Re: Log error full of -> 8192: preg_replace()

Timelord2067 · August 17, 2014, 10:54:41 PM

Quote from: mcblaber on January 01, 2014, 05:26:47 PM
Do not use SMF2.0 and php 5.5.x for the time being. It's known issue/bug. Not sure if it will be getting patched in SMF2.0 but it will definitely be fixed in 2.1. So I'd advise going with php 5.4.20.

/issues/459

Hi - I've installed SM V 2.0.8 (which I *thought* was the most recent version) the other day.

My server has PHP V 5.3.27 and I get the error

Quotepreg_replace() has been disabled for security reasons in /home/(user name)/public_html/(url)/forums/Sources/Errors.php on line 114

I don't have any knowledge of how to enable this - any suggestions would be appreciated - thanks.

Kindred · August 17, 2014, 10:57:56 PM

Well, first of all... Posting in an old thread which is marked as solved is a good way to have your questions ignored/missed.

Second... You would have to talk to your host... But 2.0.8 has been corrected to work with php5.5. If you are still seeing errors, then there is a good chance that it is related to a mod which you installed that has not been updated the same way.

Kindred · August 17, 2014, 11:05:07 PM

Please stop double posting and posting in old threads.

Aside from being posted to a solved thread, Your issue has nothing at all to do with the issues in the thread you posted to.

If you are using php5,3, the. This is obviously something that your HOST has misconfigured and you will have to take it up with them.

Arantor · August 17, 2014, 11:05:57 PM

The only workaround is to find a non-ridiculous host.

This isn't a PHP compatibility issue, this is a host that believes 'preg_replace' is a security issue in itself and there are bound to be many more issues if you try to use them.

Timelord2067 · August 19, 2014, 11:05:44 AM

Quote from: ‽ on August 17, 2014, 11:05:57 PM
The only workaround is to find a non-ridiculous host.

This isn't a PHP compatibility issue, this is a host that believes 'preg_replace' is a security issue in itself and there are bound to be many more issues if you try to use them.

Hi and thank you for replying to my one post, I'll contact my Domain provider and see if they can unblock it. Unfortunately, I'm pretty well locked into using them for the time being (and they've always been quick to offer solutions, so hopefully they'll help sort something out.

Timelord2067 · August 27, 2014, 01:36:37 AM

Quote from: ‽ on August 17, 2014, 11:05:57 PM
The only workaround is to find a non-ridiculous host.

This isn't a PHP compatibility issue, this is a host that believes 'preg_replace' is a security issue in itself and there are bound to be many more issues if you try to use them.

Hi and thanks for your reply - I received the following when I asked about this issue:

Quote

We have removed the disabling of the /e modifier for Preg_replace for files in your site directory and your site should run as normal now. We originally disabled this modifier because it is a known security risk and felt it was the best way to protect the servers and our customers. The use of the /e modifier is highly discouraged at this time and we recommend that any instances of it in your code be replaced with preg_replace_callback functions as soon as possible. Aside from the fact that the modifer is deprecated as of PHP5.0 it is a security risk and opens vulnerabilities to your site and your account. We suggest you retain backups of your files as a precaution if you continue to use the /e modifier. To read more about this see hxxp:www.php.net/manual/en/reference.pcre.pattern.modifiers.php#reference.pcre.pattern.modifiers.eval [nonactive]

The forum that was previously installed now works (from what I can tell) correctly - no error messages when reading posts, however, I was attempting to install a forum on another domain that's also hosted with the same provider and the install.php page is blank - no 404 error no part loading, nothing.

So, it would seem if I can toggle this back and forth I can first install with preg_replace blocked, then run the site with it unblocked. (there's some ~300 instances of preg_replace in this package, so making the modifications suggested by hxxp:www.php.net/ [nonactive] seems impracticable)

In addition, both sites are getting wikis (mediawiki) , the first was already installed (preg_replace blocked) but gave out errors, while the second hadn't been installed and gives out errors on it's install page (with preg_replace unblocked).

Any suggestions that are helpful are appreciated.

Kindred · August 27, 2014, 06:20:34 AM

Quote from: ‽ on August 17, 2014, 11:05:57 PM
The only workaround is to find a non-ridiculous host.

This isn't a PHP compatibility issue, this is a host that believes 'preg_replace' is a security issue in itself and there are bound to be many more issues if you try to use them.

Timelord2067 · August 27, 2014, 07:31:47 AM

Quote from: Kindred on August 27, 2014, 06:20:34 AM
Quote from: ‽ on August 17, 2014, 11:05:57 PM
The only workaround is to find a non-ridiculous host.

This isn't a PHP compatibility issue, this is a host that believes 'preg_replace' is a security issue in itself and there are bound to be many more issues if you try to use them.

Please do not PM, IM or Email me with support questions. You will get better and faster responses in the support forums. Thank you.

I didn't - You chose to put my question in this spot.

Kindred · August 27, 2014, 09:17:23 AM

you quoted my signature... not my message to you. (see the line between the post and my signature?) (and the fact that when you quoted, you actually had to manually paste that line into the quote?)

my message to you was merely a re-quote of interrobang's initial statement.

really, your only solution is to get a better host.

