WordPress.org

Make WordPress Core

Opened 7 weeks ago

Last modified 7 weeks ago

#42085 new defect (bug)

Still getting ini_get_all warning message

Reported by: scottcwilson
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version:
Component: Bootstrap/Load
Keywords: needs-patch 2nd-opinion
Focuses:
Cc:

Description (last modified by SergeyBiryukov)

For some PHP configurations, the check function_exists does not suffice.

Warning: ini_get_all() has been disabled for security reasons in /home/mysite/public_html/wp-includes/load.php on line 1027

Suggested fix in wp_is_ini_value_changeable()

  if ( ! isset( $ini_all ) ) {
    $ini_all = false;
    // Sometimes `ini_get_all()` is disabled via the `disable_functions` option for "security purposes".
    if ( function_exists( 'ini_get_all' ) ) {
      $disabled_functions_raw = explode( ',', ini_get( 'disable_functions' ) );
      $disabled_functions = array_map( 'trim', $disabled_functions_raw );
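      // Strict in_array(): array_search() returns index 0 for a match in first position, which `!` would treat as "not found".
      if ( ! in_array( 'ini_get_all', $disabled_functions, true ) ) {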
        $ini_all = ini_get_all();
      }
    }
  }

Change History (6)

#1 @SergeyBiryukov
7 weeks ago

  • Component changed from General to Bootstrap/Load
  • Description modified (diff)

Previously: #37680

#2 @SergeyBiryukov
7 weeks ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to Future Release

Hi @scottcwilson, welcome to WordPress Trac! Thanks for the report.

We already check ini_get( 'disable_functions' ) for phpinfo() in [29330], so it makes sense to do the same here.

Last edited 7 weeks ago by SergeyBiryukov

#3 @johnbillion
7 weeks ago

  • Keywords 2nd-opinion added
  • Version 4.8.2 deleted

Under what condition does function_exists( 'ini_get_all' ) return true despite it being disabled via disable_functions? Is it only when Suhosin is in use?

This is a lot of clunky code to introduce when a function_exists() check should be all that's required.

#4 @scottcwilson
7 weeks ago

John, I have an environment where this is occurring and would be happy to run any tests you wish that will help characterize this. Regarding Suhosin, yes, the server is running Suhosin 0.9.38.

#5 @johnbillion
7 weeks ago

From previous discussion on the topic, it looks like Suhosin is the common factor. I wonder if is_callable() works, either in addition to or instead of function_exists(), when a function is disabled via the disable_functions directive. That's less hacky than looking directly at the string value of disable_functions.

#6 @scottcwilson
7 weeks ago

Just checked - is_callable still succeeds even though the function is disabled.
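
The disable_functions lookup discussed in this ticket, as an added example that is not part of the ticket or of WordPress core: it shows why the list membership test must be strict, since a loose array_search() test misses a name that sits first in the list. The example_* function names are hypothetical and the sample directive values are constructed.

```php
<?php
// Added example: helper names are hypothetical, sample values are constructed.

/** Split a disable_functions value into trimmed, non-empty function names. */
function example_parse_disabled_functions( $raw ) {
	$names = array_map( 'trim', explode( ',', (string) $raw ) );
	return array_values( array_filter( $names, 'strlen' ) );
}

/** Loose test: array_search() returns index 0 for a first-position match, which casts to false. */
function example_is_disabled_loose( $function, $raw ) {
	return (bool) array_search( $function, example_parse_disabled_functions( $raw ) );
}

/** Strict test: in_array() with strict comparison reports a match at any position. */
function example_is_disabled_strict( $function, $raw ) {
	return in_array( $function, example_parse_disabled_functions( $raw ), true );
}

/** Guarded call: returns false instead of triggering the "disabled for security reasons" warning. */
function example_ini_get_all_or_false() {
	if ( ! function_exists( 'ini_get_all' ) ) {
		return false;
	}
	if ( example_is_disabled_strict( 'ini_get_all', ini_get( 'disable_functions' ) ) ) {
		return false;
	}
	return ini_get_all();
}

// Constructed directive values: first position, later position with spaces, absent, empty.
$samples = array(
	'ini_get_all,phpinfo',
	'phpinfo, ini_get_all ,exec',
	'phpinfo,exec',
	'',
);

foreach ( $samples as $raw ) {
	printf(
		"%-30s loose=%s strict=%s\n",
		'"' . $raw . '"',
		var_export( example_is_disabled_loose( 'ini_get_all', $raw ), true ),
		var_export( example_is_disabled_strict( 'ini_get_all', $raw ), true )
	);
}
```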
