 

Is the PHP function parse_ini_file() really so dangerous?

A few hosting providers disable the PHP function parse_ini_file().
Any attempt to use it there will fail with the error "parse_ini_file() has been disabled for security reasons".
This configuration is so common that Joomla, which is one of the most popular CMSs, avoids the direct use of parse_ini_file() in favour of dividing the task into two steps:

  1. Reading the file content with file_get_contents()
  2. Parsing the values with parse_ini_string(), which is strangely allowed, hence it's not considered a security risk (WTF?)

My question is, how could using parse_ini_file() be considered a security threat, or how could disabling the PHP function parse_ini_file() improve security?

Could it be a hoax?
I mean, maybe someone, somewhere in the past, confused parse_ini_file() with ini_set(), and thought that parse_ini_file() can change the configuration of the PHP environment.
Bloggers could have advised here and there, and naive system administrators could have followed the advice without asking themselves any questions.

Demis Palma ツ asked Jan 28 '16 16:01



1 Answer

The security risk that restrictions on parse_ini_file() attempt to guard against is reading from an arbitrary file, not parsing its contents.

Reading from an arbitrary file can be considered a security threat if you're able to read files that you normally shouldn't access (e.g. the system's password file, or files belonging to another user). Even if the files aren't in an ini format, the results that are returned by parse_ini_file() could still be potentially informative.

In PHP <= 5.3.x, parse_ini_file() was restricted when safe mode was enabled. In PHP >= 5.4, safe mode was removed (in favor of requiring actual system-level security, rather than the language playing a losing game of whack-a-mole with more and more functionality that could read from arbitrary files in increasingly creative ways).

The recommendation to ban parse_ini_file() is an old one, from when safe mode was still a thing. It's no more dangerous than any other PHP function that reads from a file. A hosting provider that's banning parse_ini_file() now (especially after leaving file_get_contents() open) is misguided, operating from old advice that is no longer valid, and was of dubious benefit even when it was valid.

The code in the PHP sources for parse_ini_file() essentially boils down to calling the same code as parse_ini_string, just with a slightly different initialization pattern (so that the one can read from a file, and the other a string). Otherwise, they're using identical code for actually parsing the ini file and returning results.

jbafford answered Oct 31 '22 20:10

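A configuration audit for the situation discussed above, as an added example that is not part of the original question or answer: it reports whether parse_ini_file() is in disable_functions while other path-reading built-ins stay enabled, and checks that the two-step route from the question returns the same array. The function names, the list of reader functions and the sample ini content are constructed for illustration; open_basedir is reported as one PHP setting that restricts paths for all of these functions alike.

```php
<?php
// Added example (not from the original thread): audit what disabling
// parse_ini_file() actually restricts on this PHP installation.

// Illustrative, partial list of other built-ins that read a file by path.
const OTHER_READERS = ['file_get_contents', 'file', 'fopen', 'readfile'];

function disabledFunctions(): array
{
    $raw = (string) ini_get('disable_functions');
    return array_values(array_filter(array_map('trim', explode(',', $raw)), 'strlen'));
}

function auditIniRestriction(): array
{
    $disabled = disabledFunctions();
    return [
        'parse_ini_file_disabled' => in_array('parse_ini_file', $disabled, true),
        'readers_still_enabled'   => array_values(array_diff(OTHER_READERS, $disabled)),
        'open_basedir'            => (string) ini_get('open_basedir'),
    ];
}

// The two-step route described in the question: read the file, parse the string.
function twoStepParse(string $path): array
{
    $text = file_get_contents($path);
    $parsed = ($text === false) ? false : parse_ini_string($text, true);
    if ($parsed === false) {
        throw new RuntimeException("cannot read or parse $path");
    }
    return $parsed;
}

// Constructed sample input, written to a temporary file.
$path = tempnam(sys_get_temp_dir(), 'ini');
file_put_contents($path, "[db]\nhost = localhost\nport = 3306\n");

$audit = auditIniRestriction();
print_r($audit);
$canTwoStep = in_array('file_get_contents', $audit['readers_still_enabled'], true);
if ($audit['parse_ini_file_disabled'] && $audit['readers_still_enabled']) {
    echo "parse_ini_file() is disabled but other readers are not: no read restriction gained.\n";
} elseif (!$audit['parse_ini_file_disabled'] && $canTwoStep) {
    echo "same result both ways: ";
    var_dump(parse_ini_file($path, true) === twoStepParse($path));
}
if ($audit['open_basedir'] === '') {
    echo "open_basedir is empty: PHP applies no path restriction to any of these functions.\n";
}
unlink($path);
```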