• Resolved kiwi64ajs

    (@kiwi64ajs)


    Hi Guys,

    I’ve recently upgraded from version 3.3.4 to 3.4.3 and now I’m getting warnings:

    Warning: exec() has been disabled for security reasons in <my_virtual_host_dir>/wp-content/plugins/backupwordpress/classes/backup/class-backup-utilities.php on line 55

    Warning: Cannot modify header information – headers already sent by (output started at <my_virtual_host_dir>/wp-content/plugins/backupwordpress/classes/backup/class-backup-utilities.php:55) in <my_virtual_host_dir>/wp-includes/option.php on line 820

    Warning: Cannot modify header information – headers already sent by (output started at <my_virtual_host_dir>/wp-content/plugins/backupwordpress/classes/backup/class-backup-utilities.php:55) in <my_virtual_host_dir>/wp-includes/option.php on line 821

    Looking at the is_exec_available() code it’s the line:

    // Can we issue a simple echo command?
    exec( 'echo backupwordpress', $output, $return );

    That is causing the warning.

    I’ve appended some info from phpinfo() if that is useful.

    Regards

    Alex Shepherd

    disable_functions exec shell_exec system passthru popen virtual show_source pclose
    PHP Version 5.3.10-1ubuntu3.21

    System Linux planck 3.13.0-77-generic #121~precise1-Ubuntu SMP Wed Jan 20 18:02:20 UTC 2016 x86_64
    Build Date Oct 28 2015 01:39:33
    Server API CGI/FastCGI
    Virtual Directory Support disabled
    Configuration File (php.ini) Path /etc/php5/cgi
    Loaded Configuration File /etc/php5/virtual/wellwritten.nz.ini
    Scan this dir for additional .ini files /etc/php5/cgi/conf.d
    Additional .ini files parsed /etc/php5/cgi/conf.d/apc.ini, /etc/php5/cgi/conf.d/curl.ini, /etc/php5/cgi/conf.d/gd.ini, /etc/php5/cgi/conf.d/imagick.ini, /etc/php5/cgi/conf.d/imap.ini, /etc/php5/cgi/conf.d/ioncube.ini, /etc/php5/cgi/conf.d/ldap.ini, /etc/php5/cgi/conf.d/mcrypt.ini, /etc/php5/cgi/conf.d/mysql.ini, /etc/php5/cgi/conf.d/mysqli.ini, /etc/php5/cgi/conf.d/odbc.ini, /etc/php5/cgi/conf.d/pdo.ini, /etc/php5/cgi/conf.d/pdo_mysql.ini, /etc/php5/cgi/conf.d/pdo_odbc.ini, /etc/php5/cgi/conf.d/pdo_pgsql.ini, /etc/php5/cgi/conf.d/pdo_sqlite.ini, /etc/php5/cgi/conf.d/pgsql.ini, /etc/php5/cgi/conf.d/pspell.ini, /etc/php5/cgi/conf.d/recode.ini, /etc/php5/cgi/conf.d/sqlite.ini, /etc/php5/cgi/conf.d/sqlite3.ini, /etc/php5/cgi/conf.d/suhosin.ini, /etc/php5/cgi/conf.d/tidy.ini, /etc/php5/cgi/conf.d/xmlrpc.ini, /etc/php5/cgi/conf.d/xsl.ini
    PHP API 20090626
    PHP Extension 20090626
    Zend Extension 220090626
    Zend Extension Build API220090626,NTS
    PHP Extension Build API20090626,NTS
    Debug Build no
    Thread Safety disabled
    Zend Memory Manager enabled
    Zend Multibyte Support disabled
    IPv6 Support enabled
    Registered PHP Streams https, ftps, compress.zlib, compress.bzip2, php, file, glob, data, http, ftp, zip, phar
    Registered Stream Socket Transports tcp, udp, unix, udg, ssl, sslv3, tls
    Registered Stream Filters zlib.*, bzip2.*, convert.iconv.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk, mcrypt.*, mdecrypt.*

    https://www.ads-software.com/plugins/backupwordpress/

Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Author Tom Willmot

    (@willmot)

    Hey,

    Thanks for reporting this, the error is safe to ignore as the plugin falls back to using pure PHP methods if exec isn’t available. I’ve just committed a fix to ensure that error won’t show, which will get released in the next version of the plugin.

    Thanks!

    Thread Starter kiwi64ajs

    (@kiwi64ajs)

    Ok, I grabbed the changed fixed file from github and it was still complaining so I had to change the code to add the line to set the $return_status variable and set it to 0 and renamed your $return variable to $return_status to make it a bit more obvious

    // Can we issue a simple echo command?
    $output = $return_status = 0; // Added
    @exec( 'echo backupwordpress', $output, $return_status );

    if ( 0 !== $return_status ) {
        return false;
    }

    Now that Warning has gone away but now I have another exec related warning showing in the box at the top of the screen. error :

    BackUpWordPress detected issues with your last backup.
    php: exec() has been disabled for security reasons, <virtual_host_dir>/wp-content/plugins/backupwordpress/classes/backup/class-backup-engine-file-zip.php, 93

    So not out of the exec() woods yet ??

    Regards Alex Shepherd

    Plugin Author Tom Willmot

    (@willmot)

    Good catch on the undefined variables, I’ve fixed that in the PR. You had the default wrong above though, defaulting them to 0 causes the whole function to return true when it should be returning false if the exec call fails. I fixed that in my PR by defaulting to null instead. That’s why you’re seeing further errors.

    I wonder though, by what method is exec actually disabled on your server? If it’s disabled in php.ini with the disable_functions directive then that should be handled above in the is_function_disabled call, you shouldn’t even be hitting the exec( 'echo backupwordpress' ); line. Ideally we’d figure out why is_function_disabled isn’t catching your situation and fix that too.

    Thread Starter kiwi64ajs

    (@kiwi64ajs)

    Ok, I made the change to:

    $output = $return_status = null;

    And yes the errors have gone now.

    I’ll need to check with our system admins to know how the exec() function is being disabled. It’s on a shared Linux hosting cluster so I expect it will be a global setting for all virtual hosts on the servers.

    Looking at the output from one of the WordPress phpinfo plugins it lists info about the INI files and it looks like it’s loading: /etc/php5/virtual/ajsystems.co.nz.ini

    Here is the full output:

    System Linux shark 3.13.0-77-generic #121~precise1-Ubuntu SMP Wed Jan 20 18:02:20 UTC 2016 x86_64
    Build Date Oct 28 2015 01:39:33
    Server API CGI/FastCGI
    Virtual Directory Support disabled
    Configuration File (php.ini) Path /etc/php5/cgi
    Loaded Configuration File /etc/php5/virtual/ajsystems.co.nz.ini
    Scan this dir for additional .ini files /etc/php5/cgi/conf.d
    Additional .ini files parsed /etc/php5/cgi/conf.d/apc.ini, /etc/php5/cgi/conf.d/curl.ini, /etc/php5/cgi/conf.d/gd.ini, /etc/php5/cgi/conf.d/imagick.ini, /etc/php5/cgi/conf.d/imap.ini, /etc/php5/cgi/conf.d/ioncube.ini, /etc/php5/cgi/conf.d/ldap.ini, /etc/php5/cgi/conf.d/mcrypt.ini, /etc/php5/cgi/conf.d/mysql.ini, /etc/php5/cgi/conf.d/mysqli.ini, /etc/php5/cgi/conf.d/odbc.ini, /etc/php5/cgi/conf.d/pdo.ini, /etc/php5/cgi/conf.d/pdo_mysql.ini, /etc/php5/cgi/conf.d/pdo_odbc.ini, /etc/php5/cgi/conf.d/pdo_pgsql.ini, /etc/php5/cgi/conf.d/pdo_sqlite.ini, /etc/php5/cgi/conf.d/pgsql.ini, /etc/php5/cgi/conf.d/pspell.ini, /etc/php5/cgi/conf.d/recode.ini, /etc/php5/cgi/conf.d/suhosin.ini, /etc/php5/cgi/conf.d/tidy.ini, /etc/php5/cgi/conf.d/xmlrpc.ini, /etc/php5/cgi/conf.d/xsl.ini

    I’ll confirm what is going on with the system admins as yes it would be good if this could be detected correctly using the library calls.

    Regards

    Alex Shepherd

    Thread Starter kiwi64ajs

    (@kiwi64ajs)

    Ok here is some more info:

    The file /etc/php5/cgi does NOT define any functions – here is the section:

    ; This directive allows you to disable certain functions for security reasons.
    ; It receives a comma-delimited list of function names. This directive is
    ; *NOT* affected by whether Safe Mode is turned On or Off.
    ; https://php.net/disable-functions
    disable_functions =

    The file: /etc/php5/virtual/ajsystems.co.nz.ini DOES define several functions:

    disable_functions = exec shell_exec system passthru popen virtual show_source pclose

    However, I do note the comment says “receives a comma-delimited list of function names” whereas this list is space delimited. So I’m now following up on this as it may well be the cause of the problem?

    Thread Starter kiwi64ajs

    (@kiwi64ajs)

    Ok, I confirmed the problem was the missing comma delimiters in the disable_functions line in the INI file.

    Replacing the space delimiters with commas fixed the warning as the library calls can correctly find “exec” in the disable_functions list now. The sys admins are now working to resolve this but this will have been a bug that has been there for many years…

    Alex

    Plugin Author Tom Willmot

    (@willmot)

    We’ll want to add support for space-delimited given it still seemed to cause the functions to be disabled. Opened to track https://github.com/humanmade/backupwordpress/issues/994
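
The delimiter mismatch diagnosed in this thread, as an added example (not part of the thread and not BackUpWordPress's own code): a check that accepts both comma- and space-delimited `disable_functions` values and defaults the exec status to null. The function names are hypothetical, the sample values are constructed from the two ini forms quoted above, and the comma-only split shown for contrast is an assumption about the failing check, which the thread does not show.

```php
<?php
// Hypothetical helper: split a disable_functions value on any run of
// commas and/or whitespace, so both ini forms from the thread parse alike.
function parse_disabled_list( $raw ) {
    $names = preg_split( '/[\s,]+/', (string) $raw, -1, PREG_SPLIT_NO_EMPTY );
    return array_map( 'strtolower', $names );
}

// Hypothetical helper: is $function named in the given ini value?
function is_function_disabled_in( $function, $raw ) {
    return in_array( strtolower( $function ), parse_disabled_list( $raw ), true );
}

function can_use_exec() {
    // Consult the effective ini value first, so exec() is never called
    // (and no warning is emitted) on a host that has disabled it.
    if ( is_function_disabled_in( 'exec', ini_get( 'disable_functions' ) ) ) {
        return false;
    }
    // Default to null, not 0: if exec() fails without writing the status,
    // the strict comparison below must not read as "command succeeded".
    $output        = array();
    $return_status = null;
    @exec( 'echo backupwordpress', $output, $return_status );
    return 0 === $return_status;
}

// Constructed sample values matching the two ini forms in the thread.
$space = 'exec shell_exec system passthru popen virtual show_source pclose';
$comma = 'exec,shell_exec,system,passthru,popen,virtual,show_source,pclose';

// Assumed failure mode: a comma-only split sees the space-delimited value
// as one long name, so a lookup for "exec" misses.
var_dump( in_array( 'exec', explode( ',', $space ), true ) );

// The tolerant parser finds exec in both forms and ignores unlisted names.
var_dump( is_function_disabled_in( 'exec', $space ) );
var_dump( is_function_disabled_in( 'exec', $comma ) );
var_dump( is_function_disabled_in( 'unlink', $space ) );

// Result on the current host.
var_dump( can_use_exec() );
```
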

    Thread Starter kiwi64ajs

    (@kiwi64ajs)

    Hi Guys,

    I just checked version 3.4.5 and neither the space or comma delimited handling nor the extra protections around the exec call made it into the 3.4.5 release as both were really required.

    However I just went and checked the code-base again and it looks like you’ve removed the exec() code and moved to the process() variants to better resolve the issue anyway, so I guess my question is do you have any idea of when this new approach will be ready for release?

    Currently I’m manually editing the code to include the space+comma separate line change which solved my immediate issue but it would be good to get it resolved “properly”

    Thanks for all your work

    Regards

    Alex Shepherd

    Plugin Author Tom Willmot

    (@willmot)

    Hey Alex,

    Unfortunately that fix didn’t make it into the 3.4.5 release, it’ll be in 3.5 though which we’re aiming to release very soon.

  • The topic ‘Warning: exec() has been disabled for security reasons’ is closed to new replies.