1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Core PHP Functions?

Discussion in 'Server Configuration and Hosting' started by The Sandman, Feb 25, 2014.

  1. The Sandman

    The Sandman Well-Known Member

    I'm doing the upgrade from XenForo 1.3.0 Beta 4 to Release Candidate 1. This is the first time I'm installing/upgrading XenForo on the new server, and I received the following warning message:

    Which functions does this refer to?
  2. RoldanLT

    RoldanLT Well-Known Member

    You must remove all your disabled function.
  3. RoldanLT

    RoldanLT Well-Known Member

    If I remember correctly, @Mike suggested it before.
  4. Brogan

    Brogan XenForo Moderator Staff Member

    You have just moved servers, hence why you are seeing this now and not for previous 1.3 releases.

    As the message states, enable the PHP functions.
    @MattW should be able to sort that for you.
  5. The Sandman

    The Sandman Well-Known Member

    I did get a message from XenForo when upgrading on the old server as well. It went something like:
    Enabling the functions isn't a problem - I'm just wondering if there is a list of what XenForo considers to be the required core PHP functions for it to work properly.
  6. Brogan

    Brogan XenForo Moderator Staff Member

  7. HittingSmoke

    HittingSmoke Active Member

    Upload a PHPinfo page on your server.

    Either PHP is running in safe mode or there are manually disabled functions in php.ini. The phpinfo output will tell you which this is. Just ctrl+f for safe_mode and disable_functions. You will be able to see exactly what config options are set that disable what functions.

    Depending on your hosting config you may not be able to change this. Some shared hosts force PHP to run with disabled functions in a misguided security precaution.
  8. Brogan

    Brogan XenForo Moderator Staff Member

    No need to upload phpinfo - it's already available from the ACP Tools menu.
  9. whynot

    whynot Well-Known Member

    Where exactly is it?
  10. estranged

    estranged Well-Known Member

    I'm getting the same warning while upgrading and I was thinking about this.

    show_source, system, shell_exec, passthru, exec, popen, proc_open, allow_url_fopen

    These are the disabled php functions on my server and I don't think it is a good idea to enable them on a shared server.

    Which ones does xenforo need exactly in order to function properly?
  11. The Sandman

    The Sandman Well-Known Member

    I spoke with WiredTree and they told me than the only disabled core functions were: curl, enchant, snnp library, pgsql, and system time zone. They apparently believe there is good reason for these to be disabled. Does XenForo require any of these functions to work properly?
    Last edited: Feb 25, 2014
  12. RoldanLT

    RoldanLT Well-Known Member

  13. whynot

    whynot Well-Known Member

    Thank you, it works.
    Just wondering: any visible-clickable link to arrive there?
  14. RoldanLT

    RoldanLT Well-Known Member

    whynot likes this.
  15. p4guru

    p4guru Well-Known Member

    Xenforo needs system function
  16. p4guru

    p4guru Well-Known Member

    Xenforo needs system, shell_exec, passthru, exec
  17. Sheratan

    Sheratan Well-Known Member

    I have shell_exec and exec disables in my dev server yet xenforo running smoothly.
  18. p4guru

    p4guru Well-Known Member

    i'm just searching through xenforo code so that's what i am basing my statement on :)
  19. Stuart Wright

    Stuart Wright Well-Known Member

    I'm getting
    Tim @ Nimbus says these are the only disabled functions in PHP and are disabled by default:
    system, proc_open, parse_ini_file, show_source
    I wish the above message was more specific.
  20. Mike

    Mike XenForo Developer Staff Member

    It simply displays if any functions are disabled. There are no functions that are disabled in the default PHP configuration, though different distributions might disable certain functions.

    For example, your disabled functions are a bit strange:
    • system is similar to running something from the command prompt so I can sort of understand the idea, but there are a ton of other functions that do this too (not to mention that PHP can likely do anything bad itself).
    • proc_open is similar to system, but the other functions that do this mean that disabling is pointless.
    • parse_ini_file does what it says -- disabling this seems equivalent to disabling a function like fgetscsv.
    • show_source is an alias of highlight_file so the disable likely doesn't work for that anyway. Regardless, there's nothing to prevent someone from simply reading the file directly (and running highlight_string if they want highlighting).
    I should also note that I have used these functions before in my career for completely legitimate things. Disabling functions provides no real security, but instead gets in the way of legitimate code.
    Steve F and Floren like this.

Share This Page