A few hosting providers disable the PHP function parse_ini_file().
Any attempt to use it there, will fail with the error "parse_ini_file() has been disabled for security reasons".
This configuration is so common that Joomla, which is one of the most popular CMS, avoids the direct use of parse_ini_file() in favour of dividing the task in two steps:
My question is, how using parse_ini_file() could be considered a security threat, or how disable the PHP function parse_ini_file() could improve the security?
Could it be a hoax?
I mean, maybe someone, somewhere in the past, confused parse_ini_file() with ini_set(), and thought that parse_ini_file() can change the configuration of the PHP environment.
Bloggers could have advised here and there, and naive system administrators could have followed the advices without asking themselves any questions.
The security risk that that restrictions on parse_ini_file
attempt to guard against is reading from an arbitrary file, not in parsing its contents.
Reading from an arbitrary file can be considered a security threat if you're able to read files that you normally shouldn't access (e.g. the system's password file; or users belonging to another user). Even if the files aren't in an ini format, the results that are returned by parse_ini_file()
could still be potentially informative.
In PHP <= 5.3.x, parse_ini_file()
was restricted when safe mode was enabled. In PHP >= 5.4, safe mode was removed (in favor of requiring actual system-level security, rather than the language playing a losing game of whack-a-mole with more and more functionality that could read from arbitrary files in increasingly creative ways).
The recommendation to ban parse_ini_file()
is an old one, from when safe mode was still a thing. It's no more dangerous than any other PHP function that reads from a file. A hosting provider that's banning parse_ini_file()
now (especially after leaving file_get_contents()
open is misguided, operating from old advice that is no longer valid, and was of dubious benefit even when it was valid.
The code in the PHP sources for parse_ini_file()
essentially boils down to calling the same code as parse_ini_string
, just with a slightly different initialization pattern (so that the one can read from a file, and the other a string). Otherwise, they're using identical code for actually parsing the ini file and returning results.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With