Skip to Content
avatar image
Former Member

FM SUBST_GET_FILE_LIST no longer available in Release 702 ?

We are in the process of upgrading to ECC 6 Release 702. In the new release, the standard Function Module SUBST_GET_FILE_LIST (which is used to get a list of files on an application server directory), has all its code commented out and replaced by a single statment "raise ACCESS_ERROR".

There is an SAP "security" note 1555144 which mentioned FM SUBST_GET_FILE_LIST as a security risk and recommends that FM SUBST_GET_FILE_LIST be disabled using the "raise ACCESS_ERROR" statement. However, there seems to be no mention of an alternative FM or method that can be used to work around the security issue. There is really nothing to stop us from creating our own custom Z version of the FM, but then the security issue will still be there.

Has anyone else out there come across this issue and if so what was your approach in working around this ?

Thanks in advance.


Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

2 Answers

  • Best Answer
    avatar image
    Former Member
    Oct 27, 2011 at 01:55 AM





    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Hi all

      Interesting conversation 😊

      We run into this same issue earlier this year when we did on ERP EHP5 upgrade for our client. At the moment we have a temporary solution to this, but that must replaced soon.

      We asked SAP about this SUBST_GET_FILE_LIST function, and in short the answer was, well, you should not have used it because the status of that function module is Not Released. Fair enough, we really should not have used that since like they said, 'Not Released' basically means it is for internal use and they can and will change those function modules when and how they want, like they just did with this FM.

      So, we asked if they have replacement for that FM. Answer was a reference to a note which tells us what is consulting and what is OSS case, meaning, either that they won't tell or they don't have a replacement.

      We then searched and searched and found few nice candidates for replacement, also the ones mentioned here. But the problem with all of this function modules is the same, the status of them is 'Not Released'. Our client does not want to replace one burned function module with another 'Not Released' function module (and to be honest, neither do I), so we are in a limbo at the moment.

      We do have some ideas (create our own function module which would use external command the read files etc.) but I really find it strange that there does not seem to be an official solution for this. Well, maybe when more and more clients upgrade to Netweaver 7.02, maybe then something happens.


  • May 28, 2013 at 04:43 AM

    I'm in almost the same situation now, the difference being that I still have the f.m. active.

    I used it precisely after finding out that EPS_GET_DIRECTORY_LISTING did those authority checks. I had a couple of other alternatives but as it has also been mentioned, those don't provide an option to filter out the results from the start. They get ALL the files and afterwards filter by pattern, which is time consuming.

    Also, all these suffer from the same problem, which is the really short length of the parameters.

    So, did anyone find a better solution / replacement?

    Add comment
    10|10000 characters needed characters exceeded