EWWW Image Optimizer
[resolved] exec calls should use escapeshellarg (6 posts)

  1. Artem Livshits
    Member
    Posted 1 year ago #

    exec calls should use the escapeshellarg function to escape arguments, so that paths and names won't get interpreted by the shell and lead to confusion or even security issues (shell injection).

    Here is an example of the patch for jpg optimization code (other exec calls need to be fixed in a similar manner):

    --- a/wordpress/wp-content/plugins/ewww-image-optimizer/ewww-image-optimizer.php
    +++ b/wordpress/wp-content/plugins/ewww-image-optimizer/ewww-image-optimizer.php
    @@ -1747,9 +1747,9 @@ function ewww_image_optimizer($file, $gallery_type, $converted, $resize) {
     					$copy_opt = 'all';
     				}
     				// run jpegtran - non-progressive
    -				exec("$nice " . $tools['JPEGTRAN'] . " -copy $copy_opt -optimize -outfile $tempfile $file");
    +				exec("$nice " . $tools['JPEGTRAN'] . " -copy $copy_opt -optimize -outfile " . escapeshellarg($tempfile) . " " . escapeshellarg($file));
     				// run jpegtran - progressive
    -				exec("$nice " . $tools['JPEGTRAN'] . " -copy $copy_opt -optimize -progressive -outfile $progfile $file");
    +				exec("$nice " . $tools['JPEGTRAN'] . " -copy $copy_opt -optimize -progressive -outfile " . escapeshellarg($progfile) . " " . escapeshellarg($file));
     				// check the filesize of the non-progressive JPG
     				$non_size = filesize($tempfile);
     				// check the filesize of the progressive JPG
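
    Review bot: On both added exec lines, `$tools['JPEGTRAN']` is still concatenated into the command string unquoted, so a tool path containing a space or other shell-significant character would still be split or interpreted by the shell; pass it through escapeshellarg() like `$tempfile`, `$progfile` and `$file`. Separately, the context lines call `filesize($tempfile)` straight after exec() with no check that jpegtran succeeded; capturing the exit status via exec()'s third parameter and skipping the size comparison on failure would avoid comparing against a missing or empty output file.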

    http://wordpress.org/plugins/ewww-image-optimizer/

  2. nosilver4u
    Member
    Plugin Author

    Posted 1 year ago #

    I've worked through this with some core WordPress devs in the past, but you bring it up again at an opportune time.

    As far as security goes, there is no threat here, as we take extensive measures to make sure that the image we are dealing with is, in fact, an image, and the user is not permitted to modify the paths at any point.

    Your other concern about odd characters messing up the shell seems plausible though. In the past, this was not an issue, since the 'args' are simply file paths that WP has generated, and WP pretty much takes care of any weirdness for us (so far as I've seen). However, recent developments are making this much more of a real concern, since we will be attempting to optimize any folder that the user provides within the root WP folder (again after extensive validation). Validation aside, it is possible that the user has manually uploaded images with 'odd' characters, or that some other plugin may not be using the built-in WP filename generation functions. I'll work on this for the next release, and we'll kill the security concerns at the same time.

  3. Artem Livshits
    Member
    Posted 1 year ago #

    Verified as fixed in 1.7. Thank you!

  4. Cavor
    Member
    Posted 1 year ago #

    Since the last version (1.7.1), I have this problem with WordPress Popular Posts, never before...

    Warning: escapeshellarg() has been disabled for security reasons in /wp-content/plugins/ewww-image-optimizer/ewww-image-optimizer.php on line 1806

    Warning: escapeshellarg() has been disabled for security reasons in /wp-content/plugins/ewww-image-optimizer/ewww-image-optimizer.php on line 1808

  5. Cavor
    Member
    Posted 1 year ago #

    I have deleted escapeshellarg from the disable_functions list in my php.ini and now it works, sorry for this message ;-)

  6. nosilver4u
    Member
    Plugin Author

    Posted 1 year ago #

    Yeah, you definitely don't want that function disabled, as it is a security mechanism, not a security risk.
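
The two issues raised in this thread (file names with odd characters reaching the shell, and hosts that list escapeshellarg in disable_functions) can be handled together, as in this added example, which is not the plugin's code. All function names, paths and file names below are hypothetical and constructed for illustration.

```php
<?php
// Added example, not EWWW Image Optimizer code; all names are hypothetical.

// True when a function exists and is not listed in php.ini disable_functions.
// PHP 8 removes disabled functions entirely; older versions keep a stub that
// only emits the "has been disabled for security reasons" warning.
function example_function_usable(string $name): bool {
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return function_exists($name) && !in_array($name, $disabled, true);
}

// Builds a jpegtran command line with every variable part quoted for the shell.
// Returns null when quoting is unavailable or an option is unexpected, so the
// caller skips optimization instead of running an unquoted command.
function example_build_jpegtran_cmd(string $jpegtran, string $copy_opt,
        string $outfile, string $infile, bool $progressive = false): ?string {
    if (!example_function_usable('escapeshellarg')) {
        return null;
    }
    // Allow-list the -copy value rather than interpolating it blindly.
    if (!in_array($copy_opt, ['none', 'comments', 'all'], true)) {
        return null;
    }
    // Quoting does not stop a name beginning with '-' from being read as an
    // option by the tool itself, so require absolute paths for the files.
    if ($outfile === '' || $infile === '' || $outfile[0] !== '/' || $infile[0] !== '/') {
        return null;
    }
    $parts = [escapeshellarg($jpegtran), '-copy', $copy_opt, '-optimize'];
    if ($progressive) {
        $parts[] = '-progressive';
    }
    array_push($parts, '-outfile', escapeshellarg($outfile), escapeshellarg($infile));
    return implode(' ', $parts);
}

// Constructed sample: a manually uploaded file whose name contains a space,
// an apostrophe and a semicolon.
$cmd = example_build_jpegtran_cmd(
    '/usr/bin/jpegtran', 'all',
    '/var/www/uploads/tmp out.jpg', "/var/www/uploads/it's; odd name.jpg"
);
if ($cmd === null) {
    echo "skipping optimization: command could not be built safely\n";
} else {
    echo $cmd, "\n"; // pass to exec($cmd, $output, $status) and check $status
}
```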

Topic Closed

This topic has been closed to new replies.