Make WordPress Core

Opened 3 months ago

Closed 3 months ago

Last modified 3 months ago

#62047 closed defect (bug) (duplicate)

check if ini_set is available to prevent Fatal Errors

Reported by: maltfield
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: General
Keywords: has-patch
Focuses:
Cc:

Description (last modified by swissspidy)

There is a bug in WordPress that prevents users from logging in if their PHP server was hardened following common best practices:

ini_set( 'display_errors', 1 );

This line causes a PHP Fatal error on hardened systems with the ini_set function disabled.

PHP Fatal error:  Uncaught Error: Call to undefined function ini_set() in /mnt/hetznerVol3/high_priority/www/html/wordpress/htdocs/wp-includes/load.php:600

Why this matters

For security reasons, orgs frequently configure php.ini to be hardened by adding many dangerous functions to the disable_functions variable in the php.ini file. For example, it's common to disable the 'exec' function:

disable_functions = exec

Of course, if a PHP script could modify the PHP configuration, then it would defeat any hardening done by setting disable_functions. As such, it's common to add ini_set to the disable_functions:

disable_functions = exec, ini_set

Solution

To fix the PHP Fatal error, WordPress should always check to see if the ini_set function exists before attempting to call it:

if( function_exists( 'ini_set') ){
   ini_set( 'display_errors', 1 );
}
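
An added example, not part of the ticket or of WordPress core: a heuristic pre-deployment check, in Python, that reads disable_functions from php.ini text and lists calls to those functions that have no function_exists() guard nearby, which is the pattern the Solution above proposes. The function names, the three-line lookback and the sample inputs are assumptions constructed for illustration.

```python
import re

# Constructed sample inputs, modelled on the snippets in the ticket.
SAMPLE_INI = "; constructed sample\ndisable_functions = exec, ini_set\n"
SAMPLE_PHP = """<?php
// constructed sample
ini_set( 'display_errors', 1 );
if ( function_exists( 'ini_set' ) ) {
    ini_set( 'display_errors', 0 );
}
$out = $runner->exec( 'job' );
exec( 'uptime' );
"""

def parse_disable_functions(ini_text):
    """Names listed in the last disable_functions directive of php.ini text."""
    names = set()
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ini comments
        m = re.match(r"disable_functions\s*=\s*(.*)$", line)
        if m:
            parts = (n.strip(' "').lower() for n in m.group(1).split(","))
            names = {n for n in parts if n}
    return names

def unguarded_calls(php_source, disabled, lookback=3):
    """Return (line_no, name) for each call to a disabled function with no
    function_exists('<name>') on the same line or the `lookback` lines above.
    Heuristic (assumption): regex based, so strings and block comments can
    produce false positives; it is a review aid, not a parser."""
    lines = php_source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # skip obvious comment lines
        window = "\n".join(lines[max(0, i - lookback): i + 1])
        for name in sorted(disabled):
            n = re.escape(name)
            # A bare call: not a method (->), static (::) or longer identifier.
            call = re.search(r"(?<![\w$>:])" + n + r"\s*\(", line, re.I)
            declared = re.search(r"\bfunction\s+&?\s*" + n + r"\b", line, re.I)
            guard = re.search(
                r"function_exists\s*\(\s*['\"]\\?" + n + r"['\"]\s*\)", window, re.I)
            if call and not declared and not guard:
                findings.append((i + 1, name))
    return findings

if __name__ == "__main__":
    for line_no, name in unguarded_calls(SAMPLE_PHP, parse_disable_functions(SAMPLE_INI)):
        print(f"line {line_no}: unguarded call to disabled function {name}()")
```

Each reported line is a place where PHP 8 would raise the "Call to undefined function" fatal error once the function is added to disable_functions.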

Change History (5)

#1 @maltfield
3 months ago

meta: how the heck can I edit the OP of this ticket to fix syntax, etc?

#2 @swissspidy
3 months ago

  • Description modified (diff)
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

This looks like a duplicate of #48693

#3 @maltfield
3 months ago

@swissspidy I'm not sure this is a duplicate. #48693 is a low-priority issue asking to clean up log messages.

This ticket is similar, but it's a higher-priority issue asking to fix PHP Fatal Errors, which break whole websites.

#4 @swissspidy
3 months ago

It's literally about the same thing, in the same wp_debug_mode() function.

The only difference is that prior to PHP 8 this triggered warnings, but starting with PHP 8 this triggers a fatal error.

Let's continue the discussion there :-)
