Make WordPress Core

Opened 7 years ago

Closed 2 months ago

#42085 closed defect (bug) (wontfix)

Still getting ini_get_all warning message

Reported by: scottcwilson
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Bootstrap/Load
Keywords: needs-patch 2nd-opinion close
Focuses:
Cc:

Description (last modified by SergeyBiryukov)

For some PHP configurations, the check function_exists does not suffice.

Warning: ini_get_all() has been disabled for security reasons in /home/mysite/public_html/wp-includes/load.php on line 1027

Suggested fix in wp_is_ini_value_changeable()

  if ( ! isset( $ini_all ) ) {
    $ini_all = false;
    // Sometimes `ini_get_all()` is disabled via the `disable_functions` option for "security purposes".
    if ( function_exists( 'ini_get_all' ) ) {
      $disabled_functions_raw = explode( ',', ini_get( 'disable_functions' ) );
      $disabled_functions = array_map( 'trim', $disabled_functions_raw );
      // Use in_array(): array_search() returns key 0 (falsy) when 'ini_get_all' is the first entry.
      if ( ! in_array( 'ini_get_all', $disabled_functions, true ) ) {
        $ini_all = ini_get_all();
      }
    }
  }

Change History (8)

#1 @SergeyBiryukov
7 years ago

  • Component changed from General to Bootstrap/Load
  • Description modified (diff)

Previously: #37680

#2 @SergeyBiryukov
7 years ago

  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to Future Release

Hi @scottcwilson, welcome to WordPress Trac! Thanks for the report.

We already check ini_get( 'disable_functions' ) for phpinfo() in [29330], makes sense to do the same here.

#3 @johnbillion
7 years ago

  • Keywords 2nd-opinion added
  • Version 4.8.2 deleted

Under what condition does function_exists( 'ini_get_all' ) return true despite it being disabled via disable_functions? Is it only when Suhosin is in use?

This is a lot of clunky code to introduce when a function_exists() check should be all that's required.

#4 @scottcwilson
7 years ago

John, I have an environment where this is occurring and would be happy to run any tests you wish that will help characterize this. Regarding Suhosin, yes, the server is running Suhosin 0.9.38.

#5 @johnbillion
7 years ago

From previous discussion on the topic, it looks like Suhosin is the common factor. I wonder if is_callable() works, either in addition to or instead of function_exists(), when a function is disabled via the disable_functions directive. That's less hacky than looking directly at the string value of disable_functions.

#6 @scottcwilson
7 years ago

Just checked - is_callable still succeeds even though the function is disabled.
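
The check discussed in comments 3 to 6, as an added example that is not part of the ticket or of WordPress core: it gates the call on the parsed `disable_functions` value rather than on `function_exists()` or `is_callable()` alone. The helper names `example_parse_disabled_list()` and `example_function_usable()` are hypothetical, and the sample directive values are constructed.

```php
<?php
/**
 * Added example (not WordPress core code): decide whether a function can be
 * called without trusting function_exists() or is_callable() alone.
 * Both helper names are hypothetical.
 */

// Parse a raw disable_functions value into a normalized list of names.
function example_parse_disabled_list( $raw ) {
	// Lowercasing is a conservative choice: a mixed-case entry is treated
	// as a match, so the guarded call is skipped rather than attempted.
	$names = array_map( 'trim', explode( ',', strtolower( (string) $raw ) ) );
	// An empty directive yields array( '' ); drop empty entries.
	return array_values( array_filter( $names, 'strlen' ) );
}

// True only if the function exists and is not named in disable_functions.
function example_function_usable( $name, $raw_disabled = null ) {
	if ( ! function_exists( $name ) ) {
		return false;
	}
	if ( null === $raw_disabled ) {
		$raw_disabled = ini_get( 'disable_functions' );
	}
	// Strict in_array(): array_search() returns key 0 for a first-entry
	// match, and 0 is falsy, so `! array_search( ... )` would miss it.
	return ! in_array(
		strtolower( $name ),
		example_parse_disabled_list( $raw_disabled ),
		true
	);
}

// Constructed sample values for the directive, not taken from a real server.
$samples = array(
	'ini_get_all,phpinfo',   // target is the first entry (key 0)
	'phpinfo, ini_get_all ', // surrounding whitespace
	'',                      // directive not set
);

foreach ( $samples as $raw ) {
	$usable = example_function_usable( 'ini_get_all', $raw );
	printf( "%-26s => %s\n", var_export( $raw, true ), $usable ? 'call it' : 'skip it' );
}
```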

#7 @jorbin
4 months ago

  • Keywords close added

It's been seven years and there haven't been any additional reports of this issue either on trac or in the forums. That seems to indicate to me that perhaps this was an issue with the specific version of Suhosin. I think this might be something that can be closed as wontfix.

#8 @JeffPaul
2 months ago

  • Milestone Future Release deleted
  • Resolution set to wontfix
  • Status changed from new to closed

I concur, close.
