Opened 11 years ago
Closed 10 years ago
#26772 closed enhancement (fixed)
Permalinks settings page is blank as access to phpinfo() is denied
Reported by: | harmr | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | 4.0 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Permalinks | Keywords: | has-patch |
Focuses: | administration | Cc: |
Description
My hoster is very concerned about security and has disabled access to phpinfo() on his server. This leads to the problem that the permalinks page cannot be accessed - I only get a blank page respectively the error message: "Warning: phpinfo() has been disabled for security reasons in /wp-includes/functions.php on line 3092 )
Could the code
} elseif ( function_exists('phpinfo') ) {
somehow be changed to not only check if the function is available but also to check if it is accessible?
I am sure that this setting is related to a lot of support threads in the forum where user say that there permalink settings page is blank.
Attachments (1)
Change History (13)
#2
@
11 years ago
Hmm.. I thought function_exists() was supposed to return false for functions listed in disable_functions..
In testing it, that seems correct:
$ php -d disable_functions=phpinfo -r 'error_reporting( E_ALL ); var_dump( function_exists("phpinfo"), is_callable("phpinfo"), phpversion() );' bool(false) bool(true) string(6) "5.4.23"
it seems that the existing code is correct, but upon googling, it seems that others have had this issue where disable_functions & function_exists still returns true.
#3
@
11 years ago
This thread appears to have a solution that checks ini_get( 'disable_functions' )
:
http://wpquestions.com/question/showChrono/id/8127.
#4
@
11 years ago
ha, great - thx Sergey! If I just knew what I already know :-) This question on wpquestion is from me and I already implemented this solution in my plugin available at mapsmarker.com - it works fine on my host. Perhaps this one can also be applied to the WP code
#5
@
11 years ago
@harmr: Can you provide the PHP version/environment that you're having the issue on? your other thread was the only real example of it that I could see, it could be something wrong with your hosts PHP rather than being since that we need to fix..
#6
@
11 years ago
I am using php 5.3 (latest). I will talk to my hoster to find out which solution he implemented to block access of phpinfo()
#7
@
11 years ago
Just got an email from my hoster: he is following the security recommendations from the German BSI institute and is locking the access via suhosin and via disable_functions (so that error messages are suppressed - http://php.net/manual/de/language.operators.errorcontrol.php)
#8
@
11 years ago
in order to apply this fix, the code would have to be changed from
} elseif ( function_exists('phpinfo') ) { ob_start(); phpinfo(8); $phpinfo = ob_get_clean(); if ( false !== strpos($phpinfo, $mod) ) return true; }
to
} elseif ( function_exists('phpinfo') ) { $disabled_functions = explode(',', ini_get('disable_functions')); foreach ($disabled as $disableFunction) { $is_disabled[] = trim($disableFunction); } if (!in_array('phpinfo',$is_disabled)) { ob_start(); phpinfo(8); $phpinfo = ob_get_clean(); if ( false !== strpos($phpinfo, $mod) ) return true; } }
Related: [7508], ticket:11848:2.