Make WordPress Core

Opened 11 years ago

Closed 10 years ago

#26772 closed enhancement (fixed)

Permalinks settings page is blank as access to phpinfo() is denied

Reported by: harmr
Owned by: SergeyBiryukov
Milestone: 4.0
Priority: normal
Severity: normal
Version:
Component: Permalinks
Keywords: has-patch
Focuses: administration
Cc:

Description

My hoster is very concerned about security and has disabled access to phpinfo() on his server. This leads to the problem that the permalinks page cannot be accessed - I only get a blank page or the error message: "Warning: phpinfo() has been disabled for security reasons in /wp-includes/functions.php on line 3092"

Could the code

} elseif ( function_exists('phpinfo') ) {

somehow be changed to not only check if the function is available but also to check if it is accessible?

I am sure that this setting is related to a lot of support threads in the forum where users say that their permalink settings page is blank.

Attachments (1)

26772.patch (1.1 KB) - added by rohan013 10 years ago.
Searches for 'phpinfo' in disabled functions using strpos.


Change History (13)

#2 @dd32
11 years ago

Hmm.. I thought function_exists() was supposed to return false for functions listed in disable_functions..

In testing it, that seems correct:

$ php -d disable_functions=phpinfo -r 'error_reporting( E_ALL ); var_dump( function_exists("phpinfo"), is_callable("phpinfo"), phpversion() );'

bool(false)
bool(true)
string(6) "5.4.23"

It seems that the existing code is correct, but upon googling, it seems that others have had this issue where disable_functions & function_exists still returns true.

#3 @SergeyBiryukov
11 years ago

This thread appears to have a solution that checks ini_get( 'disable_functions' ):
http://wpquestions.com/question/showChrono/id/8127.

#4 @harmr
11 years ago

Ha, great - thx Sergey! If I just knew what I already know :-) This question on wpquestion is from me and I already implemented this solution in my plugin available at mapsmarker.com - it works fine on my host. Perhaps this one can also be applied to the WP code.

#5 @dd32
11 years ago

@harmr: Can you provide the PHP version/environment that you're having the issue on? Your other thread was the only real example of it that I could see; it could be something wrong with your host's PHP rather than being something that we need to fix.

#6 @harmr
11 years ago

I am using PHP 5.3 (latest). I will talk to my hoster to find out which solution he implemented to block access of phpinfo().

#7 @harmr
11 years ago

Just got an email from my hoster: he is following the security recommendations from the German BSI institute and is locking the access via suhosin and via disable_functions (so that error messages are suppressed - http://php.net/manual/de/language.operators.errorcontrol.php)

#8 @harmr
11 years ago

In order to apply this fix, the code would have to be changed from

} elseif ( function_exists('phpinfo') ) {
		ob_start();
		phpinfo(8);
		$phpinfo = ob_get_clean();
		if ( false !== strpos($phpinfo, $mod) )
			return true;
}

to

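} elseif ( function_exists('phpinfo') ) {
	// Build a trimmed list of the functions named in disable_functions.
	$disabled_functions = explode(',', ini_get('disable_functions'));
	$is_disabled = array();
	foreach ($disabled_functions as $disableFunction) {
		$is_disabled[] = trim($disableFunction);
	}
	// Only call phpinfo() when it is not on that list.
	if (!in_array('phpinfo',$is_disabled)) {
		ob_start();
		phpinfo(8); // 8 = INFO_MODULES
		$phpinfo = ob_get_clean();
		if ( false !== strpos($phpinfo, $mod) )
			return true;
	}
}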

#9 @nacin
10 years ago

  • Component changed from Administration to Permalinks
  • Focuses administration added

@rohan013
10 years ago

Searches for 'phpinfo' in disabled functions using strpos.

#10 @rohan013
10 years ago

  • Keywords has-patch added

#11 @SergeyBiryukov
10 years ago

  • Milestone changed from Awaiting Review to 4.0

#12 @SergeyBiryukov
10 years ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 29330:

Make sure phpinfo() is not disabled before calling it in apache_mod_loaded().

props rohan013, harmr.
fixes #26772.
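
One way to write the check discussed in this ticket, as an added example that is not WordPress core code and not the attached patch: it matches whole entries of disable_functions rather than substrings, and also consults Suhosin's suhosin.executor.func.blacklist, a directive the thread does not name. The helper names and the sample list are constructed for illustration.

```php
<?php
// Added example, not WordPress core code. Helper names are hypothetical.

// Split a comma-separated ini list into exact, lower-cased function names.
function parse_function_list( $raw ) {
	$names = array_map( 'trim', explode( ',', strtolower( (string) $raw ) ) );
	return array_values( array_filter( $names, 'strlen' ) );
}

// True when $name is a whole entry in any of the given ini lists.
// PHP function names are case-insensitive, so compare in lower case.
function is_listed_as_disabled( $name, array $raw_lists ) {
	foreach ( $raw_lists as $raw ) {
		if ( in_array( strtolower( $name ), parse_function_list( $raw ), true ) ) {
			return true;
		}
	}
	return false;
}

// Combine the existence check with both places a host may block a function.
function function_is_usable( $name ) {
	if ( ! function_exists( $name ) ) {
		return false;
	}
	$lists = array(
		ini_get( 'disable_functions' ),
		// Assumption: Suhosin's blacklist directive. ini_get() returns false
		// when the extension is not loaded, which parses to an empty list.
		ini_get( 'suhosin.executor.func.blacklist' ),
	);
	return ! is_listed_as_disabled( $name, $lists );
}

// Constructed sample value, shaped like a hardened host's php.ini entry.
$sample = 'exec, passthru ,phpinfo,show_source';

// Whole entry, surrounded by stray whitespace in the list.
var_dump( is_listed_as_disabled( 'phpinfo', array( $sample ) ) );
// Fragment of an entry: exact matching versus a substring search
// over the raw string, on the same input.
var_dump( is_listed_as_disabled( 'info', array( $sample ) ) );
var_dump( false !== strpos( $sample, 'info' ) );
// Result for the PHP build this script runs on.
var_dump( function_is_usable( 'phpinfo' ) );
```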
