Problem
There is a bug in PEAR.php at the following line:
This line causes a PHP Fatal error on hardened systems with the ini_set function disabled.
PHP Fatal error: Uncaught Error: Call to undefined function ini_set() in /usr/share/php/PEAR.php:52\n...
Why this matters
For security reasons, orgs frequently harden their PHP configuration by adding many dangerous functions to the disable_functions variable in the php.ini file. For example, it's common to disable the 'exec' function:
disable_functions = exec
Of course, if a PHP script could modify the PHP configuration, then it would defeat any hardening done by setting disable_functions. As such, it's common to add ini_set to disable_functions as well:
disable_functions = exec, ini_set
Solution
To fix the PHP Fatal error, PEAR should always check whether the ini_set function exists before attempting to call it.
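One way to implement the check described above, as an added example that is not PEAR's own code. The helper names `guarded_ini_set` and `unavailable_functions` are hypothetical, and `display_errors` is an arbitrary sample setting, not the option PEAR.php sets.

```php
<?php
// Added example: hypothetical helpers, not part of PEAR.

/**
 * Call ini_set() only when the function is available.
 *
 * Returns the previous value of the option on success, or false when
 * ini_set is disabled or the runtime rejects the change.
 */
function guarded_ini_set(string $option, string $value)
{
    // function_exists() returns false for functions listed in
    // disable_functions, so this guard avoids the fatal
    // "Call to undefined function ini_set()" error.
    if (!function_exists('ini_set')) {
        return false;
    }
    return ini_set($option, $value);
}

/** Report which of the given functions are unavailable in this runtime. */
function unavailable_functions(array $names): array
{
    return array_values(array_filter(
        $names,
        fn(string $name): bool => !function_exists($name)
    ));
}

// Constructed sample: an arbitrary runtime setting.
$previous = guarded_ini_set('display_errors', '0');
if ($previous === false) {
    // Degrade gracefully: keep whatever php.ini already configured.
    echo "ini_set unavailable or rejected; keeping configured value", PHP_EOL;
}

// Show which hardening-relevant functions the administrator has disabled.
$missing = unavailable_functions(['exec', 'ini_set']);
echo 'Unavailable: ', ($missing ? implode(', ', $missing) : 'none'), PHP_EOL;
```

Running the script with `php -d disable_functions=exec,ini_set` reproduces the hardened configuration without editing php.ini.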
Context
This error was discovered on a server running the latest version of all software on the latest version of Debian, at the time of writing.
root@host:~# cat /etc/issue
Debian GNU/Linux 12 \n \l
root@host:~#
root@host:~# dpkg -l | grep -iE 'php-common|php-pear'
ii php-common 2:93 all Common files for PHP packages
ii php-pear 1:1.10.13+submodules+notgz+2022032202-2 all PEAR Base System
root@host:~#