diff --git a/SETUP/ci/check_security.php b/SETUP/ci/check_security.php
index fdf2abe55..f1c95c638 100755
--- a/SETUP/ci/check_security.php
+++ b/SETUP/ci/check_security.php
@@ -7,14 +7,6 @@
$basedir = $argv[1] ?? "../../";
-// List of files that can contain system/exec calls
-// TODO: Likely few or none of these should contain the calls either --
-// opting for Symfony Process() instead -- but this ensures that no
-// others are added from the current set until they get updated.
-$ok_system_calls = [
- "pinc/upload_file.inc",
-];
-
// List of files that can contain mysqli_error() calls
$ok_mysqli_error_calls = [
"pinc/DPDatabase.inc",
@@ -48,7 +40,7 @@
}
// No file should include a system call (use Symfony Process instead)
- if (file_includes_system_call("$basedir/$file") && !in_array($file, $ok_system_calls)) {
+ if (file_includes_system_call("$basedir/$file")) {
abort($file, "file includes system(), exec(), passthru(), shell_exec(), or escapeshellcmd()");
}
diff --git a/pinc/upload_file.inc b/pinc/upload_file.inc
index 1d75bdb2d..21578d1ad 100644
--- a/pinc/upload_file.inc
+++ b/pinc/upload_file.inc
@@ -9,6 +9,8 @@
// with name='uploaded_file' Then validate_uploaded_file()
// can be used to process the upload.
+use Symfony\Component\Process\Process;
+
define("RESUMABLE_UPLOAD_SIZE", 1024 * 1024 * 1024); // 1GB
/**
@@ -262,13 +264,10 @@ function virus_check($file_path, $verbose)
// perform '$antivirus_executable -- ' and expect return
// value = 0. we use -- to not parse any further arguments starting
// with -/-- as options
- $av_test_result = [];
- $av_retval = 0;
-
- $cmd = "$antivirus_executable -- " . escapeshellarg($file_path);
- exec($cmd, $av_test_result, $av_retval);
- // $av_retval == 0 is ok
- if ($av_retval == 1) {
+ $process = new Process([$antivirus_executable, "--", $file_path]);
+ $av_retval = $process->run();
+ $av_test_result = explode("\n", $process->getOutput());
+ if (!$process->isSuccessful()) {
// Log the infected upload so that we can track user/frequency
$reporting_string = "upload_file.inc - Infected upload: " . $av_test_result[0];
error_log($reporting_string);
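Review bot: The new condition `if (!$process->isSuccessful()) {` treats every nonzero exit as an infected upload, whereas the removed test `if ($av_retval == 1) {` only flagged the scanner's "found" status, so a scanner error (missing signature database, unreadable file, or a nonexistent `$antivirus_executable`) would now be logged as "Infected upload" and presumably rejected with the wrong reason; any later branch on `$av_retval` outside this hunk would also become unreachable. Keeping the exit-code comparison on the new API, `if ($process->getExitCode() === 1) {`, preserves the old distinction. Separately, `Process` applies a default timeout of 60 seconds and throws when it is exceeded; with uploads up to RESUMABLE_UPLOAD_SIZE (1GB) a scan can plausibly take longer, so consider `$process->setTimeout(null);` (or an explicit upper bound) before `run()` and handle the timeout exception rather than letting it escape. virus_check's body continues outside the hunk.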