From 96032535c6cb088e9b3bc82137c48c54476b96a6 Mon Sep 17 00:00:00 2001 From: Michael Altfield Date: Fri, 13 Sep 2024 14:25:48 -0500 Subject: [PATCH 01/13] fix Fatal Errors: don't assume set_ini() exists * https://core.trac.wordpress.org/ticket/62047 * https://core.trac.wordpress.org/ticket/48693 --- src/wp-admin/plugins.php | 4 +++- src/wp-admin/update.php | 4 +++- src/wp-includes/PHPMailer/PHPMailer.php | 8 ++++++-- src/wp-includes/default-constants.php | 4 +++- src/wp-includes/functions.php | 4 ++-- src/wp-includes/load.php | 18 +++++++++++++----- src/wp-includes/pomo/po.php | 4 +++- 7 files changed, 33 insertions(+), 13 deletions(-) diff --git a/src/wp-admin/plugins.php b/src/wp-admin/plugins.php index 199fbedaa37e8..03443d08ff473 100644 --- a/src/wp-admin/plugins.php +++ b/src/wp-admin/plugins.php @@ -189,7 +189,9 @@ error_reporting( E_CORE_ERROR | E_CORE_WARNING | E_COMPILE_ERROR | E_ERROR | E_WARNING | E_PARSE | E_USER_ERROR | E_USER_WARNING | E_RECOVERABLE_ERROR ); } - ini_set( 'display_errors', true ); // Ensure that fatal errors are displayed. + if ( function_exists('ini_set') ) { + ini_set( 'display_errors', true ); // Ensure that fatal errors are displayed. + } // Go back to "sandbox" scope so we get the same errors as before. plugin_sandbox_scrape( $plugin ); /** This action is documented in wp-admin/includes/plugin.php */ diff --git a/src/wp-admin/update.php b/src/wp-admin/update.php index 090c37cfc4dfe..b8c7fa714e2c8 100644 --- a/src/wp-admin/update.php +++ b/src/wp-admin/update.php @@ -96,7 +96,9 @@ echo '

' . __( 'Plugin failed to reactivate due to a fatal error.' ) . '

'; error_reporting( E_CORE_ERROR | E_CORE_WARNING | E_COMPILE_ERROR | E_ERROR | E_WARNING | E_PARSE | E_USER_ERROR | E_USER_WARNING | E_RECOVERABLE_ERROR ); - ini_set( 'display_errors', true ); // Ensure that fatal errors are displayed. + if ( function_exists('ini_set') ) { + ini_set( 'display_errors', true ); // Ensure that fatal errors are displayed. + } wp_register_plugin_realpath( WP_PLUGIN_DIR . '/' . $plugin ); include WP_PLUGIN_DIR . '/' . $plugin; } diff --git a/src/wp-includes/PHPMailer/PHPMailer.php b/src/wp-includes/PHPMailer/PHPMailer.php index cf8657234c657..2a16eadd6a5a3 100644 --- a/src/wp-includes/PHPMailer/PHPMailer.php +++ b/src/wp-includes/PHPMailer/PHPMailer.php @@ -1950,7 +1950,9 @@ protected function mailSend($header, $body) $params = sprintf('-f%s', $this->Sender); } $old_from = ini_get('sendmail_from'); - ini_set('sendmail_from', $this->Sender); + if ( function_exists('ini_set') ) { + ini_set('sendmail_from', $this->Sender); + } } $result = false; if ($this->SingleTo && count($toArr) > 1) { @@ -1973,7 +1975,9 @@ protected function mailSend($header, $body) $this->doCallback($result, $this->to, $this->cc, $this->bcc, $this->Subject, $body, $this->From, []); } if (isset($old_from)) { - ini_set('sendmail_from', $old_from); + if ( function_exists('ini_set') ) { + ini_set('sendmail_from', $old_from); + } } if (!$result) { throw new Exception($this->lang('instantiate'), self::STOP_CRITICAL); diff --git a/src/wp-includes/default-constants.php b/src/wp-includes/default-constants.php index 71a21269dc698..8f33e3ca80c74 100644 --- a/src/wp-includes/default-constants.php +++ b/src/wp-includes/default-constants.php 
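Review bot: The guard added in mailSend() at @@ -1950 covers only `ini_set('sendmail_from', $this->Sender);`, while `$old_from = ini_get('sendmail_from');` directly above it stays unguarded, and when the guard is skipped the send proceeds without the `sendmail_from` override this block exists to apply. The restore in the second hunk (@@ -1973) can be a single condition, `if (isset($old_from) && function_exists('ini_set')) {`. Judging by its path and its code style, PHPMailer.php looks like a bundled copy of an upstream library, so a local edit here is likely to be lost at the next library update and is better proposed upstream. mailSend() starts and ends outside both hunks.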
@@ -68,7 +68,9 @@ function wp_initial_constants() { // Set memory limits. $wp_limit_int = wp_convert_hr_to_bytes( WP_MEMORY_LIMIT ); if ( -1 !== $current_limit_int && ( -1 === $wp_limit_int || $wp_limit_int > $current_limit_int ) ) { - ini_set( 'memory_limit', WP_MEMORY_LIMIT ); + if ( function_exists('ini_set') ) { + ini_set( 'memory_limit', WP_MEMORY_LIMIT ); + } } if ( ! isset( $blog_id ) ) { diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php index 0619f44f30d4e..379556d5bdb0b 100644 --- a/src/wp-includes/functions.php +++ b/src/wp-includes/functions.php @@ -7862,13 +7862,13 @@ function wp_raise_memory_limit( $context = 'admin' ) { $filtered_limit_int = wp_convert_hr_to_bytes( $filtered_limit ); if ( -1 === $filtered_limit_int || ( $filtered_limit_int > $wp_max_limit_int && $filtered_limit_int > $current_limit_int ) ) { - if ( false !== ini_set( 'memory_limit', $filtered_limit ) ) { + if ( function_exists('ini_set') && false !== ini_set( 'memory_limit', $filtered_limit ) ) { return $filtered_limit; } else { return false; } } elseif ( -1 === $wp_max_limit_int || $wp_max_limit_int > $current_limit_int ) { - if ( false !== ini_set( 'memory_limit', $wp_max_limit ) ) { + if ( function_exists('ini_set') && false !== ini_set( 'memory_limit', $wp_max_limit ) ) { return $wp_max_limit; } else { return false; diff --git a/src/wp-includes/load.php b/src/wp-includes/load.php index b0b8209235c3e..8670e366a8a0f 100644 --- a/src/wp-includes/load.php +++ b/src/wp-includes/load.php @@ -585,9 +585,13 @@ function wp_debug_mode() { error_reporting( E_ALL ); if ( WP_DEBUG_DISPLAY ) { - ini_set( 'display_errors', 1 ); + if ( function_exists('ini_set') ) { + ini_set( 'display_errors', 1 ); + } } elseif ( null !== WP_DEBUG_DISPLAY ) { - ini_set( 'display_errors', 0 ); + if ( function_exists('ini_set') ) { + ini_set( 'display_errors', 0 ); + } } if ( in_array( strtolower( (string) WP_DEBUG_LOG ), array( 'true', '1' ), true ) ) { 
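Review bot: In the wp_debug_mode() hunk at @@ -585, the `elseif ( null !== WP_DEBUG_DISPLAY )` branch becomes a silent no-op when `ini_set` is unavailable, so setting WP_DEBUG_DISPLAY to false no longer turns error display off and the outcome depends entirely on php.ini. The same applies to the guarded `ini_set( 'display_errors', 0 );` in the later hunk at @@ -614, which covers the installing, AJAX and JSON request cases. I would document this at both places, for example `// If ini_set() is disabled, WordPress cannot suppress error output here; set display_errors = Off in php.ini.` wp_debug_mode() begins and ends outside these hunks.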
@@ -599,8 +603,10 @@ function wp_debug_mode() { } if ( $log_path ) { - ini_set( 'log_errors', 1 ); - ini_set( 'error_log', $log_path ); + if ( function_exists('ini_set') ) { + ini_set( 'log_errors', 1 ); + ini_set( 'error_log', $log_path ); + } } } else { error_reporting( E_CORE_ERROR | E_CORE_WARNING | E_COMPILE_ERROR | E_ERROR | E_WARNING | E_PARSE | E_USER_ERROR | E_USER_WARNING | E_RECOVERABLE_ERROR ); @@ -614,7 +620,9 @@ function wp_debug_mode() { || ( defined( 'WP_INSTALLING' ) && WP_INSTALLING ) || wp_doing_ajax() || wp_is_json_request() ) { - ini_set( 'display_errors', 0 ); + if ( function_exists('ini_set') ) { + ini_set( 'display_errors', 0 ); + } } } diff --git a/src/wp-includes/pomo/po.php b/src/wp-includes/pomo/po.php index a4e3cab4ef17a..baac15cfe8dfb 100644 --- a/src/wp-includes/pomo/po.php +++ b/src/wp-includes/pomo/po.php @@ -21,7 +21,9 @@ * which still use the old MacOS standalone `\r` as a line ending. * This fix should be revisited when PHP 9.0 is in alpha/beta. */ -@ini_set( 'auto_detect_line_endings', 1 ); // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged +if ( function_exists('ini_set') ) { + @ini_set( 'auto_detect_line_endings', 1 ); // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged +} /** * Routines for working with PO files From 3737c623ff54ea8c686a0fd53e3cf7b4a596c97e Mon Sep 17 00:00:00 2001 From: Michael Altfield Date: Tue, 17 Sep 2024 10:08:11 -0500 Subject: [PATCH 02/13] Update src/wp-admin/plugins.php Co-authored-by: Ari Stathopoulos --- src/wp-admin/plugins.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-admin/plugins.php b/src/wp-admin/plugins.php index 03443d08ff473..9df3ea445c899 100644 --- a/src/wp-admin/plugins.php +++ b/src/wp-admin/plugins.php 
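Review bot: With `ini_set` disabled, the hunk at @@ -599 drops a configured WP_DEBUG_LOG path without any indication, because `log_errors` and `error_log` are both skipped and nothing records that; errors then go wherever php.ini sends them. The two nested conditions can be one, `if ( $log_path && function_exists( 'ini_set' ) ) {`. A comment such as `// Without ini_set() the log destination stays as configured in php.ini.` would tell operators where to look. wp_debug_mode() begins and ends outside this hunk.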
@@ -189,7 +189,7 @@ error_reporting( E_CORE_ERROR | E_CORE_WARNING | E_COMPILE_ERROR | E_ERROR | E_WARNING | E_PARSE | E_USER_ERROR | E_USER_WARNING | E_RECOVERABLE_ERROR ); } - if ( function_exists('ini_set') ) { + if ( function_exists( 'ini_set' ) ) { ini_set( 'display_errors', true ); // Ensure that fatal errors are displayed. } // Go back to "sandbox" scope so we get the same errors as before. From d45a310fba0af1eb63f872a116251b0fb3b6ed99 Mon Sep 17 00:00:00 2001 From: Michael Altfield Date: Tue, 17 Sep 2024 10:08:24 -0500 Subject: [PATCH 03/13] Update src/wp-admin/update.php Co-authored-by: Ari Stathopoulos --- src/wp-admin/update.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-admin/update.php b/src/wp-admin/update.php index b8c7fa714e2c8..541947158b8f6 100644 --- a/src/wp-admin/update.php +++ b/src/wp-admin/update.php @@ -96,7 +96,7 @@ echo '

' . __( 'Plugin failed to reactivate due to a fatal error.' ) . '

'; error_reporting( E_CORE_ERROR | E_CORE_WARNING | E_COMPILE_ERROR | E_ERROR | E_WARNING | E_PARSE | E_USER_ERROR | E_USER_WARNING | E_RECOVERABLE_ERROR ); - if ( function_exists('ini_set') ) { + if ( function_exists( 'ini_set' ) ) { ini_set( 'display_errors', true ); // Ensure that fatal errors are displayed. } wp_register_plugin_realpath( WP_PLUGIN_DIR . '/' . $plugin ); From 9173f7d118c48313095da8437f5fa0d789275cf4 Mon Sep 17 00:00:00 2001 From: Michael Altfield Date: Tue, 17 Sep 2024 10:08:33 -0500 Subject: [PATCH 04/13] Update src/wp-includes/default-constants.php Co-authored-by: Ari Stathopoulos --- src/wp-includes/default-constants.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-includes/default-constants.php b/src/wp-includes/default-constants.php index 8f33e3ca80c74..db441ee003564 100644 --- a/src/wp-includes/default-constants.php +++ b/src/wp-includes/default-constants.php @@ -68,7 +68,7 @@ function wp_initial_constants() { // Set memory limits. $wp_limit_int = wp_convert_hr_to_bytes( WP_MEMORY_LIMIT ); if ( -1 !== $current_limit_int && ( -1 === $wp_limit_int || $wp_limit_int > $current_limit_int ) ) { - if ( function_exists('ini_set') ) { + if ( function_exists( 'ini_set' ) ) { ini_set( 'memory_limit', WP_MEMORY_LIMIT ); } } From 0461175b387366bfef4e87f202bae8156db5938b Mon Sep 17 00:00:00 2001 From: Michael Altfield Date: Tue, 17 Sep 2024 10:08:43 -0500 Subject: [PATCH 05/13] Update src/wp-includes/load.php Co-authored-by: Ari Stathopoulos --- src/wp-includes/load.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-includes/load.php b/src/wp-includes/load.php index 8670e366a8a0f..4b03ec91ff719 100644 --- a/src/wp-includes/load.php +++ b/src/wp-includes/load.php @@ -589,7 +589,7 @@ function wp_debug_mode() { ini_set( 'display_errors', 1 ); } } elseif ( null !== WP_DEBUG_DISPLAY ) { - if ( function_exists('ini_set') ) { + if ( function_exists( 'ini_set' ) ) { ini_set( 'display_errors', 0 ); } } 
From faa1318a650153904652a35a972d2fbc3601de3c Mon Sep 17 00:00:00 2001 From: Michael Altfield Date: Tue, 17 Sep 2024 10:08:52 -0500 Subject: [PATCH 06/13] Update src/wp-includes/functions.php Co-authored-by: Ari Stathopoulos --- src/wp-includes/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php index 379556d5bdb0b..fd3909de35956 100644 --- a/src/wp-includes/functions.php +++ b/src/wp-includes/functions.php @@ -7862,7 +7862,7 @@ function wp_raise_memory_limit( $context = 'admin' ) { $filtered_limit_int = wp_convert_hr_to_bytes( $filtered_limit ); if ( -1 === $filtered_limit_int || ( $filtered_limit_int > $wp_max_limit_int && $filtered_limit_int > $current_limit_int ) ) { - if ( function_exists('ini_set') && false !== ini_set( 'memory_limit', $filtered_limit ) ) { + if ( function_exists( 'ini_set' ) && false !== ini_set( 'memory_limit', $filtered_limit ) ) { return $filtered_limit; } else { return false; From a5a5a23afa5e5e8ce5b90a118dc40ed2337b7e84 Mon Sep 17 00:00:00 2001 From: Michael Altfield Date: Tue, 17 Sep 2024 10:09:08 -0500 Subject: [PATCH 07/13] Update src/wp-includes/pomo/po.php Co-authored-by: Ari Stathopoulos --- src/wp-includes/pomo/po.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-includes/pomo/po.php b/src/wp-includes/pomo/po.php index baac15cfe8dfb..4be50a567c175 100644 --- a/src/wp-includes/pomo/po.php +++ b/src/wp-includes/pomo/po.php @@ -21,7 +21,7 @@ * which still use the old MacOS standalone `\r` as a line ending. * This fix should be revisited when PHP 9.0 is in alpha/beta. */ -if ( function_exists('ini_set') ) { +if ( function_exists( 'ini_set' ) ) { @ini_set( 'auto_detect_line_endings', 1 ); // phpcs:ignore WordPress.PHP.NoSilencedErrors.Discouraged } From bbaf5a8cc5b862ebf6f233722c6bae81bf47859c Mon Sep 17 00:00:00 2001 
From: Michael Altfield Date: Tue, 17 Sep 2024 10:09:19 -0500 Subject: [PATCH 08/13] Update src/wp-includes/load.php Co-authored-by: Ari Stathopoulos --- src/wp-includes/load.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-includes/load.php b/src/wp-includes/load.php index 4b03ec91ff719..f849d7c1eefb5 100644 --- a/src/wp-includes/load.php +++ b/src/wp-includes/load.php @@ -620,7 +620,7 @@ function wp_debug_mode() { || ( defined( 'WP_INSTALLING' ) && WP_INSTALLING ) || wp_doing_ajax() || wp_is_json_request() ) { - if ( function_exists('ini_set') ) { + if ( function_exists( 'ini_set' ) ) { ini_set( 'display_errors', 0 ); } } From cd2ed10e80f6dc735b9aa949f10f6ddcc83e0180 Mon Sep 17 00:00:00 2001 From: Michael Altfield Date: Tue, 17 Sep 2024 10:09:29 -0500 Subject: [PATCH 09/13] Update src/wp-includes/load.php Co-authored-by: Ari Stathopoulos --- src/wp-includes/load.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-includes/load.php b/src/wp-includes/load.php index f849d7c1eefb5..d81254591286b 100644 --- a/src/wp-includes/load.php +++ b/src/wp-includes/load.php @@ -603,7 +603,7 @@ function wp_debug_mode() { } if ( $log_path ) { - if ( function_exists('ini_set') ) { + if ( function_exists( 'ini_set' ) ) { ini_set( 'log_errors', 1 ); ini_set( 'error_log', $log_path ); } From 6982f7a2a8d5119d3640dfc66d0deed7ea3a9100 Mon Sep 17 00:00:00 2001 From: Michael Altfield Date: Tue, 17 Sep 2024 10:09:38 -0500 Subject: [PATCH 10/13] Update src/wp-includes/load.php Co-authored-by: Ari Stathopoulos --- src/wp-includes/load.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-includes/load.php b/src/wp-includes/load.php index d81254591286b..59fce0c9d2927 100644 --- a/src/wp-includes/load.php +++ b/src/wp-includes/load.php 
@@ -585,7 +585,7 @@ function wp_debug_mode() { error_reporting( E_ALL ); if ( WP_DEBUG_DISPLAY ) { - if ( function_exists('ini_set') ) { + if ( function_exists( 'ini_set' ) ) { ini_set( 'display_errors', 1 ); } } elseif ( null !== WP_DEBUG_DISPLAY ) { From 0ccda9e1018b9cc91b506c44ee2b0a45280f134d Mon Sep 17 00:00:00 2001 From: Michael Altfield Date: Tue, 17 Sep 2024 10:09:56 -0500 Subject: [PATCH 11/13] Update src/wp-includes/functions.php Co-authored-by: Ari Stathopoulos --- src/wp-includes/functions.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/wp-includes/functions.php b/src/wp-includes/functions.php index fd3909de35956..c50ed6d304417 100644 --- a/src/wp-includes/functions.php +++ b/src/wp-includes/functions.php @@ -7868,7 +7868,7 @@ function wp_raise_memory_limit( $context = 'admin' ) { return false; } } elseif ( -1 === $wp_max_limit_int || $wp_max_limit_int > $current_limit_int ) { - if ( function_exists('ini_set') && false !== ini_set( 'memory_limit', $wp_max_limit ) ) { + if ( function_exists( 'ini_set' ) && false !== ini_set( 'memory_limit', $wp_max_limit ) ) { return $wp_max_limit; } else { return false; From d4f07bd7438af7d4ec62e689edb04164c9338646 Mon Sep 17 00:00:00 2001 From: Michael Altfield Date: Sat, 14 Dec 2024 15:11:17 -0500 Subject: [PATCH 12/13] check to see chmod exists before using it this commit fixes bug #62693, which prevents users from uploading media to wordpress because wordpress throws a fatal error when calling 'chmod' on servers with php.ini security-hardened following best practices, which disables dangerous functions, such as exec(), chmod(), etc. * https://core.trac.wordpress.org/ticket/62693 this change doesn't make the assumption that the chmod() function is available for use; it checks it first with function_exists() --- src/wp-admin/includes/file.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/src/wp-admin/includes/file.php b/src/wp-admin/includes/file.php index b1ea3fba1bda2..e76f268478723 100644 --- a/src/wp-admin/includes/file.php +++ b/src/wp-admin/includes/file.php @@ -1040,7 +1040,9 @@ function wp_handle_upload_error( &$file, $message ) { // Set correct file permissions. $stat = stat( dirname( $new_file ) ); $perms = $stat['mode'] & 0000666; - chmod( $new_file, $perms ); + if( function_exists('chmod') ) { + chmod( $new_file, $perms ); + } // Compute the URL. $url = $uploads['url'] . "/$filename"; From 9e599f4128e635d71bf741df0287bba3e09f12b5 Mon Sep 17 00:00:00 2001 From: Michael Altfield Date: Sat, 14 Dec 2024 16:19:47 -0500 Subject: [PATCH 13/13] check to see chmod exists before using it this commit fixes bug #62693, which prevents users from uploading media to wordpress because wordpress throws a fatal error when calling 'chmod' on servers with php.ini security-hardened following best practices, which disables dangerous functions, such as exec(), chmod(), etc. * https://core.trac.wordpress.org/ticket/62693 this change doesn't make the assumption that the chmod() function is available for use; it checks it first with function_exists() --- src/wp-admin/includes/file.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/wp-admin/includes/file.php b/src/wp-admin/includes/file.php index e76f268478723..091317669b9b6 100644 --- a/src/wp-admin/includes/file.php +++ b/src/wp-admin/includes/file.php 
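Review bot: When `chmod()` is unavailable, the step under `// Set correct file permissions.` is skipped silently, so the uploaded file keeps whatever mode the preceding move or copy gave it rather than one derived from the parent directory, and `$stat` and `$perms` are computed for nothing. I would move those two lines inside the guard, write it as `if ( function_exists( 'chmod' ) ) {` to match the spacing applied in patches 02–11, and add a comment saying that the file mode is left as the server assigned it in that case. In the copy_dir() hunk of PATCH 13/13 the same test guards `$wp_filesystem->chmod()`, a method call; whether that object relies on PHP's chmod() is not visible here, so the check probably belongs inside the filesystem class that does. The enclosing function starts and ends outside the hunk.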
@@ -2021,7 +2021,9 @@ function copy_dir( $from, $to, $skip_list = array() ) { if ( 'f' === $fileinfo['type'] ) { if ( ! $wp_filesystem->copy( $from . $filename, $to . $filename, true, FS_CHMOD_FILE ) ) { // If copy failed, chmod file to 0644 and try again. - $wp_filesystem->chmod( $to . $filename, FS_CHMOD_FILE ); + if( function_exists('chmod') ) { + $wp_filesystem->chmod( $to . $filename, FS_CHMOD_FILE ); + } if ( ! $wp_filesystem->copy( $from . $filename, $to . $filename, true, FS_CHMOD_FILE ) ) { return new WP_Error( 'copy_failed_copy_dir', __( 'Could not copy file.' ), $to . $filename );