Make WordPress Core

Opened 11 years ago

Closed 10 years ago

#26772 closed enhancement (fixed)

Permalinks settings page is blank as access to phpinfo() is denied

Reported by: harmr's profile harmr Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 4.0 Priority: normal
Severity: normal Version:
Component: Permalinks Keywords: has-patch
Focuses: administration Cc:

Description

My hoster is very concerned about security and has disabled access to phpinfo() on his server. This leads to the problem that the permalinks page cannot be accessed - I only get a blank page respectively the error message: "Warning: phpinfo() has been disabled for security reasons in /wp-includes/functions.php on line 3092 )

Could the code

} elseif ( function_exists('phpinfo') ) {

somehow be changed to not only check if the function is available but also to check if it is accessible?

I am sure that this setting is related to a lot of support threads in the forum where user say that there permalink settings page is blank.

Attachments (1)

26772.patch (1.1 KB) - added by rohan013 10 years ago.
Searches for 'phpinfo' in disabled functions using strpos.

Download all attachments as: .zip

Change History (13)

#2 @dd32
11 years ago

Hmm.. I thought function_exists() was supposed to return false for functions listed in disable_functions..

In testing it, that seems correct:

$ php
   -d disable_functions=phpinfo
   -r 'error_reporting( E_ALL ); var_dump( function_exists("phpinfo"), is_callable("phpinfo"), phpversion() );'

bool(false)
bool(true)
string(6) "5.4.23"

it seems that the existing code is correct, but upon googling, it seems that others have had this issue where disable_functions & function_exists still returns true.

#3 @SergeyBiryukov
11 years ago

This thread appears to have a solution that checks ini_get( 'disable_functions' ):
http://wpquestions.com/question/showChrono/id/8127.

#4 @harmr
11 years ago

ha, great - thx Sergey! If I just knew what I already know :-) This question on wpquestion is from me and I already implemented this solution in my plugin available at mapsmarker.com - it works fine on my host. Perhaps this one can also be applied to the WP code

#5 @dd32
11 years ago

@harmr: Can you provide the PHP version/environment that you're having the issue on? your other thread was the only real example of it that I could see, it could be something wrong with your hosts PHP rather than being since that we need to fix..

#6 @harmr
11 years ago

I am using php 5.3 (latest). I will talk to my hoster to find out which solution he implemented to block access of phpinfo()

#7 @harmr
11 years ago

Just got an email from my hoster: he is following the security recommendations from the German BSI institute and is locking the access via suhosin and via disable_functions (so that error messages are suppressed - http://php.net/manual/de/language.operators.errorcontrol.php)

#8 @harmr
11 years ago

in order to apply this fix, the code would have to be changed from

} elseif ( function_exists('phpinfo') ) {
		ob_start();
		phpinfo(8);
		$phpinfo = ob_get_clean();
		if ( false !== strpos($phpinfo, $mod) )
			return true;
}

to

} elseif ( function_exists('phpinfo') ) {
	$disabled_functions = explode(',', ini_get('disable_functions'));
	foreach ($disabled as $disableFunction) {
		$is_disabled[] = trim($disableFunction);
	}
	if (!in_array('phpinfo',$is_disabled)) {
		ob_start();
		phpinfo(8);
		$phpinfo = ob_get_clean();
		if ( false !== strpos($phpinfo, $mod) )
			return true;
	}
}

#9 @nacin
11 years ago

  • Component changed from Administration to Permalinks
  • Focuses administration added

@rohan013
10 years ago

Searches for 'phpinfo' in disabled functions using strpos.

#10 @rohan013
10 years ago

  • Keywords has-patch added

#11 @SergeyBiryukov
10 years ago

  • Milestone changed from Awaiting Review to 4.0

#12 @SergeyBiryukov
10 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 29330:

Make sure phpinfo() is not disabled before calling it in apache_mod_loaded().

props rohan013, harmr.
fixes #26772.

Note: See TracTickets for help on using tickets.