
Forwarded to devs mod_php showing outputting warnings in HTML while display_errors Off

StéphanS
TITLE:
mod_php showing outputting warnings in HTML while display_errors Off
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
Plesk Onyx 17.5, x64, Ubuntu 14.04 Trusty / CloudLinux 6.8
PROBLEM DESCRIPTION:
Hi,

after upgrading both servers from Plesk 12.5 to Plesk 17.5
We were contacted by our customers that their sites started showing PHP Warnings in the web browser.

When looking into this, it seems that Apache configs have been changed to now include
"php_admin_value error_reporting xxxxx":

<IfModule sapi_apache2.c>
php_admin_flag engine on

# General settings
php_admin_flag safe_mode off
php_admin_value open_basedir none
php_admin_value error_reporting 22519
# Performance settings
# Additional directives

</IfModule>

<IfModule mod_php5.c>
php_admin_flag engine on

# General settings
php_admin_flag safe_mode off
php_admin_value open_basedir none
php_admin_value error_reporting 22519
# Performance settings
# Additional directives

</IfModule>

<IfModule mod_php7.c>
php_admin_flag engine on

# General settings
php_admin_flag safe_mode off
php_admin_value open_basedir none
php_admin_value error_reporting 22519
# Performance settings
# Additional directives

</IfModule>
STEPS TO REPRODUCE:
Create a basic PHP site

and place following file into it:

error.php

<?php
trigger_error("test", E_USER_WARNING);
?>


Set PHP settings to Apache mod_php and set display_errors to Off (or 0).


This warning should not be displayed via HTML.
And yet it is.
ACTUAL RESULT:
PHP Errors and Warnings are displayed through HTML.
EXPECTED RESULT:
PHP Errors and Warnings should only be logged to error_log when display_errors is set to Off (or 0).
ANY ADDITIONAL INFORMATION:
Fixes:

sed -i.bak '/php_admin_value error_reporting/d' /var/www/vhosts/system/domain.tld/conf/httpd.conf && service httpd restart || service apache2 restart #remove these php_admin_value settings


Possible other fix (stops Errors and Warnings from displaying in HTML as well):

php_admin_value error_reporting "E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED"
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug
 
From developer:

Was not able to reproduce. Here is what I did:

1. Created a webpage with the aforementioned content:

<?php
trigger_error("test", E_USER_WARNING);
echo ini_get('display_errors');
?>

2. Enabled mod_php5, set the corresponding handler for the domain, set display_errors to "off".

When the webpage is accessed via browser, the following directives are created in the Apache configuration:

php_admin_value open_basedir "/var/www/vhosts/qwe.tld/:/tmp/"
php_admin_value error_reporting 32767

However, "display_errors" is still managed by php.ini, and no output is presented in the browser.
----------
When "display_errors" is turned on via Plesk, the following output is displayed when the webpage is accessed:

Warning: test in /var/www/vhosts/qwe.tld/httpdocs/index.php on line 2
1

Disabling "display_errors" via Plesk removes the PHP warning from the page again.
 
Hi,

the issue was traced back to ExpressionEngine using an ExceptionHandler and outputting the captured errors/warnings/notices/etc. into the HTML itself.
This functionality was created to be able to log to an alternative mechanism than the PHP error log, e.g. for when the customer has no access to these, they can log to httpdocs/error.log as well.
They do this based on the error_reporting() set.

The logic to show errors or not, is defined as:

if (($severity & error_reporting()) == $severity)
{
$_error->show_php_error($severity, $message, $filepath, $line);
}


Where $severity is one of the predefined constants listed here: PHP: Predefined Constants - Manual
2 == E_WARNING

The & operator in PHP is a Bitwise "And" Operator PHP: Bitwise Operators - Manual
And will output the matching bits between $severity and error_reporting() .



The new setting in vhost httpd.conf:

Code:
php_admin_value error_reporting 22519


effectively disables the CMS from setting error_reporting via their internal debugging function:


PHP:
/*
 * --------------------------------------------------------------------
 *  Set the error reporting level
 * --------------------------------------------------------------------
 */
        if (DEBUG == 1)
        {
                error_reporting(E_ALL);
                @ini_set('display_errors', 1);
        }
        else
        {
                error_reporting(0);
        }



If ExpressionEngine is unable to set error_reporting() to 0 it will always be the default 22519
2 & 22519 will output 2

and thus (($severity & error_reporting()) == $severity) will equate to true and errors/warnings/notices/etc. will always be shown in HTML!

So why is the httpd conf in Plesk 17.5 now using:
Code:
php_admin_value error_reporting 22519
?

This makes no sense and cripples the CMS from overriding this in any way..
Please give more info on why this value was "locked" by using the php_admin_value directive or otherwise consider removing this from Plesk again as it was not present in Plesk 12.5 and cripples all Expression Engine sites running on mod_php!



FastCGI does not have this value "locked" in any way and allows PHP code to set the error_reporting() values:


test.php

PHP:
<?php
echo "Running PHP as: " . php_sapi_name() . "</br>" . PHP_EOL;
echo "Regular error_reporting return function: " . error_reporting() . "</br>" . PHP_EOL;
echo "Suppressed error_reporting return function: " . @error_reporting() . "</br>" . PHP_EOL;
echo "Setting error_reporting to 0 via error_reporting(0)" . "</br>" . PHP_EOL;
error_reporting(0);
echo "error_reporting value is: " . error_reporting() . "</br>" . PHP_EOL;
echo "Setting error_reporting to 0 via @error_reporting(0)" . "</br>" . PHP_EOL;
@error_reporting(0);
echo "error_reporting value is: " . error_reporting() . "</br>" . PHP_EOL;
?>


The Good:

Code:
Running PHP as: cgi-fcgi
Regular error_reporting return function: 22519
Suppressed error_reporting return function: 0
Setting error_reporting to 0 via error_reporting(0)
error_reporting value is: 0
Setting error_reporting to 0 via @error_reporting(0)
error_reporting value is: 0


The Desired (mod_php without php_admin_value error_reporting):

Code:
Running PHP as: apache2handler
Regular error_reporting return function: 22527
Suppressed error_reporting return function: 0
Setting error_reporting to 0 via error_reporting(0)
error_reporting value is: 0
Setting error_reporting to 0 via @error_reporting(0)
error_reporting value is: 0


The Ugly (mod_php with php_admin_value error_reporting 22519):

Code:
Running PHP as: apache2handler
Regular error_reporting return function: 22519
Suppressed error_reporting return function: 0
Setting error_reporting to 0 via error_reporting(0)
error_reporting value is: 22519
Setting error_reporting to 0 via @error_reporting(0)
error_reporting value is: 22519
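
An added example, not part of the thread and not ExpressionEngine's or Plesk's code: a custom handler that keeps the mask test quoted above but renders to HTML only when display_errors is on, so a locked error_reporting value cannot push messages and file paths into pages served to visitors. The function names decode_error_mask and gated_error_handler are hypothetical.

```php
<?php
// Added example: a constructed handler, not ExpressionEngine's or Plesk's code.

// Map the bits of an error_reporting mask to their E_* names
// (numeric values as listed in the PHP manual).
function decode_error_mask($mask)
{
    $levels = array(
        'E_ERROR' => 1, 'E_WARNING' => 2, 'E_PARSE' => 4, 'E_NOTICE' => 8,
        'E_CORE_ERROR' => 16, 'E_CORE_WARNING' => 32, 'E_COMPILE_ERROR' => 64,
        'E_COMPILE_WARNING' => 128, 'E_USER_ERROR' => 256, 'E_USER_WARNING' => 512,
        'E_USER_NOTICE' => 1024, 'E_STRICT' => 2048, 'E_RECOVERABLE_ERROR' => 4096,
        'E_DEPRECATED' => 8192, 'E_USER_DEPRECATED' => 16384,
    );
    $set = array();
    foreach ($levels as $name => $bit) {
        if (($mask & $bit) === $bit) {
            $set[] = $name;
        }
    }
    return $set;
}

// Hypothetical handler: same mask test as in the thread, but output to the
// page additionally requires display_errors, which the operator controls.
function gated_error_handler($severity, $message, $file, $line)
{
    if (($severity & error_reporting()) !== $severity) {
        return true; // level is excluded by the current mask
    }
    // Always record the event server-side.
    error_log(sprintf('PHP [%d] %s in %s on line %d', $severity, $message, $file, $line));
    // Render into the response only when display_errors is enabled.
    if (filter_var(ini_get('display_errors'), FILTER_VALIDATE_BOOLEAN)) {
        echo htmlspecialchars("$message in $file on line $line", ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    return true; // handled; skip PHP's built-in handler
}

set_error_handler('gated_error_handler');

// List the levels set in 32767 but cleared in the locked value 22519.
echo implode(', ', array_diff(decode_error_mask(32767), decode_error_mask(22519))), PHP_EOL;

// Same trigger as error.php in the report: logged, shown only if display_errors is on.
trigger_error('test', E_USER_WARNING);
```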
 