Skip to content

hardening: remove /bin/sh fallback from alert command execution path #257

New issue
New issue
Open
#275
Open
hardening: remove /bin/sh fallback from alert command execution path#257
#275
@somethingwithproof

Description

@somethingwithproof
somethingwithproof
opened on Mar 6, 2026

Summary

Alert command execution currently falls back to shell invocation (/bin/sh) for non-executable first token.

Evidence

functions.php:

  • around 1523-1534
  • around 1583-1594

Behavior:

  • if first token is executable: exec($command, ...)
  • else: exec('/bin/sh ' . $command, ...)

Risk

Expands command-injection/blast-radius profile and makes execution semantics harder to reason about.

Expected fix

  • Remove shell fallback path
  • Execute only explicitly allowed executable/script targets
  • Prefer fixed argv construction over shell command strings
  • Surface clear error when command is invalid

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions