Problem with DA-PEAR

nimafire

Hello.
I have installed it, but when I want to use it:

Notice: Undefined variable: output in /usr/local/directadmin/plugins/pear/user/index.html on line 29
Warning: exec() has been disabled for security reasons in /usr/local/directadmin/plugins/pear/user/index.html on line 29
Notice: Undefined variable: output in /usr/local/directadmin/plugins/pear/user/index.html on line 30
 
So you're writing that Pear requires exec() enabled and you don't want to enable exec() so you can't run Pear, but you want to run Pear, but ...

How many times should we go around in this circle :) ?

Jeff
 
Well, I think that a Pear DA plugin shouldn't require the exec() function; I don't see any reason for it.
Any developer should avoid using functions at VERY high security risk if they can.

I don't have that plugin, but if you paste line 29 of /usr/local/directadmin/plugins/pear/user/index.html I will be happy to find any valuable replacement, if possible.

My 2 cents.
 
You can download it from our website. Actually we can modify the plugin to use its own php.ini, just like other plugins of ours. But as not many users use it and report bugs to us, we have not updated it for a long time.

Sounds like you are an experienced developer. Except for calling pear from the command line, please suggest any other method to find the installed pear packages as well as listing the detailed info of a specific package.
 
I downloaded the plugin and saw that you just need to enumerate the installed packages and retrieve their info data.

Exactly as this program does (together with many other things): http://pear.php.net/package/PEAR_Frontend_Web/download

I've searched for any occurrence of "exec", "shell", "system" or "popen" in that code:
Code:
tillo@pctillo ~/PROGRAMMI/PEAR_Frontend_Web-0.7.3 $ grep -R -e popen -e exec -e shell -e system .
./pearfrontendweb.php:    // TODO: doesn't work yet ! There is no way to find the system config
tillo@pctillo ~/PROGRAMMI/PEAR_Frontend_Web-0.7.3 $
As you can see, they have been concerned about security.

The bottom line is that it is perfectly possible to retrieve any information (AND execute any command, like build/install/remove) about PEAR packages through their exporting library: see this in the main php file:
Code:
require_once 'PEAR/Frontend.php';
require_once 'PEAR/Command.php';

Unfortunately I've no time to help you more than that :( sorry.
I hope (for nimafire) that you will take a moment to make the script non-dependent on exec().

Oh, and another interesting thing:
Code:
tillo@less:~$ file /usr/local/php5/bin/pear
/usr/local/php5/bin/pear: Bourne shell script text executable
tillo@less:~$ tail -n 1 /usr/local/php5/bin/pear
exec $PHP -C -q $INCARG -d output_buffering=1 -d variables_order=EGPCS -d open_basedir="" -d safe_mode=0 -d register_argc_argv="On" -d auto_prepend_file="" -d auto_append_file="" $INCDIR/pearcmd.php "$@"
tillo@less:~$ locate pearcmd.php
/usr/local/lib/php/pearcmd.php
The pear binary you are executing... it's just a script launching another PHP script :D maybe you can include that, don't know.
 
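The in-process approach suggested in the post above, as an added example that is not part of the thread or the plugin's own code: it reads the local PEAR registry through the PEAR library, so exec() can stay in disable_functions. It assumes the PEAR library is on the include_path and that the registry directory is readable by the PHP process; the function name is hypothetical.

```php
<?php
// Added example (not the plugin's code): list installed PEAR packages
// without exec(), shell_exec(), system() or popen().
require_once 'PEAR/Config.php';
require_once 'PEAR/Registry.php';

/**
 * Hypothetical helper: returns
 *   array(channel => array(package => array(version, state, summary)))
 * read from the local registry only; nothing is fetched from pear.php.net.
 */
function list_installed_pear_packages()
{
    // Loads pear.conf in-process; no child process is spawned.
    $config   = PEAR_Config::singleton();
    $registry = $config->getRegistry();

    $result = array();
    // listAllPackages() returns array(channel => array(package names)).
    foreach ($registry->listAllPackages() as $channel => $packages) {
        foreach ($packages as $name) {
            $pkg = $registry->getPackage($name, $channel);
            if ($pkg === null) {
                continue; // stale or unreadable registry entry
            }
            $result[$channel][$name] = array(
                'version' => $pkg->getVersion(),
                'state'   => $pkg->getState(),
                'summary' => $pkg->getSummary(),
            );
        }
    }
    return $result;
}

// Plugin output ends up in a browser, so escape everything from the registry.
foreach (list_installed_pear_packages() as $channel => $packages) {
    foreach ($packages as $name => $info) {
        echo htmlspecialchars(
            "$channel/$name {$info['version']} ({$info['state']}): {$info['summary']}",
            ENT_QUOTES
        ), "<br>\n";
    }
}
```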
Thanks for the information.

I have to trace back to the methods in Registry.php.
It loops through /usr/local/lib/php/.registry/, a path that I didn't know frankly, to get the installed packages. It then retrieves information of a specific package from pear.php.net, which is not the way I want.

But if we can specify a custom php.ini, I don't see any reason to do things the hard way. Enabling exec() etc. can be a security issue in a public system and I have never done so in other projects. But the plugin will only be executed within DA and under the user's permission, which implies that he can't do any harm to the server.
 
Thanks for your reply.
So is it safe to install and enable exec() on a shared hosting server?
 