Make WordPress Core

Opened 3 years ago

Closed 15 months ago

#54780 closed defect (bug) (invalid)

Site Health Info => Returns a fatal error in php 8.0

Reported by: alfredo49
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 5.8.3
Component: Site Health
Keywords: needs-patch php80
Focuses: administration
Cc:

Description

Hi:
When I click on the Info tab inside the Site Health screen, a fatal error is returned in PHP 8.0

Fatal error: This function has been disabled for security reasons in /usr/home/xxx/web/wp-admin/includes/class-wp-debug-data.php on line 663

When I roll back to PHP 7.4, it works fine

Attachments (2)

Captura de pantalla 2022-01-10 a las 13.38.47.png (55.1 KB) - added by alfredo49 3 years ago.
screenshot-2022-01-10-14-28.png (66.9 KB) - added by sebastienserre 3 years ago.


Change History (13)

#1 @sebastienserre
3 years ago

Hello,

Thank you for reporting.
I unfortunately do not reproduce on PHP 8.0.14.
Do you reproduce with a built-in theme and no plugins?

#2 @alfredo49
3 years ago

hi!

I tried with the default WordPress theme and all the plugins deactivated, and the fatal error persists.

It happens to me on different WordPress pages.

My PHP version is PHP 8.0.13

#3 @SergeyBiryukov
3 years ago

  • Component changed from General to Site Health
  • Focuses administration added

#4 @jrf
3 years ago

  • Keywords php8 added

@alfredo49 This sounds like your webhost is doing something non-standard with the php.ini configuration.

There is nothing which can be done until we know the name of the function which the host has disabled.

Could you check in your hosting admin panel what the value is for the disable_functions ini parameter in the php.ini applicable to your hosting account?

You may also be able to see this by (temporarily) uploading a file with the following contents to your hosting account:

<?php
phpinfo();

Please do make sure you remove that file from your server again as soon as you have finished checking.

#5 @alfredo49
3 years ago

Hi!

No disable_functions in php.ini

disable_functions no value no value

https://ibb.co/7YV7VfD

Line 663 of class-wp-debug-data.php is:

$gs = exec( 'gs --version' );

#6 @jrf
3 years ago

@alfredo49 That's weird. I'd recommend contacting your hosting company as they appear to be doing something iffy in that case.

#7 @alfredo49
3 years ago

Hi @jrf

They confirmed to me that the "exec" function has been disabled in the server for security reasons in PHP 8.

Thxs!

#8 follow-up: @costdev
3 years ago

That's strange. There's a function_exists( 'exec' ) condition to prevent line 663 being hit if exec has been disabled. However, a quick google search suggests that on some hosts, a disabled function can return true for function_exists(), yet cannot be called.

@alfredo49 as a test, can you try adding the following to a file and let us know what the output is?

<?php

echo function_exists( 'exec' ) ? 'Function exists.<br>' : 'Function does not exist.<br>';
echo is_callable( 'exec' ) ? 'Function is callable.' : 'Function is not callable.';

#9 in reply to: ↑ 8 @SergeyBiryukov
3 years ago

Replying to costdev:

That's strange. There's a function_exists( 'exec' ) condition to prevent line 663 being hit if exec has been disabled. However, a quick google search suggests that on some hosts, a disabled function can return true for function_exists(), yet cannot be called.

Related: comment:116:ticket:51857:

Per the comments in the PHP manual, function_exists() should return false for functions disabled via disable_functions setting.

As also noted in comment:3:ticket:42085, it is possible for the function_exists() check to return true if Suhosin is in use. However, that would be an edge case, as Suhosin was only officially available for PHP 5.4 to 5.6, and its development was discontinued in 2015.

It's also worth noting that as of PHP 8, disabled functions can be redeclared. Unless the function is redeclared, function_exists() still returns false.

It looks like most of the instances in core where we need to check for a function that might be disabled just use a simple function_exists() check


#10 @hellofromTonya
19 months ago

  • Keywords php80 added; php8 removed

#11 @hellofromTonya
15 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

As previously noted by @costdev and @SergeyBiryukov, the code is guarded by function_exists() and thus should be protected against running exec() when the hosting company disables it.

What about the edge case where function_exists() might return true? As @SergeyBiryukov noted:

As also noted in comment:3:ticket:42085, it is possible for the function_exists() check to return true if Suhosin is in use. However, that would be an edge case, as Suhosin was only officially available for PHP 5.4 to 5.6, and its development was discontinued in 2015.

Core bumped the minimum PHP version to 7.0 during 6.3. Suhosin is for PHP 5, not 7.0.

I think this ticket can be closed. It seems the issue is likely due to something other than Core. Given the age of this ticket and no other reports of the same issue, I'll go ahead and close it.

If however the issue persists today, @alfredo49 please reopen this ticket and share any additional information including some of the tips asked previously. Any information you can provide is helpful for contributors to continue investigating.
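
Added example (not part of the ticket and not WordPress core code): a diagnostic that reports function_exists(), is_callable(), the disable_functions value and the Suhosin blacklist side by side, so the mismatch discussed in this thread becomes visible, plus a conservative guard around the `gs --version` probe from line 663. All `example_*` function names are hypothetical; the try/catch only covers errors PHP raises as a Throwable, so a fatal error produced by a host-level patch may still not be catchable.

```php
<?php
// Added example; the example_* names are hypothetical and not part of WordPress.

/** Parse a comma-separated ini list (e.g. disable_functions) into lowercase names. */
function example_ini_function_list( string $directive ): array {
	$raw = ini_get( $directive ); // false when the directive does not exist.
	if ( ! is_string( $raw ) || '' === trim( $raw ) ) {
		return array();
	}
	return array_filter( array_map( 'strtolower', array_map( 'trim', explode( ',', $raw ) ) ) );
}

/** Report each check separately so disagreement between them is visible. */
function example_function_availability( string $name ): array {
	$name = strtolower( $name );
	return array(
		'function_exists'   => function_exists( $name ),
		'is_callable'       => is_callable( $name ),
		'disable_functions' => in_array( $name, example_ini_function_list( 'disable_functions' ), true ),
		'suhosin_blacklist' => in_array( $name, example_ini_function_list( 'suhosin.executor.func.blacklist' ), true ),
	);
}

/** Conservative guard: every signal has to agree before the function is called. */
function example_can_call( string $name ): bool {
	$r = example_function_availability( $name );
	return $r['function_exists'] && $r['is_callable']
		&& ! $r['disable_functions'] && ! $r['suhosin_blacklist'];
}

/** Same probe as line 663, skipped when the guard fails and wrapped for PHP 8 Errors. */
function example_ghostscript_version(): ?string {
	if ( ! example_can_call( 'exec' ) ) {
		return null;
	}
	try {
		$gs = exec( 'gs --version' ); // Fixed command string, no user input.
	} catch ( \Throwable $e ) {
		return null; // For example an Error thrown for an undefined function.
	}
	return ( is_string( $gs ) && '' !== $gs ) ? $gs : null;
}

var_export( example_function_availability( 'exec' ) );
echo PHP_EOL, 'Ghostscript: ', example_ghostscript_version() ?? 'not available', PHP_EOL;
```

Run it from the same SAPI that serves the site (web request, not CLI), since hosts often apply a different php.ini to each.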
