• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

XF 1.3 Upgrading to 1.3 - disabled core PHP functions disable_functions in php.ini

Skylined

Active member
#1
I'm updating to v1.3 in a test forum and I've received this message.

The following warnings were detected when verifying that your server can run XenForo:
  • Your server has disabled core PHP functions via the disable_functions directive in php.ini. Depending on the functions that have been disabled, this may cause unexpected problems in XenForo. All PHP functions should be enabled.
These may affect the proper execution of XenForo at times and should be resolved if possible.

I've contacted my hosting and they told me that they cannot change php.ini settings for security reasons.
The message clearly says that all PHP functions should be enabled, but I would really like to know if they are all really needed, because that would mean that I would have to switch my hosting, which I've just renewed for a whole year. :(
 

Skylined

Active member
#3
Thanks @Brogan, I saw that one, but I have quite a few more disabled functions.

system, shell, exec, system_exec, shell_exec, mysql_pconnect, passthru, popen, proc_open, proc_close, proc_nice, proc_terminate, proc_get_status, escapeshellarg, escapeshellcmd, eval
 

Brogan

XenForo moderator
Staff member
#4
If version 1.2.x currently runs then you should have no problem running 1.3.
You may however encounter problems with future versions of XenForo, if any of those functions are utilised.
 

Liam W

Well-known member
#5
You should ask your host why eval is blocked... It's a useful function, and can only be used for harm in badly-written scripts.

I'm also almost certain that it is used in places in XF...

Liam
 

Mike

XenForo developer
Staff member
#6
Unfortunately, I have to say that's a good example of a bad list of disabled functions. There are very valid uses for some of those functions -- XenForo does use at least one of them. Two of those functions are simply string manipulation functions.

Also the attempt to disable eval is useless as technically eval isn't a function.
 

Mike

XenForo developer
Staff member
#8
Well, in general you should be fine to continue, but there may be a feature that uses one of those functions in the future. We can't really give a 100% definitive list of the functions used by XenForo (or add-ons) as it's always subject to change. I'd say it's worth keeping it in mind at least.

Most of those functions relate to executing a command via the command line or executing a separate process. They are attempting to use this function for security, but chances are there are ways around it as is.
 

HenrikHansen

Well-known member
#13
My host says:

"Unfortunately, I cannot give you that specific information for security reasons. However, you can enable most anything that is not enabled via custom php.ini inside your website. "All PHP functions should be enabled" is very broad. Once installed if there is an option required that is not hopefully the software will let you know. We can then give you the proper instructions on how to enable it".
 

DRaver

Active member
#15
I found this in my php.ini

Code:
; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
; http://php.net/disable-functions
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
So I must change it to this?
Code:
;disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
 

Mike

XenForo developer
Staff member
#16
That would enable all functions, yeah. That particular list doesn't have anything that XF uses as of right now.
 

DRaver

Active member
#17
Thank you @Mike . Maybe you can insert a message in the upgrade process that said, what php function must switched off if we make a update.

Some settings in the PHP.ini serve even security. On security, no one wants to miss.
Is that possible?