FORBIDDEN FUNCTIONS: Add shell_exec(), exec(), passthru(), and system()

[sjokkateer]

This PR forbids the use of a considered non-secure function, shell_exec().

Take the following PHP script as an example:

<?php

declare(strict_types=1);

echo shell_exec($_GET['cmd']);

Using the following query string: ?cmd=id

This results in the currently logged-in user's identity being displayed in the browser.
Example taken from: Hacker's Grimoire

With shell_exec() added to the list of forbidden functions, the user would get the following error notification:

 5 | ERROR | The use of function shell_exec() is forbidden (Generic.PHP.ForbiddenFunctions.Found)

As an alternative to these functions Symfony's Process Component can be used.

Although the backtick operator has been forbidden for readability reasons (PR 28), and refers to shell_exec() as alternative, the shell_exec() function is identical and hence poses the same security risk.

[sjokkateer]

Added additional considered non-secure functions: exec(), passthru(), and system() to the same PR.

Their behavior is similar to that of shell_exec() and one can be substituted by the other in the provided example. These functions pose the same security risk and most likely if one gets adopted or rejected, they can all be adopted or rejected.