
Issue Plesk 17.8.11 - PHP value "disable_functions" changed to default value "opcache_get_status"

PiyaphanI

Hello,

I upgraded from Plesk 17.5.3 to 17.8.11.

Plesk 17.8.11 added a "disable_functions" box to the PHP Settings page (all versions) for every subscription, with only one default value, "opcache_get_status".
If you submit any change to a subscription and don't explicitly enter any functions to disable, then the old "disable_functions" for that subscription (including all subdomains) will be replaced with only "opcache_get_status". This is very dangerous because the old disabled functions for existing websites (system, passthru, exec, and many more) will be removed and can be executed.

Question is,
- Where is the default value preset file? I tried to edit it at Tools & Settings > PHP Settings but nothing changed. It doesn't sync to the service plan and subscription like the previous Plesk 17.5 does.

Regards.
 
I managed to remove this setting by typing "none" as the value. Empty values are reset to opcache_get_status ...
This also works if applied to the service-package. I assume, if you need custom disable-strings, add them in the service plans and let the plans synchronize.
 
I haven't tested with Onyx 17.8, but on my 17.5 installation I set 'disable_functions' directly in the PHP configuration files.

For example:

Code:
/opt/plesk/php/7.2/etc/php.d/security.ini
 
I managed to remove this setting by typing "none" as the value. Empty values are reset to opcache_get_status ...
This also works if applied to the service-package. I assume, if you need custom disable-strings, add them in the service plans and let the plans synchronize.

Yes, I have to add them to the custom directive box at the bottom of the PHP Settings page for all service plans.
But this option should not override the old PHP Settings and leave our server in danger.
I have used disable_functions in Tools & Settings > PHP Settings, and now that directive is useless and confuses me and maybe some new Plesk users.
 
If you want to override it, no matter what (even custom stuff configured in the Plesk Panel for a subscription will no longer apply then), you can simply add an ini file with your configuration options to /opt/plesk/php/x.x/etc/php.d/ and make sure it's loaded last (name it zzz-customstuff.ini or something like that).

[php]
disable_functions = "system,passthru,exec"
 
I was unable to confirm an issue. When you enter the disable_functions into the "additional php directives", this seems to have precedence over the new configuration field "disable_functions". I think that this "disable_functions" field is more an option for users to add additional functions that ought to be disabled. But they cannot override a "disable_functions" setting in the additional PHP directives with it.
If you submit any change to a subscription and don't explicitly enter any functions to disable, then the old "disable_functions" for that subscription (including all subdomains) will be replaced with only "opcache_get_status".
Could you please specify an example to reproduce the issue? I would like to be sure that there is no security issue with it.
 
Hi Peter,

These are my settings. The PHP version for testing is 7.2.

1. Tools & Settings > PHP Settings > 7.2 > edit PHP.ini > modify the value of disable_functions to "system,exec"
(I've been using this way to disable dangerous functions for my client, not within the Service Plan)
2. The service plan of your selected subscription must use 7.2 and have disable_functions set to the default value "opcache_get_status".
3. Just enter that subscription and click "Customize". Whether you modify any resource values or just click OK/Apply at the bottom, you will see that disable_functions for that subscription is replaced with only "opcache_get_status".
(I've double-checked in the file /var/www/vhosts/system/DOMAIN.COM/etc/php.ini)

My three servers upgraded from 17.5 to 17.8 have the same results.
Now I have to add the disable_functions directive to all Service Plans instead, then try to "Customize" the subscription, and it's good for now.
So the disable_functions value from Tools & Settings > PHP Settings is now useless.

Now I think we can add disable_functions to
1. Tools & Settings > PHP Settings
2.1 Service Plans > new disable_functions field
2.2 Service Plans > old Additional directives
3.1 Subscription customize page > new disable_functions field
3.2 Subscription customize page > old Additional directives
4.1 Subscription > Website & Domain > PHP Settings > new disable_functions field
4.2 Subscription > Website & Domain > PHP Settings > old Additional directives

It would be nice if Plesk included all functions from all the above places.

If I have any misunderstanding, please let me know. Thanks :)
 
Additionally, if I have the new disable_functions field set to "system,exec" and add disable_functions = "" to the Additional directives at the bottom, then, as you said, Plesk will use the value from only the Additional directives and not include the value from the disable_functions field. So the new disable_functions config field is useless, and in this case the subscription is able to use any functions.
 
Sorry, I can't see this file in the php.d directory (all PHP versions), or do I have to create it?

Yes, create the file '/opt/plesk/php/x.x/etc/php.d/security.ini' and add your 'disable_functions' to that.

Whilst I can't say I've tested it in Plesk 17.8, that should apply it globally, as you have said you would like to.

It seems to me that the confusion is about the precedence of the different places you can now set this directive in 17.8. Whichever loads first should take effect. There should be no way to override the 'disable_functions' in a different place, as that would defeat the purpose of it.

Hope that makes some sense..?
 
Gbotica, yes, it makes sense about the precedence. That confuses me too.
I used to add 'disable_functions' and all PHP directives in Tools & Settings > PHP Settings, in one place, and it was applied globally to all subscriptions.
Now in 17.8 there's an extra 'disable_functions' field for Service Plan and Subscription with a default value 'opcache_get_status', and Plesk gives this one precedence. (Not sure about loading first or last, but I think this place is nearest to the domain itself.)
So, in my case it has overridden the old value from Tools & Settings > PHP Settings, because there's only one value of a directive that can be added to /var/www/vhosts/system/DOMAIN.COM/etc/php.ini.

I think other people may not have found this problem if they used to add 'disable_functions' to Service Plan > Plan Name > bottom Additional Directives box, not in Tools & Settings > PHP Settings like I do.
 
I think it would make more sense if Plesk wouldn't completely ignore the "disable_functions" setting from the master php.ini. All the other values from it are respected.
I also tried to set some functions to the subscription plan but they were not applied or inherited from the subscriptions underneath it (btw a service plan is not the best place to change such PHP settings in my opinion).
It would be so much better if Plesk appended the "disable_functions" field values to the ini defaults.
 
Same problem here since Plesk 17.8.11:
The "disable_functions" set in the php.ini of every PHP version is overridden by the new setting "disable_functions" in PHP Settings (whose default value is "opcache_get_status").

I can confirm that whether a custom file is called zzz-customstuff.ini or security.ini in /opt/plesk/php/x.x/etc/php.d/, it seems to do nothing.

I can change this setting through Services Pack, but:
- Can't change it for Reseller plans; Resellers manage their own clients' service plans and can edit them.
- Can't set service plans on Plesk Web Admin edition (10 domains licence), so can't edit this value globally.

I can change "disable_functions" on every domain in "Additional directives for PHP", but only for existing domains. New domains will of course be set to the default "opcache_get_status".

To summarize, what we would need is:
- Plesk not to ignore the "disable_functions" in the master php.ini, as it was previously;
- Or a way to change the default value "opcache_get_status".
 
This seems to be a related page about this issue:
Unable to override the default value of "disable_functions" via global php.ini

It seems we can set the default value for the whole server by setting this in /usr/local/psa/admin/conf/panel.ini:
Code:
[php]
settings.performance.disable_functions.values[] = "opcache_get_status"
settings.performance.disable_functions.default = "opcache_get_status"
settings.performance.disable_functions.custom=true

You can of course replace "opcache_get_status" with what you want to disable here:
Code:
[php]
settings.performance.disable_functions.values[]="mail,system,exec,opcache_get_status"
settings.performance.disable_functions.values[]="mail,system,opcache_get_status"
settings.performance.disable_functions.default="mail,system,exec,opcache_get_status"
settings.performance.disable_functions.custom=true

Then
plesk bin php_settings --update-all
seems to update every hosting which does not already have an "Additional configuration directives" with "disable_functions" set.

Hope this can work for other users too.

Edit: I have replaced "general" with "performance" in the above lines, or the setting goes to the "Common PHP settings group", and then clients could edit it. With "performance", it stays in the Performance PHP settings group.
 
Hi all,

The "best answer" tagged in this thread doesn't work; as per @Benoit_HaiSoft, you need to set it in the panel.ini file to work around the bug.

Although, I also found that running
Code:
plesk bin php_settings --update-all
didn't actually apply it to all existing sites, I also had to go into each Service Plan and save and resync all plans.
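
A way to check which domains were left with a weakened list after the steps discussed above, as an added example that is not part of any post in this thread: it reads each per-domain etc/php.ini and reports domains whose disable_functions lacks a required function. The REQUIRED policy, the function names and the sample tree are assumptions of this example, and it treats the last assignment in a file as the effective one.

```shell
#!/bin/sh
# Added example: audit per-domain php.ini files for a weakened disable_functions.
# REQUIRED is an assumed policy, built from the functions named in this thread.
REQUIRED="system passthru exec"

# Print the effective disable_functions value of one php.ini.
# Assumption: the last assignment in the file is the one PHP applies.
effective_disabled() {
  awk '
    /^[ \t]*disable_functions[ \t]*=/ {
      v = $0
      sub(/^[^=]*=/, "", v)     # keep everything after the first "="
      gsub(/[" \t\r]/, "", v)   # drop quotes and whitespace
      last = v
    }
    END { print last }' "$1"
}

# Print "<domain>: missing <functions>" for every domain under ROOT whose
# effective list lacks at least one required function.
audit_disable_functions() {
  local root="$1" ini domain list missing fn
  for ini in "$root"/*/etc/php.ini; do
    [ -f "$ini" ] || continue
    domain=${ini#"$root"/}; domain=${domain%%/*}
    list=",$(effective_disabled "$ini"),"
    missing=""
    for fn in $REQUIRED; do
      case $list in *",$fn,"*) ;; *) missing="$missing $fn" ;; esac
    done
    [ -n "$missing" ] && echo "$domain: missing$missing"
  done
  return 0
}

# Constructed sample tree standing in for /var/www/vhosts/system.
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mk() { d="$demo_root/$1/etc"; shift; mkdir -p "$d"; printf '%s\n' "$@" > "$d/php.ini"; }
mk reset.example    'disable_functions = opcache_get_status'
mk ok.example       'disable_functions = "system,passthru,exec,opcache_get_status"'
mk override.example 'disable_functions = system,passthru,exec' 'disable_functions = ""'
audit_disable_functions "$demo_root"
```

On a server, call `audit_disable_functions /var/www/vhosts/system` instead of the sample tree; an empty result means every domain still disables the required functions.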
 
If you want to override it, no matter what (even custom stuff configured in the Plesk Panel for a subscription will no longer apply then), you can simply add an ini file with your configuration options to /opt/plesk/php/x.x/etc/php.d/ and make sure it's loaded last (name it zzz-customstuff.ini or something like that).
This works perfectly on FASTCGI.
But how can I get it to work with FPM by apache please?

=== EDIT ===

Found it! Needed to delete this in PHP settings: disable_functions--> " opcache_get_status "
 