Arantor · August 27, 2014, 11:50:30 AM

Yup, any host that blocks preg_replace as a 'security' measure clearly has no understanding of how widespread its use is (and why it is not recommended to disable it since it has so many legitimate uses) and should be avoided at all costs.

Timelord2067 · August 27, 2014, 10:07:09 PM

You don't seem too concerned that your product doesn't install at all when preg_replace is *not* blocked...

Quote from: Kindred on August 27, 2014, 09:17:23 AM
you quoted my signature... not my message to you. (see the line between the post and my signature?) (and the fact that when you quoted, you actually had to manually paste that line into the quote?)

my message to you was merely a re-quote of interrobang's initial statement.

really, your only solution is to get a better host.

And I suppose you're now going to say eNom, Inc / IANA ID: 48 would make a better host?

Timelord2067 · August 27, 2014, 10:12:08 PM

Quote from: ‽ on August 27, 2014, 11:50:30 AM
Yup, any host that blocks preg_replace as a 'security' measure clearly has no understanding of how widespread its use is (and why it is not recommended to disable it since it has so many legitimate uses) and should be avoided at all costs.

Well, my domain host is gracious enough to unblock it for my sites, so Kudos to them.

I think the work around to simple-machines failing to install at all with preg_replace not blocked or as my domain provider suggested replace ~ 300 instances of code with preg_replace_callback ) is to re-block preg_replace, install the forum, then again unblock preg_replace.

Convoluted I know, but it's the best suggestion I've had so far.

Thanks again.

Arantor · August 27, 2014, 10:16:05 PM

Before we move on, let me talk about preg_replace for a minute. I'm still not convinced that it's been properly disabled, and I have grave concerns about your hosts' credibility as a host when they think disabling preg_replace is a good idea.

Aside from being ex-SMF dev team with a decade of PHP experience, including Zend certification (Zend is the company that sort of *makes* PHP), I did a quick look around at other packages that I had lying around on my test site. Not all of these are up to date so the figures quoted are approximate.

Magento - over 200 instances
MyBB - approx 150 instances
WordPress - over 400 instances
XenForo - almost 300 instances

Now you might think SMF might be a lone wolf in using this function - but it's really not. Now if you want to proceed to tell me that *all* of the above happen to be doing something wrong... The reason I bring this up is because if your host are blocking *all* of the above (which they are with disabling preg_replace), it's highly likely there's something else gravely wrong with their service.

Considering that I personally have carried out *hundreds* of installations on about as many different server configurations, and *millions* of SMF installs have been carried out without the issues you raise, I would be far more inclined to distrust the host than I ever would to distrust SMF.

There are not 300 instances of preg_replace with /e in the code. It's *far* smaller than that. And I KNOW that for a fact because I'm one of the people who worked on it in 2.0.7 and 2.0.8 to phase it out in the first place. Their security procedure on the other hand isn't smart enough to differentiate the two and blocks it *everywhere*.

Timelord2067 · August 27, 2014, 10:49:02 PM

Quote from: ‽ on August 27, 2014, 10:16:05 PM
...

There are not 300 instances of preg_replace with /e in the code. It's *far* smaller than that. And I KNOW that for a fact because I'm one of the people who worked on it in 2.0.7 and 2.0.8 to phase it out in the first place. Their security procedure on the other hand isn't smart enough to differentiate the two and blocks it *everywhere*.

I stand corrected - there aren't ~ 300 instances of preg_replace /e

I'd say I was originally meaning there are ~ 300 instances of preg_replace of which I would have to find the ones with the /e switch and modify as suggested. (should I wish to go down that path.

Kindest Regards,

(newbie)

Arantor · August 27, 2014, 10:57:58 PM

We already DID that. That's what we did in 2.0.7 and made better in 2.0.8. All instances of /e have already been removed. Again, I am one of the people who actually went through this process already. I went through all the files to specifically deal with this and I'm responsible for some of the changes.

You will not be able to remove what is not there. Your host is unilaterally blocking preg_replace because they apparently don't know any better. The error you got is not because of /e but because a *system wide* lockdown on preg_replace.

You have two choices: persist with this host, which will give you hassle regardless of forum software since they all use preg_replace (without /e) or move to a new host like we have suggested repeatedly.

Kindred · August 28, 2014, 12:39:03 AM

Quote from: Timelord2067 on August 27, 2014, 10:07:09 PM
You don't seem too concerned that your product doesn't install at all when preg_replace is *not* blocked...

As already indicated... I think your host is fibbing about what is and is not blocked or activated.
Because this is the FIRST TIME I have heard anyone complain about this, in several million installations...

Quote
And I suppose you're now going to say eNom, Inc / IANA ID: 48 would make a better host?

huh? The only host I have ever recommended is my own host, ICDSoft.
However, we have a whole board dedicated to hosts who match our (moderately stringent) requirements for being accepted as "supported hosts".I don't care who you use... I am just saying exactly what Interrobang said - Your current host is terrible.

News:

Re: Log error full of -> 8192: preg_replace()