[wp-trac] [WordPress Trac] #37978: Warning: posix_getpwuid() has been disabled for security reasons

WordPress Trac noreply at wordpress.org
Fri Sep 9 18:12:16 UTC 2016


#37978: Warning: posix_getpwuid() has been disabled for security reasons
----------------------------+------------------------------
 Reporter:  AndyDeGroo      |       Owner:
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  Awaiting Review
Component:  Filesystem API  |     Version:  4.6.1
 Severity:  normal          |  Resolution:
 Keywords:                  |     Focuses:
----------------------------+------------------------------

Comment (by AndyDeGroo):

 Replying to [comment:2 dd32]:
 > Can you check to see if your host is running some extra
 > security/hardening extensions on PHP?
 >
 > Via https://core.trac.wordpress.org/ticket/37680#comment:18 apparently
 > you can use `suhosin.executor.func.blacklist` which disables the function
 > in every way, except that `function_exists()` continues to incorrectly
 > return true.

 I had read #37680 and comments before creating this one. No, Suhosin is
 not present on this host. However, there is this line in `phpinfo` output:
 `ionCube PHP Loader (enabled) + Intrusion Protection from ioncube24.com
 (unconfigured)`
 I'm not familiar with ionCube intrusion protection.

 There is also `Zend Guard Loader` but that should not be interfering.

 Loaded PHP extensions:
 {{{
 Core, date, ereg, libxml, openssl, pcre, sqlite3, zlib, bz2, calendar,
 ctype, curl, hash, filter, ftp, gettext, gmp, SPL, iconv, pcntl, readline,
 Reflection, session, standard, shmop, SimpleXML, mbstring, tokenizer, xml,
 cgi-fcgi, apcu, bcmath, dom, fileinfo, gd, imap, jsmin, json, exif,
 mcrypt, mysql, mysqli, mysqlnd, PDO, pdo_mysql, pdo_sqlite, Phar, posix,
 sockets, tidy, xmlreader, xmlwriter, xsl, zip, mhash, apc, ionCube Loader,
 Zend OPcache, Zend Guard Loader
 }}}


 > I wonder if maybe it correctly applies to `is_callable()`?

 Unfortunately, `is_callable()` returns `true` for all disabled functions.

 I guess the only failsafe option is to check
 `ini_get('disable_functions')` like it is done in
 [https://core.trac.wordpress.org/browser/tags/4.6.1/src/wp-includes/functions.php#L4041 functions.php]

 {{{#!php
 <?php
 // Non-false when 'posix_getpwuid' appears in the disable_functions ini value.
 strpos( ini_get( 'disable_functions' ), 'posix_getpwuid' );
 }}}

--
Ticket URL: <https://core.trac.wordpress.org/ticket/37978#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
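
The check discussed in the comment above, written out as an added example that is not part of the original message or of WordPress core. The helper names `example_function_is_usable()` and `example_parse_function_list()` are hypothetical, and the sample list is constructed. It matches whole function names in `disable_functions` and `suhosin.executor.func.blacklist` instead of using a substring test:

```php
<?php
// Added example: hypothetical helpers, not WordPress core code.

/**
 * Split a comma-separated ini value into lowercase function names.
 * Function names are case-insensitive and hosts often add spaces.
 */
function example_parse_function_list( $raw ) {
	$names = array_map( 'trim', explode( ',', strtolower( $raw ) ) );
	return array_values( array_filter( $names, 'strlen' ) );
}

/**
 * True only if $name is defined and not listed in either directive.
 * function_exists()/is_callable() alone are not trusted here, since the
 * thread reports both returning true for disabled functions.
 */
function example_function_is_usable( $name ) {
	$name = strtolower( ltrim( $name, '\\' ) );

	if ( ! function_exists( $name ) ) {
		return false;
	}

	$directives = array( 'disable_functions', 'suhosin.executor.func.blacklist' );

	foreach ( $directives as $directive ) {
		// ini_get() returns false when the directive is not registered
		// (for example, Suhosin is not loaded).
		$raw = ini_get( $directive );
		if ( ! is_string( $raw ) || '' === trim( $raw ) ) {
			continue;
		}
		if ( in_array( $name, example_parse_function_list( $raw ), true ) ) {
			return false;
		}
	}

	return true;
}

// Constructed sample value: 'exec' is NOT disabled here, 'shell_exec' is.
$sample = 'shell_exec, Posix_GetPwUid ,proc_open';

var_dump( false !== strpos( $sample, 'exec' ) );                                       // substring test
var_dump( in_array( 'exec', example_parse_function_list( $sample ), true ) );          // whole-name test
var_dump( in_array( 'posix_getpwuid', example_parse_function_list( $sample ), true ) );
var_dump( example_function_is_usable( 'posix_getpwuid' ) );                            // depends on this host
```

This only covers functions blocked through those two directives; a function blocked by some other mechanism would still need the call itself to be guarded.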

