Details
Type: Improvement
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 1.11.11
Fix Version/s: None
Component/s: Zend_Application, Zend_Feed, Zend_Gdata, Zend_Pdf, Zend_Search_Lucene, Zend_Soap_Server
Labels: None
Description
We use the suhosin patch to harden our servers against attacks, and ini_set is one of our blacklisted methods.
The Zend Framework uses ini_set in several components without checking whether ini_set is really necessary.
It would be nice to have a check if a var already has the value that will be set:
$trackErrors = ini_get('track_errors');
ini_set('track_errors', '1');
$this->_fileHandle = @fopen($filename, $mode);
if ($this->_fileHandle === false) {
    ini_set('track_errors', $trackErrors);
    require_once 'Zend/Search/Lucene/Exception.php';
    throw new Zend_Search_Lucene_Exception($php_errormsg);
}
ini_set('track_errors', $trackErrors);
use the following:
if ( ( $trackErrors = ini_get('track_errors') ) != 1 ) {
    ini_set('track_errors', '1');
}
$this->_fileHandle = @fopen($filename, $mode);
if ($this->_fileHandle === false) {
    ini_set('track_errors', $trackErrors);
    require_once 'Zend/Search/Lucene/Exception.php';
    throw new Zend_Search_Lucene_Exception($php_errormsg);
}
if ( $trackErrors == 0 ) {
    ini_set('track_errors', $trackErrors);
}
We have the possibility to set track_errors to 1 in our apache.conf, and suhosin will never kill our application due to usage of ini_set.
Code tags added.
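A guarded variant of the pattern in the description that never calls ini_set() when track_errors is already on, on either the success path or the failure path. This is an added example, not Zend Framework code and not the reporter's patch. The function names are hypothetical, and it assumes PHP 5.x (as used with ZF 1.11), where track_errors and $php_errormsg still exist. It goes slightly beyond the description by also treating values such as "On" as enabled.

```php
<?php
// Added example, not Zend Framework code. All function names are hypothetical.
// Assumes PHP 5.x, where track_errors and $php_errormsg are available.

/** Interpret an ini flag the way PHP does ("1", "On", "yes", "true" mean on). */
function iniFlagIsOn($value)
{
    return in_array(strtolower(trim((string) $value)), array('1', 'on', 'yes', 'true'), true);
}

/**
 * Switch a boolean ini flag on only if it is currently off.
 * Returns the previous raw value when ini_set() was called, or null when the
 * flag was already on and ini_set() was never touched.
 */
function guardedIniEnable($name)
{
    $previous = ini_get($name);
    if (iniFlagIsOn($previous)) {
        return null;               // already on, e.g. set in the Apache config
    }
    ini_set($name, '1');
    return (string) $previous;
}

/** Undo guardedIniEnable(); does nothing when nothing was changed. */
function guardedIniRestore($name, $previous)
{
    if ($previous !== null) {
        ini_set($name, $previous);
    }
}

/** Open a file and turn a failed fopen() into an exception carrying PHP's message. */
function openOrFail($filename, $mode)
{
    $previous = guardedIniEnable('track_errors');
    $handle   = @fopen($filename, $mode);
    // Copy the message first; $php_errormsg is only set when track_errors is on.
    $message  = ($handle === false && isset($php_errormsg)) ? $php_errormsg : null;
    guardedIniRestore('track_errors', $previous);   // one restore path for success and failure

    if ($handle === false) {
        throw new RuntimeException($message !== null ? $message : "Cannot open $filename");
    }
    return $handle;
}
```

With track_errors enabled in the server configuration, openOrFail() reaches fopen() and the exception path without a single ini_set() call.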