Summary
Alert command execution currently falls back to shell invocation (/bin/sh) when the first token of the configured command is not an executable.
Evidence
functions.php:
- around lines 1523-1534
- around lines 1583-1594
Behavior:
- if the first token is executable: exec($command, ...)
- else: exec('/bin/sh ' . $command, ...)
Risk
Expands the command-injection and blast-radius profile: any configured command string that does not start with an executable is handed to a shell, so shell metacharacters in it are interpreted. It also makes execution semantics harder to reason about, since the same string can be run two different ways.
Expected fix
- Remove shell fallback path
- Execute only explicitly allowed executable/script targets
- Prefer fixed argv construction over shell command strings
- Surface a clear error when the command is invalid instead of silently switching to a shell
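As an added illustration of the expected fix (this is not code from functions.php or the project), the dispatcher below rejects anything that is not an allowlisted executable, builds argv itself, and spawns the target directly without /bin/sh; the allowlist paths and function names are assumed for the example.

```php
<?php
// Added example, not code from functions.php: direct execution of allowlisted
// alert targets with argv, replacing the exec('/bin/sh ' . $command) fallback.
// The allowlist paths below are assumed for illustration.

const ALERT_COMMAND_ALLOWLIST = [
    '/usr/local/bin/alert-mail',
    '/usr/local/bin/alert-webhook',
];

/**
 * Turn a configured command string into argv with no shell semantics.
 * Shell metacharacters are rejected rather than interpreted, so no token
 * can ever be handed to /bin/sh; the first token must be an allowlisted,
 * executable file.
 */
function alert_command_argv(string $command): array
{
    if (preg_match('/[`$;|&<>(){}\'"\\\\\r\n]/', $command) === 1) {
        throw new InvalidArgumentException('alert command contains shell metacharacters');
    }
    $argv = preg_split('/\s+/', trim($command), -1, PREG_SPLIT_NO_EMPTY);
    if ($argv === []) {
        throw new InvalidArgumentException('alert command is empty');
    }
    if (!in_array($argv[0], ALERT_COMMAND_ALLOWLIST, true)) {
        throw new InvalidArgumentException('alert command target not allowed: ' . $argv[0]);
    }
    if (!is_file($argv[0]) || !is_executable($argv[0])) {
        throw new RuntimeException('alert command target not executable: ' . $argv[0]);
    }
    return $argv;
}

/** Run the validated argv directly; returns [exit code, stdout]. */
function run_alert_command(string $command): array
{
    $argv = alert_command_argv($command);   // throws instead of falling back to a shell
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    // Array form of proc_open (PHP >= 7.4) spawns the target directly, not via /bin/sh.
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start alert command');
    }
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return [proc_close($proc), $stdout];
}
```

With this shape, a misconfigured or tampered command string produces a logged exception rather than a shell invocation, which is also the event a detection rule should key on.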