[wp-trac] [WordPress Trac] #37680: PHP Warning: ini_get_all() has been disabled for security reasons
WordPress Trac
noreply at wordpress.org
Wed Aug 17 02:38:28 UTC 2016
#37680: PHP Warning: ini_get_all() has been disabled for security reasons
----------------------------+-----------------------
 Reporter:  dd32            |      Owner:
     Type:  defect (bug)    |     Status:  new
 Priority:  normal          |  Milestone:  4.6.1
Component:  Bootstrap/Load  |    Version:  4.6
 Severity:  normal          |   Keywords:  has-patch
  Focuses:                  |
----------------------------+-----------------------

As reported in the Support Forums, WordPress 4.6 calls `ini_get_all()`
which may be disabled on some hosts (possibly due to an old PHP 5.3.x
security vulnerability).

https://wordpress.org/support/topic/warning-ini_get_all-has-been-disabled-for-security-reasons

This can be duplicated by adding `disable_functions = ini_get_all` to your
`php.ini` file.

Looking at our usage of the `ini_*` functions in core, we:
- sometimes silence warnings from `ini_set()` - usually early in the
  bootstrap, so I'm assuming from before `wp_debug_mode()` is called.
- never silence `ini_get()` calls.

The current breakage on the affected hosts would be:
- A PHP Warning will be displayed on sites post-upgrade to 4.6.
- `wp_raise_memory_limit()` will fail to increase the memory limit, which
  may result in some admin pages not loading, or image uploads failing to
  create resized images.

We should fix this to at least not present with a PHP Warning, although I
recognise that almost any function could be in the `disable_plugin`
setting, some (such as `phpinfo()` and `ini_*`) are historically much more
likely to be there.

See #32075 for introduction.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/37680>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
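
One way to guard `ini_*` calls against the `disable_functions` setup described in this ticket, as an added example that is neither WordPress core code nor the ticket's patch. The `example_*` function names are hypothetical, and falling back to "try `ini_set()` and check its result" when `ini_get_all()` is unavailable is an assumption of this sketch.

```php
<?php
// Added example; the example_* names are hypothetical, not WordPress core functions.

// function_exists() returns false for anything listed in disable_functions,
// so guarding on it never triggers the "has been disabled" warning.
function example_ini_changeable( $setting ) {
    static $ini_all = null;
    if ( null === $ini_all ) {
        $ini_all = function_exists( 'ini_get_all' ) ? ini_get_all() : false;
    }
    if ( ! is_array( $ini_all ) ) {
        return true; // Assumption: access level unknown, so let ini_set() decide.
    }
    return isset( $ini_all[ $setting ]['access'] )
        && ( $ini_all[ $setting ]['access'] & INI_USER ) === INI_USER;
}

// Convert php.ini shorthand ("256M", "1G") to bytes; "-1" stays -1 (unlimited).
function example_to_bytes( $value ) {
    $value = strtolower( trim( (string) $value ) );
    $bytes = (int) $value;
    switch ( substr( $value, -1 ) ) {
        case 'g': $bytes *= 1024; // fall through
        case 'm': $bytes *= 1024; // fall through
        case 'k': $bytes *= 1024;
    }
    return $bytes;
}

// Returns the new limit on success, false if the limit was left unchanged.
function example_raise_memory_limit( $wanted ) {
    if ( ! function_exists( 'ini_get' ) || ! function_exists( 'ini_set' ) ) {
        return false; // Either call would warn on a host that disabled it.
    }
    if ( ! example_ini_changeable( 'memory_limit' ) ) {
        return false;
    }
    $current = example_to_bytes( ini_get( 'memory_limit' ) );
    if ( -1 === $current || $current >= example_to_bytes( $wanted ) ) {
        return false; // Already unlimited or high enough.
    }
    if ( false === ini_set( 'memory_limit', $wanted ) ) {
        return false;
    }
    return $wanted;
}

var_dump( example_raise_memory_limit( '256M' ) );
```

Running this with `disable_functions = ini_get_all` in `php.ini`, the reproduction given in the ticket, exercises the fallback branch without emitting a warning.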