Viewing 11 replies - 1 through 11 (of 11 total)
  • Plugin Author nosilver4u

    (@nosilver4u)

    There are two ways for PHP to run command-line programs: “exec” and “system”, which does nearly the same thing except it also displays the output. It is certainly a security concern, and for that reason the options page should be restricted to WordPress admins, and perhaps I need to have a bit more error-checking built into the plugin to make sure folks aren’t executing arbitrary command-line code on the servers. I was getting nearly ready to release 1.0.7, but I’ll hold off until I can add in the extra protection. If it isn’t out tonight, it’ll be later this week, as I’m done with my paternity leave tomorrow.

    Thread Starter Julian Fernandes

    (@hitoriix)

    Hummm… now that is a big decision. Get exec out of restriction and hope other plugins don’t have security issues, or disable EWWW Image Optimizer and stay with crappy images… I mean, I can optimize them locally, but my writers never do it…

    Guess I will keep EWWW and hope other plugins don’t have security issues haha

    Plugin Author nosilver4u

    (@nosilver4u)

    If you’re worried about exec, I think you might want to screen every plugin you install just to see if they are using exec. The rgrep command would do that for you. Something like this:

    `rgrep exec /yourwebfolder/wp/wp-content/plugins/`

    or if you don’t have rgrep, this does the same thing:

    `grep -r exec /yourwebfolder/wp/wp-content/plugins/`

    Could probably even write it into a cronjob to e-mail the results of that command every so often, just to make sure you don’t miss any.
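    A slightly more selective version of that audit, added here as an example and not part of the thread or of the EWWW plugin: a plain `grep exec` also flags `curl_exec()` and a JavaScript regex `.exec()`, neither of which spawns a process. The script below limits the search to `*.php` files, covers the whole family of PHP functions that hand a string to the operating system, and rejects matches preceded by `_`, `.`, `$` or `>` so `curl_exec`, `rfxnum.exec` and `$obj->exec()` are skipped. It assumes only standard `grep` and that you pass it the plugins directory.

```shell
#!/bin/sh
# Audit a WordPress plugins directory for PHP calls that run OS commands.
# Added example (not the thread's or the plugin's code). Assumes GNU-style
# grep with -r and --include, and that $1 is the plugins directory.

# PHP functions that pass a string to the OS to execute. curl_exec() and
# the JS RegExp .exec() method are not in this set and are filtered out by
# the prefix class in the pattern below.
EXEC_FUNCS='exec|system|passthru|shell_exec|popen|proc_open|pcntl_exec'

# Print "file:line:code" for each call in *.php files. The leading
# character class refuses a preceding '_' (curl_exec), '.' (rfxnum.exec),
# '$' (a variable named $exec) or '>' ($obj->exec()).
audit_exec_calls() {
  plugin_dir=$1
  grep -rnE --include='*.php' \
    "(^|[^A-Za-z0-9_.\$>])(${EXEC_FUNCS})[[:space:]]*\(" "$plugin_dir" 2>/dev/null
}

# Number of matching lines, so a cron job can skip the e-mail when it is 0.
count_exec_calls() {
  audit_exec_calls "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: ./audit.sh /yourwebfolder/wp/wp-content/plugins/
if [ -n "$1" ]; then
  audit_exec_calls "$1"
  echo "total: $(count_exec_calls "$1")"
fi
```

    Note that PHP's backtick operator (`` `cmd` ``) also runs a command and is not caught by this pattern; if you want it covered, add a second grep for a backtick inside a PHP string. Running this from cron as the thread suggests works with something like `count_exec_calls` gating a `mail` call.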

    Plugin Author nosilver4u

    (@nosilver4u)

    Also, here’s my plans (so far), let me know if you think this sounds reasonable.

    First, I’m going to change the optipng level to a drop-down list, so users can’t type in arbitrary values or add in extra commands.

    Second, the plugin will check the paths entered by the user for the various utilities (as much as we can) to try and ensure they aren’t using the fields to execute arbitrary commands, and can’t include additional arguments.

    Lastly, I’m thinking about restricting where they can install the utilities. Specifically, I will have the plugin check to see if the binaries are within the web-accessible folder, and throw an error if they are. Not sure on this one exactly, but I think it’s generally recommended to have executables that PHP is running outside of the web folder. The idea is that if someone manages to hack your site and upload a file to your web folder, they can’t use the plugin to execute it.

    Let me know if you can think of additional precautions, or if you find other resources on what to be careful of when using exec().
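    The three precautions above, written out as checks an administrator could run against a configured tool path before saving it. This is an added example, not the plugin's code (the plugin does this in PHP); the web root and tool paths are whatever the caller passes in, and the allowed optipng levels 0 through 7 are assumed from optipng's `-o` range.

```shell
#!/bin/sh
# Validation mirroring the plan above, as POSIX shell functions.
# Added example, not the plugin's own code. Assumes: $WEBROOT-style paths
# are absolute, and a tool path must be a single plain executable path.

# 1. Optimization level: fixed allowlist, never free text.
valid_optipng_level() {
  case $1 in
    0|1|2|3|4|5|6|7) return 0 ;;
    *) return 1 ;;
  esac
}

# 2. Tool path: absolute, no characters that could add arguments or a
#    second command, no traversal, and it must be an executable file.
safe_tool_path() {
  p=$1
  case $p in
    /*) ;;
    *) return 1 ;;                    # relative paths depend on PATH or CWD
  esac
  case $p in
    *[!A-Za-z0-9_./-]*) return 1 ;;   # space ; | & $ quotes backticks ...
  esac
  case $p in
    *..*) return 1 ;;                 # no ".." segments
  esac
  [ -f "$p" ] && [ -x "$p" ]          # must exist and be executable
}

# 3. Binary must not live under the web-accessible folder.
outside_webroot() {
  webroot=${1%/}
  p=$2
  case $p in
    "$webroot"/*) return 1 ;;
    *) return 0 ;;
  esac
}

# check_tool WEBROOT PATH -> prints "ok" or the reason for rejection.
check_tool() {
  if ! safe_tool_path "$2"; then
    echo "rejected: not a plain absolute executable path"
    return 1
  fi
  if ! outside_webroot "$1" "$2"; then
    echo "rejected: binary is inside the web root"
    return 1
  fi
  echo ok
}

# Stand-alone usage: ./check_tool.sh /var/www/html /usr/bin/optipng
if [ -n "$2" ]; then
  check_tool "$1" "$2"
fi
```

    One caveat a practitioner would add: `outside_webroot` compares strings, so a symlink outside the web root that points to an uploaded file inside it would pass. Resolving the path first (for example with `readlink -f`, where available) closes that gap.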

    Thread Starter Julian Fernandes

    (@hitoriix)

    Did the command, and I think yours is the only one using it 🙂

    Unless this “rfxnum.exec” is also exec… I also saw an “if function exists curl_exec” on a backup plugin, but I don’t think that counts? I mean… if there is an if, there is an else, right?

    About the precautions, I liked it 🙂

    Plugin Author nosilver4u

    (@nosilver4u)

    So far as I know, rfxnum.exec is probably just the name chosen by someone for a function to ‘execute’ a particular portion of PHP code. I’ve worked with curl before, and curl_exec is the command that actually goes and retrieves a web page after you’ve supplied it with various options. Not at all related to the exec() command, so I think you’re definitely safe on all the others.

    Thread Starter Julian Fernandes

    (@hitoriix)

    Great (:
    On a side note not related to this particular subject, how do I use optipng so it will optimize all images inside a folder?

    I ask because I have been caching gravatars, but gravatar.com doesn’t optimize them… so.

    Plugin Author nosilver4u

    (@nosilver4u)

    Not sure, you’d want to look for a shell script that would process all the files in a folder, then you could adapt that to run the optipng command over on the FAQ against each image.

    Thread Starter Julian Fernandes

    (@hitoriix)

    Yeah, just found one on Github (:
    Thanks again man!

    Plugin Author nosilver4u

    (@nosilver4u)

    Released version 1.0.7 to address security concerns

    Thread Starter Julian Fernandes

    (@hitoriix)

    Updated yesterday 🙂
    Must say, your plugin + CloudFlare Pro image optimization = awesome.

    Thank you for this awesome plugin 🙂

  • The topic ‘[Plugin: EWWW Image Optimizer] Function "exec" being used’ is closed to new replies.