1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

XF 1.3 Upgrading to 1.3 - disabled core PHP functions disable_functions in php.ini

Discussion in 'Installation, Upgrade, and Import Support' started by Skylined, Mar 11, 2014.

  1. Skylined

    Skylined Active Member

    I'm updating to v1.3 in a test forum and I've received this message.

    I've contacted my hosting and they told me that they cannot change php.ini settings for security reasons.
    The message clearly says that all PHP functions should be enabled, but I would really like to know if they are all really needed, because that would mean that I would have to switch my hosting, which I've just renewed for a whole year. :(
  2. Brogan

    Brogan XenForo Moderator Staff Member

  3. Skylined

    Skylined Active Member

    Thanks @Brogan, I saw that one, but I have quite a few more disabled functions.

    system, shell, exec, system_exec, shell_exec, mysql_pconnect, passthru, popen, proc_open, proc_close, proc_nice, proc_terminate, proc_get_status, escapeshellarg, escapeshellcmd, eval
  4. Brogan

    Brogan XenForo Moderator Staff Member

    If version 1.2.x currently runs then you should have no problem running 1.3.
    You may however encounter problems with future versions of XenForo, if any of those functions are utilised.
  5. Liam W

    Liam W Well-Known Member

    You should ask your host why eval is blocked... It's a useful function, and can only be used for harm in badly-written scripts.

    I'm also almost certain that it is used in places in XF...

  6. Mike

    Mike XenForo Developer Staff Member

    Unfortunately, I have to say that's a good example of a bad list of disabled functions. There are very valid uses for some of those functions -- XenForo does use at least one of them. Two of those functions are simply string manipulation functions.

    Also the attempt to disable eval is useless as technically eval isn't a function.
  7. Skylined

    Skylined Active Member

  8. Mike

    Mike XenForo Developer Staff Member

    Well, in general you should be fine to continue, but there may be a feature that uses one of those functions in the future. We can't really give a 100% definitive list of the functions used by XenForo (or add-ons) as it's always subject to change. I'd say it's worth keeping it in mind at least.

    Most of those functions relate to executing a command via the command line or executing a separate process. They are attempting to use this function for security, but chances are there are ways around it as is.
  9. Skylined

    Skylined Active Member

    Thanks @Mike. :)

    I'll test 1.3 and look for a new host.
  10. BassMan

    BassMan Well-Known Member

    Same message for server. My host won't enable those functions...:unsure:
  11. Skylined

    Skylined Active Member

    I'm testing right now, and no errors so far...
  12. BassMan

    BassMan Well-Known Member

    I'm testing too. Runs well so far.
  13. HenrikHansen

    HenrikHansen Well-Known Member

    My host says:

    "Unfortunately, I cannot give you that specific information for security reasons. However, you can enable most anything that is not enabled via custom php.ini inside your website. "All PHP functions should be enabled" is very broad. Once installed if there is an option required that is not hopefully the software will let you know. We can then give you the proper instructions on how to enable it".
  14. TSPowerr

    TSPowerr Member

    I got same message but forum seems to run just fine ...
  15. DRaver

    DRaver Active Member

    I found this in my php.ini

    ; This directive allows you to disable certain functions for security reasons.
    ; It receives a comma-delimited list of function names. This directive is
    ; *NOT* affected by whether Safe Mode is turned On or Off.
    ; http://php.net/disable-functions
    disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
    So I must change it to this?
    ;disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
  16. Mike

    Mike XenForo Developer Staff Member

    That would enable all functions, yeah. That particular list doesn't have anything that XF uses as of right now.
  17. DRaver

    DRaver Active Member

    Thank you @Mike . Maybe you can insert a message in the upgrade process that said, what php function must switched off if we make a update.

    Some settings in the PHP.ini serve even security. On security, no one wants to miss.
    Is that possible?
    Degrinch and Kerby like this.

Share This Page