[wp-trac] [WordPress Trac] #37680: PHP Warning: ini_get_all() has been disabled for security reasons
WordPress Trac
noreply at wordpress.org
Tue Aug 30 08:03:25 UTC 2016
#37680: PHP Warning: ini_get_all() has been disabled for security reasons
------------------------------------------+-----------------------
Reporter: dd32 | Owner: dd32
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 4.6.1
Component: Bootstrap/Load | Version: 4.6
Severity: normal | Resolution:
Keywords: has-patch commit fixed-major | Focuses:
------------------------------------------+-----------------------
Comment (by dd32):
Replying to [comment:18 jeremyfelt]:
> Replying to [comment:17 jdgrimes]:
> > @dd32 `function_exists()` [https://secure.php.net/manual/en/function.function-exists.php#refsect1-function.function-exists-notes doesn't detect disabled functions]:
> >
> > >'''Note:'''
> > >A function name may exist even if the function itself is unusable due to configuration or compiling options (with the image functions being an example).
>
> `function_exists()` returns false for functions disabled through `disable_function` in php.ini.
>
> Via the discussion on #26772, it seems like it's possible for a false positive when using suhosin config to disable. We added an additional check for `ini_get( 'disable_functions' )` in [29330], but I'm not sure how that works with suhosin anyway, which uses the option `suhosin.executor.func.blacklist`.
>
> It may be that we've done just fine with `function_exists()` on its own beyond that one bug report, but I may also not understand a piece.

Technically you're right, personally though, I don't want to perform silly
workarounds like that. I'm fine with a server which uses a hardening
extension to disable a safe function throwing warnings.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37680#comment:19>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
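
Added example, not part of the original message and not WordPress core code: a sketch of the combined check discussed in the thread, which consults `function_exists()`, `ini_get( 'disable_functions' )` and the `suhosin.executor.func.blacklist` option. The helper names `example_parse_function_list()` and `example_function_is_usable()` are hypothetical, the sample ini values are constructed, and treating the Suhosin option as a comma-separated list is an assumption.

```php
<?php
/**
 * Split a comma-separated ini value into lowercase function names.
 * ini_get() returns false when the option is not registered (for example
 * when Suhosin is not loaded), so non-strings yield an empty list.
 */
function example_parse_function_list( $raw ) {
	if ( ! is_string( $raw ) || '' === trim( $raw ) ) {
		return array();
	}
	$names = array_map( 'trim', explode( ',', strtolower( $raw ) ) );
	return array_values( array_filter( $names, 'strlen' ) );
}

/**
 * Report whether a function can be called without a "disabled" warning.
 * The two optional arguments let a caller pass ini values directly; when
 * they are null the live configuration is read.
 */
function example_function_is_usable( $name, $disable_functions = null, $suhosin_blacklist = null ) {
	// PHP function names are case-insensitive.
	$name = strtolower( ltrim( $name, '\\' ) );

	// First gate: the function must be defined at all.
	if ( ! function_exists( $name ) ) {
		return false;
	}
	if ( null === $disable_functions ) {
		$disable_functions = ini_get( 'disable_functions' );
	}
	if ( null === $suhosin_blacklist ) {
		$suhosin_blacklist = ini_get( 'suhosin.executor.func.blacklist' );
	}

	// Second gate: the name must not appear in either block list.
	$blocked = array_merge(
		example_parse_function_list( $disable_functions ),
		example_parse_function_list( $suhosin_blacklist )
	);
	return ! in_array( $name, $blocked, true );
}

// Constructed ini values: the function is named only in the Suhosin list.
var_dump( example_function_is_usable( 'ini_get_all', '', 'exec, INI_GET_ALL ,shell_exec' ) );
// Constructed ini values: Suhosin not loaded (false) and nothing disabled.
var_dump( example_function_is_usable( 'ini_get_all', '', false ) );
```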