• Hi

    I have a problem with the backupwordpress plugin on one specific hosting environment. As soon as I activate the backupwordpress plugin there I get messages like:

    Warning: proc_get_status() has been disabled for security reasons in /home/xxx/domains/www.xxx.com/public_html/wp-content/plugins/backupwordpress/vendor/symfony/process/Process.php on line 1283

    Locally and on another host, it works fine. The hosting environment giving the above messages has the PHP setting ‘disable_functions’ currently set to:

    system,exec,shell_exec,passthru,proc_get_status,proc_nice,proc_terminate,dl,popen,pcntl_exec

    I can try to remove the proc_get_status there, but I would like to know if this is recommended, as I do not have enough knowledge about the consequences (for security or functionality on other parts of the site) and I cannot find anything about this in the plugin instructions or FAQ. Is there a list of functions that should be removed from disable_functions for backupwordpress to work properly?

    By the way, this hosting environment has been there for a long time with different people working on it. So the current settings might have evolved to something not very common/consistent. If there is a recommended list for disable_functions, I would be glad to try that.

    Many thanks to anyone giving me a clue,
    Sandra

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Contributor Katrina “Kat” Moody

    (@katmoody)

    You are right that the proc_get_status is causing the issue here, at least according to some local testing I was able to do. I also know that it didn’t use to cause issues but I am not positive if it might be related to a newer PHP version or not.

    I am not used to disabling some of the other options, though. Can you try enabling them one at a time and seeing which ones impact running the backup?

    Sorry for the lateness in replying and hope this information helps in some way!
    Kat

    Thread Starter sandrab

    (@rozijntje)

    Hi Kat,

    Thanks for your reply, much appreciated!

    I removed ‘proc_get_status’ from the disable_functions setting on this server a while ago to get rid of the warnings and have backupwordpress work properly – keeping my fingers crossed this does not open a security hole.

    But when reading your reply I decided to look a bit further into the code of backupwordpress. I found that the check whether to use the Process class or not is done by checking whether proc_open and proc_close exist (classes\backup\class-backup-utilities.php – get_executable_path()).
    The Process class however not only uses proc_open() and proc_close(), but also proc_get_status().

    Would it not make sense to check on all three proc_ functions then?

    I cannot try to change the disable_functions on the server to test things there, because it is a production site. But I did try on my local development environment what happens when I have both proc_get_status AND proc_open in my disable_functions and, as is to be expected, that solves the warnings as well. The backup then falls back to using the class-backup-engine-database-imysqldump and class-backup-engine-file-zip-archive engines.
    My local box is Windows, so it might behave a bit differently than Unix/Linux here, but I just wondered if you also think that adding a check on proc_get_status might be logical.

    There is also a call to proc_terminate() in the Process class, but I cannot really figure out when this is used or not. And to exec(), which seems to happen only on Windows, but I don’t see anything going wrong when I put just ‘exec’ in the disable_functions on my Windows box. Apparently the function in Process using this exec() call is not reached in my situation.

    I assume the other options I have in disable_functions on the server don’t influence this since I don’t see them in the Process class. Locally I don’t have them, and I did not try them either. Do you agree?
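
The check proposed in the post above, sketched as an added example (not BackUpWordPress code; the `example_*` function names are hypothetical). It tests every proc_ function the thread names in the Process class against the disable_functions value quoted in the first post, so the gap between the two-function and three-function checks is visible without touching a production php.ini.

```php
<?php
// Added example: the example_* names are hypothetical, not BackUpWordPress code.

/** Parse a disable_functions ini value into a list of lowercase names. */
function example_parse_disabled(string $ini): array {
    $names = array_map('trim', explode(',', strtolower($ini)));
    return array_values(array_filter($names, 'strlen'));
}

/**
 * Return the functions from $needed that cannot be called: either listed in
 * disable_functions or not defined at all (for example, a missing extension).
 * Pass $ini to evaluate a captured setting instead of the running config.
 */
function example_unavailable(array $needed, ?string $ini = null): array {
    $disabled = example_parse_disabled($ini ?? (string) ini_get('disable_functions'));
    $blocked  = [];
    foreach ($needed as $fn) {
        if (in_array(strtolower($fn), $disabled, true) || !function_exists($fn)) {
            $blocked[] = $fn;
        }
    }
    return $blocked;
}

// Functions the thread identifies as used by the Process class.
$required = ['proc_open', 'proc_close', 'proc_get_status'];
$optional = ['proc_terminate']; // per the thread, unclear when this is reached

// Value quoted in the first post of this thread.
$host_ini = 'system,exec,shell_exec,passthru,proc_get_status,proc_nice,'
          . 'proc_terminate,dl,popen,pcntl_exec';

$two_fn_check = example_unavailable(['proc_open', 'proc_close'], $host_ini);
$full_check   = example_unavailable($required, $host_ini);
$opt_check    = example_unavailable($optional, $host_ini);

printf("blocked (proc_open + proc_close only): [%s]\n", implode(', ', $two_fn_check));
printf("blocked (all three required):          [%s]\n", implode(', ', $full_check));
printf("blocked (optional):                    [%s]\n", implode(', ', $opt_check));

// Decide on the complete list, so a partly disabled proc_* family selects the
// pure-PHP engines instead of emitting warnings at run time.
echo $full_check ? "Fall back to the PHP-only engines\n" : "Process class is usable\n";
```

Leaving the shell-execution functions disabled and letting the plugin fall back keeps the host's hardening intact; re-enabling a function is only needed if the fallback engines are not acceptable.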

  • The topic ‘proc_get_status() has been disabled for security reasons’ is closed to new replies.