Still getting ini_get_all warning message

[scottcwilson]

For some PHP configurations, the check function_exists does not suffice.

Warning: ini_get_all() has been disabled for security reasons in /home/mysite/public_html/wp-includes/load.php on line 1027

Suggested fix in wp_is_ini_value_changeable()

  if ( ! isset( $ini_all ) ) {
    $ini_all = false;
    // Sometimes `ini_get_all()` is disabled via the `disable_functions` option for "security purposes".
    if ( function_exists( 'ini_get_all' ) ) {
      $disabled_functions_raw = explode( ',', ini_get( 'disable_functions' ) );
      $disabled_functions = array_map( 'trim', $disabled_functions_raw );
      if (!array_search( 'ini_get_all', $disabled_functions ) ) {
        $ini_all = ini_get_all();
      }
    }
  }

[SergeyBiryukov]

Previously: #37680

[SergeyBiryukov]

Hi @scottcwilson, welcome to WordPress Trac! Thanks for the report.

We already check ini_get( 'disable_functions' ) for phpinfo() in [29330], makes sense to do the same here.

[johnbillion]

Under what condition does function_exists( 'ini_get_all' ) return true despite it being disable via disable_functions? Is it only when Suhosin is in use?

This is a lot of clunky code to introduce when a function_exists() check should be all that's required.

[scottcwilson]

John, I have an environment where this is occurring and would be happy to run any tests you wish that will help characterize this. Regarding Suhosin, yes, the server is running Suhosin 0.9.38.

[johnbillion]

From previous discussion on the topic, it looks like Suhosin is the common factor. I wonder if is_callable() works, either in addition to or instead of function_exists(), when a function is disabled via the disable_functions directive. That's less hacky than looking directly at the string value of disable_functions.

[scottcwilson]

Just checked - is_callable still succeeds even though the function is disabled.