XF 1.3 Upgrading to 1.3 - disabled core PHP functions disable_functions in php.ini

[Skylined]

I'm updating to v1.3 in a test forum and I've received this message.

The following warnings were detected when verifying that your server can run XenForo:

• Your server has disabled core PHP functions via the disable_functions directive in php.ini. Depending on the functions that have been disabled, this may cause unexpected problems in XenForo. All PHP functions should be enabled.

These may affect the proper execution of XenForo at times and should be resolved if possible.

I've contacted my hosting and they told me that they cannot change php.ini settings for security reasons.
The message clearly says that all PHP functions should be enabled, but I would really like to know if they are all really needed, because that would mean that I would have to switch my hosting, which I've just renewed for a whole year.

 

[Paul B]

See Mike's response here: http://xenforo.com/community/threads/core-php-functions.69354/#post-726916

 

[Skylined]

Thanks @Brogan, I saw that one, but I have quite a few more disabled functions.

system, shell, exec, system_exec, shell_exec, mysql_pconnect, passthru, popen, proc_open, proc_close, proc_nice, proc_terminate, proc_get_status, escapeshellarg, escapeshellcmd, eval

 

[Paul B]

If version 1.2.x currently runs then you should have no problem running 1.3.
You may however encounter problems with future versions of XenForo, if any of those functions are utilised.

 

[Liam W]

You should ask your host why eval is blocked... It's a useful function, and can only be used for harm in badly-written scripts.

I'm also almost certain that it is used in places in XF...

Liam

 

[Mike]

Unfortunately, I have to say that's a good example of a bad list of disabled functions. There are very valid uses for some of those functions -- XenForo does use at least one of them. Two of those functions are simply string manipulation functions.

Also the attempt to disable eval is useless as technically eval isn't a function.

 

[Skylined]

Thanks @Brogan and @Liam W


@Mike so best option is to move to a new hosting?

 

[Mike]

Well, in general you should be fine to continue, but there may be a feature that uses one of those functions in the future. We can't really give a 100% definitive list of the functions used by XenForo (or add-ons) as it's always subject to change. I'd say it's worth keeping it in mind at least.

Most of those functions relate to executing a command via the command line or executing a separate process. They are attempting to use this function for security, but chances are there are ways around it as is.

 

[Skylined]

Thanks @Mike.

I'll test 1.3 and look for a new host.

 

[BassMan]

Same message for server. My host won't enable those functions...

 

[Skylined]

I'm testing right now, and no errors so far...

 

[BassMan]

I'm testing right now, and no errors so far...

I'm testing too. Runs well so far.

 

[HenrikHansen]

My host says:

"Unfortunately, I cannot give you that specific information for security reasons. However, you can enable most anything that is not enabled via custom php.ini inside your website. "All PHP functions should be enabled" is very broad. Once installed if there is an option required that is not hopefully the software will let you know. We can then give you the proper instructions on how to enable it".

 

[TSPowerr]

I got same message but forum seems to run just fine ...

 

[DRaver]

I found this in my php.ini

; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
; http://php.net/disable-functions
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,

So I must change it to this?

;disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,

 

[Mike]

That would enable all functions, yeah. That particular list doesn't have anything that XF uses as of right now.

 

[DRaver]

Thank you @Mike . Maybe you can insert a message in the upgrade process that said, what php function must switched off if we make a update.

Some settings in the PHP.ini serve even security. On security, no one wants to miss.
Is that possible?