com() has been disabled for security reasons #79
Comments
Me too... my issue occurs on Windows 2012 hosting IIS 8.5.
Is there a specific INI directive being used to block COM that we can detect?
You should be able to parse the disable_functions using
5f727f8 can anyone confirm this fixes the issue?
Looks like that might fix it (haven't tested), but it'll also need to check case-insensitive.
Oh, right. I hadn't even considered that.
Um ... this can't possibly work, because the setting is called 'disable_classes' (only a single 'd' in it). Also,
As a side note, I always use
This disabled check seems a bit like it needs an actual proper check, spelled out explicitly, rather than some half-checks and resorting to regular expressions. Something like this might help spell it out a bit clearer. Rename the function or inline the basic logic of it, if you like. But it should be spelled out so as to be clear what is occurring.

```php
// input: class name
// output: true if class exists and is enabled, false otherwise
function is_class_disabled( $class ) {
    $disabled_classes = @ini_get("disable_classes");
    if (empty($disabled_classes) == false) {
        $disabled_classes = explode(',', $disabled_classes);
        $disabled_classes = array_map('trim', $disabled_classes);
        $disabled_classes = array_map('strtolower', $disabled_classes);
        // the list was lowercased, so lowercase the needle too (case-insensitive match)
        return (class_exists($class) == true && in_array(strtolower($class), $disabled_classes, true) === false);
    }
    return class_exists($class);
}
```
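The thread above converges on three points: the directive is `disable_classes` (not `disable_functions`), the comparison has to be case-insensitive, and the check should be explicit rather than a regular expression. The following is an added example written for this page, not random_compat's own code and not the commenter's snippet. It assumes only the two standard INI directives `disable_classes` and `disable_functions` are consulted and that a caller wants a clean fallback instead of the "has been disabled for security reasons" warning; the `try_com()` helper and its `$progId` parameter are illustrative.

```php
<?php
// Added example (not part of random_compat): decide whether a class or function
// can be used without PHP emitting "has been disabled for security reasons".
// Assumption: only disable_classes / disable_functions are consulted, and names
// are matched case-insensitively, which is how PHP treats them.

/** Parse a comma-separated INI list into trimmed, lowercased entries. */
function ini_list(string $directive): array
{
    $raw = (string) @ini_get($directive);   // false (unknown directive) becomes ''
    if ($raw === '') {
        return [];
    }
    $items = array_map('trim', explode(',', $raw));
    $items = array_filter($items, static function ($item) { return $item !== ''; });
    return array_values(array_map('strtolower', $items));
}

/** True only if the class is defined AND not listed in disable_classes. */
function is_class_usable(string $class): bool
{
    if (!class_exists($class, false)) {      // no autoload: we only care about built-ins here
        return false;
    }
    return !in_array(strtolower($class), ini_list('disable_classes'), true);
}

/** True only if the function is defined AND not listed in disable_functions. */
function is_function_usable(string $function): bool
{
    if (!function_exists($function)) {
        return false;
    }
    return !in_array(strtolower($function), ini_list('disable_functions'), true);
}

/**
 * Hypothetical caller: instantiate a COM object only when the COM class is
 * usable, so a hardened php.ini (e.g. disable_classes = COM) produces a null
 * return the caller can fall back from, rather than a warning at runtime.
 */
function try_com(string $progId)
{
    if (!is_class_usable('COM')) {
        return null;
    }
    try {
        return new COM($progId);
    } catch (Exception $e) {
        return null;
    }
}
```

The explicit check keeps the two failure modes distinct: a non-Windows build where the class simply does not exist, and a Windows build where an administrator has disabled it via INI. Both return `false`, but neither path triggers the warning the original report shows.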
You say that like using regular expressions is a bad thing ... they are not evil and this one is dead simple.
I agree that having an explicit check would be a good thing in general, but writing a helper function that will only, in our library, ever be used exactly once isn't really that helpful. It doesn't reduce code duplication at all. I tagged 1.1.4 with your suggested fix @narfbg.
Great. Although, you may want to reconsider doing quick releases in that fashion and allow a few days time for peer review. :)
I agree with @narfbg. Release tags are being made a little too quickly. It would be a good idea to hold off tagging future releases until bug fixes/changes are verified.
Noted, I'll be less trigger happy about patch version releases in the future.
Does the latest patch mitigate this issue completely?
@paragonie-scott Although I've not tested it directly on a COM-enabled server, I've been unable to find a flaw in the logic, if that helps at all.
Problem fixed. Tested on a COM-enabled server (Windows 2012 hosting IIS 8.5).
Excellent news. Thanks @Otto42 for reporting this and everyone for testing the fixes.
After the release of 4.4, we received this report in the forums:
https://wordpress.org/support/topic/issue-after-updating-to-44
Warning: com() has been disabled for security reasons in D:...\wordpress\wp-includes\random_compat\random.php on line 94
Looks like some servers disable this via the INI file. Maybe a check to prevent a warning here is in order.