Closed rvdsteege closed 1 year ago
Indeed seems to be done by hosting suppliers:
Turns out the function escapeshellarg() was disabled by the hosting provider. Thank you Nico for your help!
https://stackoverflow.com/a/72071053
Best one I could find is this:
Protect your website from Hacking using this php.ini By Mauritania Attacker
safe_mode = On
disable_functions = "ln, cat, popen, pclose, posix_getpwuid, posix_getgrgid, posix_kill, parse_perms, system, dl, passthru, exec, shell_exec, popen, proc_close, proc_get_status, proc_nice, proc_open, escapeshellcmd, escapeshellarg, show_source, posix_mkfifo, mysql_list_dbs, get_current_user, getmyuid, pconnect, link, symlink, pcntl_exec, ini_alter, pfsockopen, leak, apache_child_terminate, posix_kill, posix_setpgid, posix_setsid, posix_setuid, proc_terminate, syslog, fpassthru, stream_select, socket_select, socket_create, socket_create_listen, socket_create_pair, socket_listen, socket_accept, socket_bind, socket_strerror, pcntl_fork, pcntl_signal, pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled, pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, openlog, apache_get_modules, apache_get_version, apache_getenv, apache_note, apache_setenv, virtual, chmod, file_upload, delete, deleted, edit, fwrite, cmd, rename, unlink, mkdir, mv, touch, cp, cd, pico"
safe_mode_gid = On
open_basedir = On
register_globals = Off
exec = Off
shell_exec = Off
allow_url_fopen = Off
allow_url_include = Off
https://www.cyberciti.biz/faq/linux-unix-apache-lighttpd-phpini-disable-functions/#comment-94548
disable_functions (string)
This directive allows you to disable certain functions. It takes on a comma-delimited list of function names. Only internal functions can be disabled using this directive. User-defined functions are unaffected.
This directive must be set in php.ini. For example, you cannot set this in httpd.conf.
https://www.php.net/manual/en/ini.core.php#ini.disable-functions
Do we now have to check every PHP function if it is available? 🙈
Do we now have to check every PHP function if it is available?
No, only the ones we use 😜
As we can expect the escapeshellarg() function to be disabled on some hosts, I thought it would be nice to handle that case and prevent the fatal error. Another option would be to not mention the shell command at all if the required function is not available.
Discussed on Slack, we will not mention the shell command if escapeshellarg() is unavailable. The openssl command we display is just a handy help tool, not required. Also, hosting providers should not block escapeshellarg(); I don't see how this can help to protect a website.
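One way to implement the approach agreed on above (skip the command hint instead of fataling when the host has disabled the function), as an added example that is not the plugin's own code. The `openssl x509` command, the `build_openssl_hint()` / `is_function_usable()` helpers and the certificate path are assumptions for illustration; the thread does not show the real command the plugin displays. It also illustrates the `disable_functions` directive quoted from the PHP manual earlier in the thread: the availability check consults both `function_exists()` and the directive itself.

```php
<?php
// Added example, not the project's own code. Shows how to guard a shell
// command hint against hosts that list escapeshellarg() in disable_functions.

/**
 * True when $name is an internal function that is actually callable.
 *
 * function_exists() returns false for functions disabled through
 * disable_functions (PHP 7.x flags them, PHP 8.0+ removes them from the
 * function table). The ini directive is consulted as well, so an unusual
 * build that leaves the symbol registered but disabled is still caught.
 */
function is_function_usable(string $name): bool
{
    if (!function_exists($name)) {
        return false;
    }

    $disabled = array_map(
        static fn (string $f): string => strtolower(trim($f)),
        explode(',', (string) ini_get('disable_functions'))
    );

    return !in_array(strtolower($name), $disabled, true);
}

/**
 * Build the optional "run this openssl command" hint for the user.
 *
 * Returns null when escapeshellarg() is unavailable: the hint is a
 * convenience only, and an unescaped path must never be interpolated
 * into a shell command, so omitting the hint is the safe fallback.
 * The command itself is a hypothetical placeholder.
 */
function build_openssl_hint(string $certificate_path): ?string
{
    if (!is_function_usable('escapeshellarg')) {
        return null;
    }

    return sprintf(
        'openssl x509 -in %s -noout -text',
        escapeshellarg($certificate_path)
    );
}

// Constructed sample input: a path containing characters that would break
// an unescaped shell command.
$hint = build_openssl_hint("/var/www/certs/it's a cert.pem");

if ($hint === null) {
    echo "Shell helper functions are disabled on this host; no command hint shown.\n";
} else {
    echo "You can inspect the certificate with: {$hint}\n";
}
```

Checking `function_exists()` rather than wrapping the call in a `try` block matters because, before PHP 8, calling a disabled function raised a warning rather than a catchable `Error`, and under PHP 8 the function is simply undefined; the availability check handles both cases uniformly.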
From customer:
The program execution functions (like escapeshellarg()) are probably disabled in the hosting environment for security reasons.
Internal Help Scout ticket: https://secure.helpscout.net/conversation/2088187850/24884