[wp-trac] [WordPress Trac] #62047: check if ini_set is available to prevent Fatal Errors

WordPress Trac noreply at wordpress.org
Fri Sep 13 15:32:31 UTC 2024


#62047: check if ini_set is available to prevent Fatal Errors
--------------------------+------------------------
 Reporter:  maltfield     |       Owner:  (none)
     Type:  defect (bug)  |      Status:  closed
 Priority:  normal        |   Milestone:
Component:  General       |     Version:
 Severity:  normal        |  Resolution:  duplicate
 Keywords:                |     Focuses:
--------------------------+------------------------
Changes (by swissspidy):

 * status:  new => closed
 * resolution:   => duplicate
 * milestone:  Awaiting Review =>


Old description:

> There is a bug in WordPress that prevents users from logging in if their
> PHP server was hardened following common best practices.
>
> ```
> ini_set( 'display_errors', 1 );
> ```
>
> This line causes a PHP Fatal error on hardened systems with the `ini_set`
> function disabled.
>
> ```
> PHP Fatal error:  Uncaught Error: Call to undefined function ini_set() in /mnt/hetznerVol3/high_priority/www/html/wordpress/htdocs/wp-includes/load.php:600
> ```
>
> # Why this matters
>
> For security reasons, orgs frequently configure `php.ini` to be hardened
> by adding many dangerous functions to the `disable_functions` variable in
> the `php.ini` file. For example, it's common to disable the 'exec'
> function.
>
> ```
> disable_functions = exec
> ```
>
> Of course, if a PHP script could modify the PHP configuration, then it
> would defeat any hardening done by setting `disable_functions`. As such,
> it's common to add `ini_set` to the `disable_functions`.
>
> ```
> disable_functions = exec, ini_set
> ```
>
> # Solution
>
> To fix the PHP Fatal error, WordPress should always check to see if the
> `ini_set` function exists before attempting to call it.
>
> ```
> if( function_exists( 'ini_set') ){
>    ini_set( 'display_errors', 1 );
> }
> ```

New description:

 There is a bug in WordPress that prevents users from logging in if their
 PHP server was hardened following common best practices.

 {{{
 ini_set( 'display_errors', 1 );
 }}}

 This line causes a PHP Fatal error on hardened systems with the `ini_set`
 function disabled.

 {{{
 PHP Fatal error:  Uncaught Error: Call to undefined function ini_set() in /mnt/hetznerVol3/high_priority/www/html/wordpress/htdocs/wp-includes/load.php:600
 }}}

 **Why this matters**

 For security reasons, orgs frequently configure `php.ini` to be hardened
 by adding many dangerous functions to the `disable_functions` variable in
 the `php.ini` file. For example, it's common to disable the 'exec'
 function.

 {{{
 disable_functions = exec
 }}}

 Of course, if a PHP script could modify the PHP configuration, then it
 would defeat any hardening done by setting `disable_functions`. As such,
 it's common to add `ini_set` to the `disable_functions`.

 {{{
 disable_functions = exec, ini_set
 }}}

 **Solution**

 To fix the PHP Fatal error, WordPress should always check to see if the
 `ini_set` function exists before attempting to call it.

 {{{
 if( function_exists( 'ini_set') ){
    ini_set( 'display_errors', 1 );
 }
 }}}

--

Comment:

 This looks like a duplicate of #48693

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/62047#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
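The guard the ticket proposes, carried a step further as an added PHP example (not code from the ticket, from WordPress core, or from the reporter): a wrapper that only calls `ini_set()` when it is callable, plus a check that reports which functions a bootstrap relies on have been removed via `disable_functions`. The function names `guarded_ini_set` and `disabled_required_functions` are hypothetical.

```php
<?php
// Added example, not WordPress core code. Names below are hypothetical.
// function_exists() returns false for functions listed in disable_functions,
// which is what makes a guard like this sufficient to avoid the
// "Call to undefined function ini_set()" fatal from the ticket.

/**
 * Set a php.ini directive only if ini_set() is callable.
 * Returns the previous value on success, or null when ini_set() is
 * disabled or the directive cannot be changed at runtime.
 */
function guarded_ini_set( string $directive, string $value ): ?string {
    if ( ! function_exists( 'ini_set' ) ) {
        return null;
    }
    $previous = ini_set( $directive, $value );
    return ( false === $previous ) ? null : $previous;
}

/**
 * Return the subset of $required that the current PHP configuration has
 * disabled. ini_get() may itself be disabled; in that case the
 * disable_functions list is treated as unknown and only function_exists()
 * decides.
 */
function disabled_required_functions( array $required ): array {
    $listed = function_exists( 'ini_get' ) ? (string) ini_get( 'disable_functions' ) : '';
    $listed = array_map( 'trim', explode( ',', $listed ) );

    $disabled = [];
    foreach ( $required as $fn ) {
        if ( in_array( $fn, $listed, true ) || ! function_exists( $fn ) ) {
            $disabled[] = $fn;
        }
    }
    return $disabled;
}

// Constructed usage: what a bootstrap call site would look like with the
// guard applied. On a host with "disable_functions = exec, ini_set" this
// logs a notice instead of dying with a fatal error before login.
$missing = disabled_required_functions( [ 'ini_set', 'ini_get' ] );
if ( $missing ) {
    error_log( 'Hardened PHP: disabled functions: ' . implode( ', ', $missing ) );
}
if ( null === guarded_ini_set( 'display_errors', '1' ) ) {
    error_log( 'display_errors could not be changed at runtime; keeping the php.ini value.' );
}
```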