, Denmark

Post by asgerhallas »

Well...

When I do this:

Code:

echo exec("convert");

It actually runs without problems and echoes the last line of output.
What's the difference between exec and shell_exec when it comes to safe mode?

The next strange thing is now that I try this:

Code:

exec("convert test.jpg test.png");

nothing happens... no output, no conversion... nothing...

Any clue anyone?

EDIT: Just until I set the writing permission for the directory :oops:
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

Try using the full file paths for the images.
asgerhallas
Forum Commoner
Posts: 80
Joined: Tue Mar 14, 2006 11:11 am
Location: Århus, Denmark

Post by asgerhallas »

Got it now via exec(), still can't make it through the safe mode via shell_exec()... but that's ok with me.

Thanks for your help!!!
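Added example, not part of the original thread: the PHP manual documents shell_exec() and the backtick operator as disabled outright when safe mode is on, while exec() is only restricted to programs in safe_mode_exec_dir, which matches what the posters saw. The sketch below pulls the thread's findings together (exec(), full image paths, a writable target directory) and checks the exit status instead of failing silently. The function name convert_image is hypothetical, and the binary path is the one from the first post.

```php
<?php
// Added example; convert_image() is a hypothetical helper, not code from the thread.
// Path of the convert symlink inside safe_mode_exec_dir, as given in the first post.
define('CONVERT_BIN', '/usr/local/bin/safe/convert');

// Returns array(bool $ok, string $detail).
function convert_image($src, $dst)
{
    // Resolve the source to a full path, as suggested in the thread.
    $srcReal = realpath($src);
    if ($srcReal === false || !is_file($srcReal) || !is_readable($srcReal)) {
        return array(false, "source not readable: $src");
    }

    // The silent failure in the thread: the target directory was not writable.
    $dstDir = realpath(dirname($dst));
    if ($dstDir === false || !is_writable($dstDir)) {
        return array(false, 'destination directory not writable: ' . dirname($dst));
    }
    $dstFull = $dstDir . DIRECTORY_SEPARATOR . basename($dst);

    // Quote each argument so a file name cannot introduce shell syntax.
    $cmd = CONVERT_BIN . ' ' . escapeshellarg($srcReal) . ' ' . escapeshellarg($dstFull);

    // exec() fills $output with the command's stdout lines and $status with its exit code.
    $output = array();
    $status = -1;
    exec($cmd, $output, $status);

    if ($status !== 0 || !is_file($dstFull)) {
        return array(false, "convert exited with status $status: " . implode("\n", $output));
    }
    return array(true, $dstFull);
}

// Constructed sample call using the file names from the thread.
list($ok, $detail) = convert_image('test.jpg', 'test.png');
echo $ok ? "written: $detail\n" : "error: $detail\n";
```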