Opened 6 years ago
Last modified 6 years ago
#42085 new defect (bug)
Still getting ini_get_all warning message
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | Future Release | Priority: | normal |
Severity: | normal | Version: | |
Component: | Bootstrap/Load | Keywords: | needs-patch 2nd-opinion |
Focuses: | | Cc: | |
Description (last modified by )
For some PHP configurations, the check function_exists does not suffice.
Warning: ini_get_all() has been disabled for security reasons in /home/mysite/public_html/wp-includes/load.php on line 1027
Suggested fix in wp_is_ini_value_changeable()
```php
if ( ! isset( $ini_all ) ) {
	$ini_all = false;
	// Sometimes `ini_get_all()` is disabled via the `disable_functions` option for "security purposes".
	if ( function_exists( 'ini_get_all' ) ) {
		$disabled_functions_raw = explode( ',', ini_get( 'disable_functions' ) );
		$disabled_functions     = array_map( 'trim', $disabled_functions_raw );
		// in_array() instead of array_search(): a match at index 0 would otherwise read as "not found".
		if ( ! in_array( 'ini_get_all', $disabled_functions, true ) ) {
			$ini_all = ini_get_all();
		}
	}
}
```
Change History (6)
#2
@
6 years ago
- Keywords needs-patch added
- Milestone changed from Awaiting Review to Future Release
Hi @scottcwilson, welcome to WordPress Trac! Thanks for the report.
We already check ini_get( 'disable_functions' ) for phpinfo() in [29330], makes sense to do the same here.
#3
@
6 years ago
- Keywords 2nd-opinion added
- Version 4.8.2 deleted
Under what condition does function_exists( 'ini_get_all' ) return true despite it being disabled via disable_functions? Is it only when Suhosin is in use?
This is a lot of clunky code to introduce when a function_exists() check should be all that's required.
#4
@
6 years ago
John, I have an environment where this is occurring and would be happy to run any tests you wish that will help characterize this. Regarding Suhosin, yes, the server is running Suhosin 0.9.38.
#5
@
6 years ago
From previous discussion on the topic, it looks like Suhosin is the common factor. I wonder if is_callable() works, either in addition to or instead of function_exists(), when a function is disabled via the disable_functions directive. That's less hacky than looking directly at the string value of disable_functions.
Previously: #37680
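
The checks discussed in this ticket, as an added example that is not WordPress core code and not part of any comment above: it combines function_exists(), is_callable() and a strict lookup in disable_functions, then runs the lookup over constructed sample values to show where a loose `! array_search()` test differs from a strict one. The `example_*` function names and the sample strings are assumptions made for illustration.

```php
<?php
// Added example, not WordPress core code. The example_* names are hypothetical.

/** Split a raw disable_functions value into trimmed, non-empty names. */
function example_parse_disabled_functions( $raw ) {
	$names = array_map( 'trim', explode( ',', (string) $raw ) );
	return array_values( array_filter( $names, 'strlen' ) );
}

/** True when $function appears as a whole entry in the raw list. */
function example_is_listed_as_disabled( $function, $raw ) {
	// in_array() returns a boolean, so a match at index 0 is still a match.
	return in_array( $function, example_parse_disabled_functions( $raw ), true );
}

/** Combine the three checks discussed in the ticket before calling $function. */
function example_can_call( $function, $raw = null ) {
	if ( null === $raw ) {
		$raw = ini_get( 'disable_functions' ); // string, or false if unavailable.
	}
	return function_exists( $function )
		&& is_callable( $function )
		&& ! example_is_listed_as_disabled( $function, $raw );
}

// Constructed disable_functions values, not taken from a real server.
$samples = array(
	'ini_get_all,phpinfo',   // target is the first entry (index 0)
	'phpinfo, ini_get_all',  // target after a space
	'phpinfo,exec',          // target not listed
	'',                      // directive empty
	'my_ini_get_all',        // similar name only; must not match
);

foreach ( $samples as $raw ) {
	$names  = array_map( 'trim', explode( ',', $raw ) );
	$loose  = ! array_search( 'ini_get_all', $names ); // index 0 reads as "not found"
	$strict = ! example_is_listed_as_disabled( 'ini_get_all', $raw );
	printf(
		"%-24s loose=%-5s strict=%s\n",
		var_export( $raw, true ),
		$loose ? 'call' : 'skip',
		$strict ? 'call' : 'skip'
	);
}

// Result for the PHP runtime executing this script.
var_dump( example_can_call( 'ini_get_all' ) );
```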