[wp-trac] [WordPress Trac] #37680: PHP Warning: ini_get_all() has been disabled for security reasons

WordPress Trac noreply at wordpress.org
Wed Aug 17 02:47:21 UTC 2016


#37680: PHP Warning: ini_get_all() has been disabled for security reasons
----------------------------+--------------------
 Reporter:  dd32            |       Owner:
     Type:  defect (bug)    |      Status:  new
 Priority:  normal          |   Milestone:  4.6.1
Component:  Bootstrap/Load  |     Version:  4.6
 Severity:  normal          |  Resolution:
 Keywords:  has-patch       |     Focuses:
----------------------------+--------------------

Old description:

> As reported in the Support Forums, WordPress 4.6 calls `ini_get_all()`
> which may be disabled on some hosts (possibly due to an old PHP 5.3.x
> security vulnerability).
>
> https://wordpress.org/support/topic/warning-ini_get_all-has-been-
> disabled-for-security-reasons
>
> This can be duplicated by adding `disable_functions = ini_get_all` to
> your `php.ini` file.
>
> Looking at our usage of the `ini_*` functions in core, we:
>  - sometimes silence warnings from `ini_set()` - usually early in the
> bootstrap, so I'm assuming from before `wp_debug_mode()` is called.
>  - never silence `ini_get()` calls.
>
> The current breakage on the affected hosts would be:
>  - A PHP Warning will be displayed on sites post-upgrade to 4.6.
>  - `wp_raise_memory_limit()` will fail to increase the memory limit,
> which may result in some admin pages not loading, or image uploads
> failing to create resized images.
>
> We should fix this to at least not present with a PHP Warning, although I
> recognise that almost any function could be in the `disable_plugin`
> setting, some (such as `phpinfo()` and `ini_*`) are historically much
> more likely to be there.
>
> See #32075 for introduction.

New description:

 As reported in the Support Forums, WordPress 4.6 calls `ini_get_all()`
 which may be disabled on some hosts (possibly due to an old PHP 5.3.x
 security vulnerability).

 https://wordpress.org/support/topic/warning-ini_get_all-has-been-disabled-
 for-security-reasons

 This can be duplicated by adding `disable_functions = ini_get_all` to your
 `php.ini` file.

 Looking at our usage of the `ini_*` functions in core, we:
  - sometimes silence warnings from `ini_set()` - usually early in the
 bootstrap, so I'm assuming from before `wp_debug_mode()` is called.
  - never silence `ini_get()` calls.

 The current breakage on the affected hosts would be:
  - A PHP Warning will be displayed on sites post-upgrade to 4.6.
  - `wp_raise_memory_limit()` will fail to increase the memory limit, which
 may result in some admin pages not loading, or image uploads failing to
 create resized images.
  - WSOD - Single-site installs will not increase their memory limit to
 40M, multisite will fail to increase to 64M, both of these could cause
 WSOD if the memory limit was set arbitrarily low and the site was running
 plugins which use a lot of memory.

 We should fix this to at least not present with a PHP Warning, although I
 recognise that almost any function could be in the `disable_plugin`
 setting, some (such as `phpinfo()` and `ini_*`) are historically much more
 likely to be there.

 See #32075 for introduction.

--

Comment (by dd32):

 I primarily see two main options:
  - Silence the PHP Warning [attachment:37680.diff]
  - Check the `disable_functions` list (as we do elsewhere for `phpinfo()`)
 [attachment:37680.2.diff]

 That then leaves the question of what to do when disabled, Do we return
 true anyway as a "We can't determine if it's changeable, so we're just
 assuming it probably is."? or do we just continue to return false as 4.6
 currently does?

 I've taken the angle that we should return true in the event we can't be
 sure, this may result in PHP warnings being emitted from `ini_set()`,
 however we already silence warnings on the `ini_set()`'s at least for the
 memory_limit (which is the only thing this function is used for
 currently). It's the `is_array()` block at the end of the function in both
 patches that's responsible for this behaviour.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/37680#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list