[wp-trac] [WordPress Trac] #62047: check if ini_set is available to prevent Fatal Errors
WordPress Trac
noreply at wordpress.org
Fri Sep 13 14:37:36 UTC 2024
#62047: check if ini_set is available to prevent Fatal Errors
--------------------------+-----------------------------
Reporter: maltfield | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
There is a bug in WordPress that prevents users from logging in if their
PHP server was hardened following common best practices:
```
ini_set( 'display_errors', 1 );
```
This line causes a PHP Fatal error on hardened systems with the `ini_set`
function disabled.
```
PHP Fatal error: Uncaught Error: Call to undefined function ini_set() in /mnt/hetznerVol3/high_priority/www/html/wordpress/htdocs/wp-includes/load.php:600
```
# Why this matters
For security reasons, orgs frequently configure `php.ini` to be hardened
by adding many dangerous functions to the `disable_functions` variable in
the `php.ini` file. For example, it's common to disable the 'exec'
function:
```
disable_functions = exec
```
Of course, if a php script could modify the php configuration, then it
would defeat any hardening done by setting `disable_functions`. As such,
it's common to add `ini_set` to the `disable_functions`:
```
disable_functions = exec, ini_set
```
# Solution
To fix the PHP Fatal error, WordPress should always check to see if the
`ini_set` function exists before attempting to call it:
```
if ( function_exists( 'ini_set' ) ) {
    ini_set( 'display_errors', 1 );
}
```
--
Ticket URL: <https://core.trac.wordpress.org/ticket/62047>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
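
An added example, not part of the original ticket or of WordPress: a line-based heuristic scanner in Python that reads `disable_functions` from a `php.ini` and reports calls to those functions that sit outside a `function_exists()` guard, which is the pattern the ticket describes. The sample ini and PHP source are constructed, and the names `parse_disabled` and `find_unguarded_calls` are hypothetical.

```python
import re

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_INI = "; hardening\ndisable_functions = exec, ini_set\n"
SAMPLE_PHP = """<?php
ini_set( 'display_errors', 1 );
if ( function_exists( 'ini_set' ) ) {
    ini_set( 'display_errors', 0 );
}
if ( function_exists( 'exec' ) ) exec( 'uptime' );
$out = exec( 'uptime' );
"""

GUARD = re.compile(r"(!\s*)?function_exists\s*\(\s*['\"](\w+)['\"]\s*\)")
CALL = re.compile(r"(?<![\w$>:])(\w+)\s*\(")  # skips ->m(), ::m(), $f()

def parse_disabled(ini_text):
    """Return the names listed in php.ini's disable_functions (last one wins)."""
    names = set()
    for line in ini_text.splitlines():
        m = re.match(r"\s*disable_functions\s*=(.*)", line.split(";", 1)[0])
        if m:
            value = m.group(1).strip().strip('"')
            names = {n.strip().lower() for n in value.split(",") if n.strip()}
    return names

def find_unguarded_calls(php_source, disabled):
    """Heuristic, line-based: report (line, name) for calls to disabled
    functions made outside an if (function_exists('name')) guard."""
    depth, active, pending, findings = 0, [], set(), []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        code = re.sub(r"(//|#).*", "", line)  # drop line comments
        # A positive guard stays pending until its block or statement starts.
        pending |= {g.lower() for neg, g in GUARD.findall(code) if not neg}
        guarded = pending | {g for g, _ in active}
        for name in CALL.findall(code):
            if name.lower() in disabled and name.lower() not in guarded:
                findings.append((lineno, name.lower()))
        for ch in code:
            if ch == "{":      # guard now covers the block being opened
                depth += 1
                active += [(g, depth) for g in pending]
                pending = set()
            elif ch == "}":    # leaving a block ends the guards tied to it
                active = [(g, d) for g, d in active if d < depth]
                depth -= 1
            elif ch == ";":    # brace-less guard covered only this statement
                pending = set()
    return findings
```

On the constructed sample, `find_unguarded_calls(SAMPLE_PHP, parse_disabled(SAMPLE_INI))` flags lines 2 and 7. Treat results as leads to review by hand, since the scan does not understand block comments, string contents or early-return guards.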