ZF-11922: Call ini_set only if necessary

Issue Type: Improvement
Created: 2011-12-02T14:36:35.000+0000
Last Updated: 2011-12-02T14:47:22.000+0000
Status: Open
Fix version(s):
Reporter: Thorsten D. (schnoop)
Assignee: Matthew Weier O'Phinney (matthew)
Tags:

  • Zend_Application
  • Zend_Feed
  • Zend_Gdata
  • Zend_Pdf
  • Zend_Search_Lucene
  • Zend_Soap_Server

Related issues:
Attachments:

Description

We use the suhosin patch to harden our servers against attacks, and ini_set is one of our blacklisted methods.

The Zend Framework is using ini_set in several components, without checking whether ini_set is really necessary.

It would be nice to have a check if a var already has the value that will be set:

<pre class="highlight">
$trackErrors = ini_get('track_errors');
ini_set('track_errors', '1');

$this->_fileHandle = @fopen($filename, $mode);

if ($this->_fileHandle === false) {
    ini_set('track_errors', $trackErrors);
    require_once 'Zend/Search/Lucene/Exception.php';
    throw new Zend_Search_Lucene_Exception($php_errormsg);
}

ini_set('track_errors', $trackErrors);
</pre>

use the following:

<pre class="highlight">
// Enable track_errors only if it is not already on.
if ( ( $trackErrors = ini_get('track_errors') ) != 1 ) {
    ini_set('track_errors', '1');
}
$this->_fileHandle = @fopen($filename, $mode);

if ($this->_fileHandle === false) {
    // Restore only if the value was changed above.
    if ( $trackErrors != 1 ) {
        ini_set('track_errors', $trackErrors);
    }
    require_once 'Zend/Search/Lucene/Exception.php';
    throw new Zend_Search_Lucene_Exception($php_errormsg);
}
// Restore only if the value was changed above.
if ( $trackErrors != 1 ) {
    ini_set('track_errors', $trackErrors);
}
</pre>

We have the possibility to set track_errors to 1 in our apache.conf, and suhosin will never kill our application due to usage of ini_set.
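The same check generalized into a reusable wrapper, as an added example that is not part of the original report or of Zend Framework: `zfx_ini_same` and `zfx_with_ini` are hypothetical names, the file path is constructed, and PHP 5.3 to 7.x (where `track_errors` and `$php_errormsg` exist) is assumed.

```php
<?php
// Added example: hypothetical helpers, not Zend Framework code.
// Assumes PHP 5.3 to 7.x, where track_errors and $php_errormsg exist.

/** Compare two ini values; flags compare as booleans ("On" equals "1"). */
function zfx_ini_same($current, $wanted, $isFlag)
{
    if ($current === false) {   // option unknown to this PHP build
        return false;
    }
    if ($isFlag) {
        return filter_var($current, FILTER_VALIDATE_BOOLEAN)
            === filter_var($wanted, FILTER_VALIDATE_BOOLEAN);
    }
    return (string) $current === (string) $wanted;
}

/**
 * Run $callback with ini option $name set to $value. ini_set() is called
 * only when the value differs, and the old value is restored only if this
 * function changed it.
 */
function zfx_with_ini($name, $value, $callback, $isFlag = false)
{
    $previous = ini_get($name);
    $changed  = !zfx_ini_same($previous, $value, $isFlag);

    if ($changed && ini_set($name, $value) === false) {
        throw new RuntimeException("ini_set('$name') failed");
    }
    try {
        $result = call_user_func($callback);
    } catch (Exception $e) {
        if ($changed) { ini_set($name, $previous); }
        throw $e;
    }
    if ($changed) { ini_set($name, $previous); }
    return $result;
}

// Usage with a constructed path: open a file and capture the error text.
$open = function () {
    $handle = @fopen('/nonexistent/constructed-example.idx', 'rb');
    return array($handle, isset($php_errormsg) ? $php_errormsg : null);
};
list($handle, $error) = zfx_with_ini('track_errors', '1', $open, true);
if ($handle === false) {
    echo "open failed: $error\n";
}
```

When the server configuration already sets `track_errors` to 1, neither the set nor the restore path reaches `ini_set`, including when the callback throws.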

Comments

Posted by Frank Brückner (frosch) on 2011-12-02T14:47:22.000+0000

Code tags added.
