Open maltfield opened 6 days ago

There is a bug in phpList that causes Fatal Errors on PHP servers that have been hardened following common best-practices.

This line causes a PHP Fatal error on hardened systems with the ini_set function disabled.

Why this matters

For security reasons, orgs frequently configure php.ini to be hardened by adding many dangerous functions to the disable_functions variable in the php.ini file. For example, it's common to disable the exec function.

Of course, if a php script could modify the php configuration, then it would defeat any hardening done by setting disable_functions. As such, it's common to add ini_set to the disable_functions.

Solution

To fix the PHP Fatal error, phpList should always check to see if the ini_set function exists before attempting to call it.

Note that, while this has always triggered error messages, it's only since PHP 8 that this now triggers a Fatal Error.

> Of course, if a php script could modify the php configuration, then it would defeat any hardening done by setting disable_functions

disable_functions cannot be changed by ini_set().

I think the point of @maltfield is that disable_functions is set outside of phpList somewhere.

Counterpoint would be to not disable ini_set for phpList for hardening, as it would defeat the hardening that phpList makes using it.
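A guard of the kind the issue proposes, written here as an added example rather than phpList's own code. It assumes a hardened php.ini that lists ini_set in disable_functions (a constructed configuration) and a helper named safe_ini_set (a hypothetical name, not a phpList function). function_exists() reports a function listed in disable_functions as absent, so one check covers both "not compiled in" and "disabled by the administrator":

```php
<?php
// Added example, not phpList code.
//
// Assumed php.ini on the hardened host (constructed for this example):
//   disable_functions = exec,passthru,shell_exec,system,proc_open,popen,ini_set
//
// With ini_set disabled, a bare ini_set() call is a warning on PHP 7 and an
// uncaught Error ("Call to undefined function") on PHP 8. function_exists()
// returns false for disabled functions, so it is a safe guard.

function safe_ini_set(string $option, string $value): bool
{
    if (!function_exists('ini_set')) {
        // Hardened host: leave the server configuration untouched and let
        // the caller decide whether the administrator's default is acceptable.
        return false;
    }

    // ini_set() returns the previous value as a string, or false when the
    // option could not be changed at runtime (PHP_INI_SYSTEM options such as
    // disable_functions itself are always refused here).
    return ini_set($option, $value) !== false;
}

// Usage: request a larger limit, but keep running if the request is refused.
if (!safe_ini_set('memory_limit', '256M')) {
    // Fall back to whatever the administrator configured; log so operators
    // can see why the application did not get the value it asked for.
    error_log('memory_limit not raised: ini_set unavailable or refused');
}
```

The wrapper only removes the crash; it does not restore the behaviour phpList wanted from ini_set. That is the trade-off raised in the last comment above: on a host where ini_set is disabled, the application runs with the administrator's php.ini values, so the fallback branch should be something the code can genuinely live with rather than an ignored failure.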