Closed (works as designed)
Project:
Advanced Help
Version:
6.x-1.2
Component:
Code
Priority:
Normal
Category:
Support request
Assigned:
Unassigned
Reporter:
Created:
19 Jul 2010 at 17:27 UTC
Updated:
2 Dec 2011 at 12:49 UTC
We have parse_ini in our php.ini disabled_functions list because it was listed on the NSA Hardening Guidelines for our OS as a potential security issue. Can you explain to us what this module uses parse_ini for? Is it really necessary? There are other modules that rely on this module that we want to use, but can't if it requires opening up known "bad" functions. ie, Panels > CTools > Advanced Help
Here's the error:
parse_ini_file() has been disabled for security reasons in /var/www/domain/webroot/sites/all/modules/advanced_help/advanced_help.module on line 667.
Comments
Comment #1
merlinofchaos commentedBecause $module.help.ini is a ini file and we need parse_ini_file() to parse it.
Comment #2
crimsondryad commentedYeah, I got that part. :P My question is does it really need to be an .ini file to begin with? Is there a benefit to making an .ini rather than a .inc or .php or .help? I understand that it's been that way for a long time. But looking around on the web, there seems to be a significant amount of debate over whether parse_ini_file is something that should be disabled. After all your hard work, wouldn't you want to share the love with as many Drupal sites as possible? Particularly if it was a fairly easy thing to do?
Comment #3
merlinofchaos commentedWell, given that it's been a .ini file for a long time and many modules are now using the format, it's not an easy change to make.
I did some research on the issue and I can't figure out *why* parse_ini_file() is on people's vulnerable lists. Every list I found simply lists it without explanation. After about 30 minutes of digging on various web pages, I gave up.
Comment #4
crimsondryad commentedI did more checking on it as well. There seems to be a lot of "this is bad" without telling you *why* it's bad. According to php.net, the function can't be used to read php's ini file, just web script ini's. So not much of a security issue there. I believe we had ours in the disabled_functions list because php by default contains a sample string and parse_ini_file is in there. It's probably a holdover from safe_mode ::cringe::
I think people are getting confused about ini_set, ini_alter, and .htaccess overrides. Those can be *very* bad if abused, but almost everyone has them on.
Thanks bunches...sorry for bugging you about it. I'm going to leave this post out in case someone else comes across the same issue.
Comment #5
frobIs there a reason that it doesn't use drupal's ini parsing function. That would let people with limited providers to use these modules and wouldn't change the user experience at all would it?
http://api.drupal.org/api/function/drupal_parse_info_file
Comment #6
merlinofchaos commentedYes, Drupal's ini parsing function handles sections differently. While more powerful, the syntax is less useful for this purpose.
Comment #7
frobJust came across this and thought I would through it out there.
Comment #8
AdrianB commentedSo, since this is "works as designed", has anyone solved/worked around the "parse_ini_file() has been disabled for security reasons in" errors?
Other than disabling this modules, of course. I have a site where they started to pop up recently (don't know why, probably the host did some changes to the server).