View Issue Details

ID: 0009114
Project: mantisbt
Category: other
View Status: public
Last Update: 2009-01-15 11:27
Reporter: GregorK
Assigned To: grangeway
Priority: normal
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.1.1
Fixed in Version: 1.2.0a3
Summary: 0009114: SYSTEM WARNING: escapeshellcmd() has been disabled for security reasons
Description

Appears when submitting notes or updates to a bug report.

Steps To Reproduce

Add escapeshellcmd to disable_functions in php.ini, which is quite commonly set on hosted servers for security reasons and recommended by various security sites.

Add some bug notes.

Additional Information

http://www.mantisbt.org/forums/viewtopic.php?f=3&t=4353

Tags: No tags attached.

Activities

giallu

2008-04-28 06:28

reporter   ~0017707

From a quick grep in the sources:


grep escapeshellcmd * -r
core/phpmailer/class.phpmailer.php: $sendmail = sprintf("%s -oi -f %s -t", escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
core/phpmailer/class.phpmailer.php: $sendmail = sprintf("%s -oi -t", escapeshellcmd($this->Sendmail));

so it seems the culprit is in the phpmailer code.

Hopefully, we can get rid of that class in the near future...

jehy

2008-12-17 12:13

reporter   ~0020384

Still not fixed in 1.1.6 !!!

giallu

2008-12-19 18:35

reporter   ~0020436

And I doubt we will fix this in 1.1.x, because replacing phpmailer is too risky a change on the stable branch.

If you are having this issue, you can work around it by using one of the alternative mail methods.

grangeway

2008-12-20 17:38

reporter   ~0020440

Have added a check for this case to check.php

If phpmailer method is sendmail and escapeshell* is disabled, throw up an error.

Paul
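
One way to write the kind of check described in the last note, as an added example that is not MantisBT's check.php code. The function names and the method strings ('sendmail', 'smtp') are hypothetical, and the php.ini values are constructed samples.

```php
<?php
// Added example: function names and method strings are hypothetical,
// not taken from MantisBT's check.php.

// Split a disable_functions value into lowercase function names.
// Commas and whitespace are both accepted as separators.
function parse_disabled_functions(string $ini_value): array
{
    return preg_split('/[\s,]+/', strtolower($ini_value), -1, PREG_SPLIT_NO_EMPTY);
}

// Return the escapeshell* functions that the sendmail method calls but that
// php.ini has disabled. An empty array means the configuration is usable.
function sendmail_blockers(string $mail_method, string $ini_value): array
{
    if ($mail_method !== 'sendmail') {
        return []; // the check in this thread applies to the sendmail method only
    }
    $required = ['escapeshellcmd', 'escapeshellarg'];
    $disabled = parse_disabled_functions($ini_value);
    return array_values(array_intersect($required, $disabled));
}

// Constructed sample values, as a hosting provider might set them.
$samples = [
    ['sendmail', 'exec, system, escapeshellcmd'],
    ['sendmail', 'exec,passthru'],
    ['smtp',     'escapeshellcmd,escapeshellarg'],
    ['sendmail', ''],
];
foreach ($samples as [$method, $ini]) {
    $blocked = sendmail_blockers($method, $ini);
    printf("%-8s disable_functions=\"%s\" => %s\n", $method, $ini,
        $blocked ? 'ERROR: disabled ' . implode(', ', $blocked) : 'ok');
}

// On a live server the second argument comes from the running configuration.
$live = sendmail_blockers('sendmail', (string) ini_get('disable_functions'));
echo $live
    ? 'sendmail method unusable here: ' . implode(', ', $live) . " disabled\n"
    : "sendmail method usable here\n";
```

Running the check at install or upgrade time reports the conflict once, instead of a SYSTEM WARNING on every note submission.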