Warning: exec() has been disabled for security reasons

Hey,

Thanks for reporting this, the error is safe to ignore as the plugin falls back to using pure PHP methods if exec isn’t available. I’ve just committed a fix to ensure that error won’t show, which will get released in the next version of the plugin.

Thanks!

Ok, I grabbed the changed fixed file from github and it was still complaining so I had to change the code to add the line to set the $return_status variable and set it to 0 and renamed your $return variable to $return_status to make it a bit more obvious

// Can we issue a simple echo command?
Added-> $output = $return_status = 0;
@exec( ‘echo backupwordpress’, $output, $return_status );

if ( 0 !== $return_status ) {
return false;
}

Now that Warning has gone away but now I have another exec related warning showig in the box at the top of the screen. error :

BackUpWordPress detected issues with your last backup.
php: exec() has been disabled for security reasons, <virtual_host_dir>/wp-content/plugins/backupwordpress/classes/backup/class-backup-engine-file-zip.php, 93

So not out of the exec() woods yet ??

Regards Alex Shepherd

Good catch on the undefined variables, I’ve fixed that in the PR. You had the default wrong above though, defaulting them to 0 causes the whole function to return true when it should be returning false if the exec call fails. I fixed that in my PR by defaulting to null instead. That’s why you’re seeing further errors.

I wonder though, by what method is exec actually disabled on your server? If it’s disabled in php.ini with the disable_functions directive then that should be handled above in the is_function_disabled call, you shouldn’t even be hitting the exec( 'echo backupwordpress' ); line. Ideally we’d figure out why is_function_disabled isn’t catching your situation and fix that too.

Ok, I made the change to:

$output = $return_status = null;

And yes the errors have gone now.

I’ll need to check with our system admins to know how the exec() function is being disabled. It’s on a shared Linux hosting cluster so I expect it will be a global setting for all virtual hosts on the servers.

Looking at the output from one of the WordPress phpinfo plugins it lists info about the INI files and it looks like its loading: /etc/php5/virtual/ajsystems.co.nz.ini

Here is the full output:

System Linux shark 3.13.0-77-generic #121~precise1-Ubuntu SMP Wed Jan 20 18:02:20 UTC 2016 x86_64
Build Date Oct 28 2015 01:39:33
Server API CGI/FastCGI
Virtual Directory Support disabled
Configuration File (php.ini) Path /etc/php5/cgi
Loaded Configuration File /etc/php5/virtual/ajsystems.co.nz.ini
Scan this dir for additional .ini files /etc/php5/cgi/conf.d
Additional .ini files parsed /etc/php5/cgi/conf.d/apc.ini, /etc/php5/cgi/conf.d/curl.ini, /etc/php5/cgi/conf.d/gd.ini, /etc/php5/cgi/conf.d/imagick.ini, /etc/php5/cgi/conf.d/imap.ini, /etc/php5/cgi/conf.d/ioncube.ini, /etc/php5/cgi/conf.d/ldap.ini, /etc/php5/cgi/conf.d/mcrypt.ini, /etc/php5/cgi/conf.d/mysql.ini, /etc/php5/cgi/conf.d/mysqli.ini, /etc/php5/cgi/conf.d/odbc.ini, /etc/php5/cgi/conf.d/pdo.ini, /etc/php5/cgi/conf.d/pdo_mysql.ini, /etc/php5/cgi/conf.d/pdo_odbc.ini, /etc/php5/cgi/conf.d/pdo_pgsql.ini, /etc/php5/cgi/conf.d/pdo_sqlite.ini, /etc/php5/cgi/conf.d/pgsql.ini, /etc/php5/cgi/conf.d/pspell.ini, /etc/php5/cgi/conf.d/recode.ini, /etc/php5/cgi/conf.d/suhosin.ini, /etc/php5/cgi/conf.d/tidy.ini, /etc/php5/cgi/conf.d/xmlrpc.ini, /etc/php5/cgi/conf.d/xsl.ini

I’ll confirm what is going on with the system admins as yes it would be good of this could be detected correctly using the library calls.

Regards

Alex Shepherd

Ok here is some more info:

The file /etc/php5/cgi does NOT define any functions – here is the sections:

; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
; https://php.net/disable-functions
disable_functions =

The file: /etc/php5/virtual/ajsystems.co.nz.ini DOES define several functions:

disable_functions = exec shell_exec system passthru popen virtual show_source pclose

However, I do note the comment says ” receives a comma-delimited list of function names” whereas this list is space delimited. So I’m now following up on this as it may well be the cause of the problem?

Ok, I confirmed the problem was the missing comma delimiters in the disable_functions line in the INI file.

Replacing the space delimiters with commas fixed the warning as the library calls can correctly find “exec” in the disable_functions list now. The sys admins are now working to resolve this but this will have been a bug that has been there for many years…

Alex

We’ll want to add support for space-delimited given it still seemed to cause the functions to be disabled. Opened to track https://github.com/humanmade/backupwordpress/issues/994

Hi Guys,

I just checked version 3.4.5 and neither the space or comma delimited handling or the extra protections around the exec call made it into the 3.4.5 release as both were really required.

However I just went and checked the code-base again and it looks like you’ve removed the exec() code and moved to the process() variants to better resolve the issue anyway, so I guess my question is do you have any idea of when this new approach will be ready for release?

Currently I’m manually editing the code to include the space+comma separate line change which solved my immediate issue but be good to get it resolved “properly”

Thanks for all your work

Regards

Alex Shepherd

Hey Alex,

Unfortunately that fix didn’t make it into the 3.4.5 release, it’ll be in 3.5 though which we’re aiming to release very soon.