CODEWITHSUNDEEP
securitytypo3php-8typo3-12.x
juku
juku

Reputation: 51

Does Typo3 12.4 works with PHP 8 and disable_functions=ini_set?

I am running a Typo3 page with some security restriction, especially my admin disabled some PHP functions for security reasons.

disable_functions=ini_set

Now I did an upgrade:

Typo3 11.5 => Typo3 12.4

PHP 7.4 => PHP 8.2

This results in fatal PHP-Errors in Bootstrap.php line 441, because ini_set is disabled.

@ini_set('display_errors', (string)$displayErrors);

https://github.com/TYPO3/typo3/blob/12.4/typo3/sysext/core/Classes/Core/Bootstrap.php

Fatal error: Uncaught Error: Call to undefined function TYPO3\CMS\Core\Core\ini_set() in /var/www/html/typo3/sysext/core/Classes/Core/Bootstrap.php:441 Stack trace: #0 /var/www/html/typo3/sysext/core/Classes/Core/Bootstrap.php(94): TYPO3\CMS\Core\Core\Bootstrap::initializeErrorHandling() #1 /var/www/html/index.php(20): TYPO3\CMS\Core\Core\Bootstrap::init(Object(Composer\Autoload\ClassLoader)) #2 /var/www/html/index.php(21): {closure}() #3 {main} thrown in /var/www/html/typo3/sysext/core/Classes/Core/Bootstrap.php on line 441

It worked under PHP 7.4 as the @ Operator let it fail in silence. But under PHP 8.2 the @ Operator does not prevent the fatal Error anymore.

Is there any documentation on disabling functions?

Is there any posibility to run a Typo3 on PHP > 8 with disabled ini_set?

I know this:

https://docs.typo3.org/m/typo3/reference-coreapi/main/en-us/Security/GuidelinesAdministrators/FurtherActions.html#security-related-php-settings

https://php.watch/versions/8.0/fatal-error-suppression

Upvotes: 1

Views: 148

Answers (2)

Mogens
Mogens

Reputation: 1181

First of all: It's always a bad idea to change core files of TYPO3. So be aware that this could lead to unexpected behaviar in your installation.

But yes - It's possible to run TYPO3 12, if ini_set is disabled in php.ini. Tested in TYPO3 12.4.14. The following requirements must be met for this to happen:

  1. First of all you need to set some variables in your php.ini

     display_errors = 0
 session.cookie_secure = 'On'
 session.cookie_httponly = 'On'
 session.cookie_samesite = 'strict'
 session.cookie_path =  '/'
 session.gc_probability = '100'
 session.gc_divisor = '100'
 session.gc_maxlifetime = '1800'

  2. If you run TYPO3 in legacy mode, you can skip this step. Using composer mode, you will get some errors installing composer on your server. To avoid this, download composer as usual:

     cd ~
 php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"

    Now open the file composer-setup.php and search for the ini_set call in the setupEnvironment function. Comment that line. Now you can install composer.

     php composer-setup.php --install-dir=/usr/bin --filename=composer

    Maybe the install-dir differs on your system. Depends on the OS you are using.
    Now you should be able to use composer without any problems.

  3. Now you need to change the Bootstrap.php file:
    In legacy mode it's located in:
    typo3/sysext/core/Classes/Core/Bootstrap.php
    In composer-mode it's located in:
    vendor/typo3/cms-core/Classes/Core/Bootstrap.php

    In line 441 you need to comment the ini_set call and save the file.

  4. Now you need to change the SessionService.php file:
    In legacy mode it's located in:
    typo3/sysext/install/Classes/Service/SessionService.php
    In composer-mode it's located in:
    vendor/typo3/cms-install/Classes/Service/SessionService.php

    Comment the ini_set call's in the lines 81-89 and save the file.

If you run your system in composer-mode, i would suggest to patch your TYPO3 version with the changes of step 3 and 4. A good tutorial how to do that can be found here:
https://punkt.de/de/blog/2017/patchen-mit-composer.html

You might run in to more problems, when installing other extensions. A good way to solve the problems is:

  1. Search the code for the ini_set call
  2. Check what variable is set by the call
  3. If absolutely needed, set the variable in your php.ini
  4. Comment the ini_set call

Upvotes: 0

David
David

Reputation: 6084

I just searched in the TYPO3 source for ini_set, and this is the result:

> cd vendor/typo3
> grep -rn 'ini_set'
cms-frontend/Classes/Middleware/OutputCompression.php:54:
    @ini_set('zlib.output_compression_level', (string)$GLOBALS['TYPO3_CONF_VARS']['FE']['compressionLevel']);
cms-core/Configuration/DefaultConfigurationDescription.yaml:120:
    description: 'Integer: memory_limit in MB: If more than 16, TYPO3 will try to use ini_set() to set the memory limit of PHP to the value. This works only if the function ini_set() is not disabled by your sysadmin.'
cms-core/Classes/Core/Bootstrap.php:441:
    @ini_set('display_errors', (string)$displayErrors);
cms-core/Classes/Core/Bootstrap.php:467:
    @ini_set('memory_limit', (string)((int)$GLOBALS['TYPO3_CONF_VARS']['SYS']['setMemoryLimit'] . 'm'));
cms-backend/Classes/Middleware/OutputCompression.php:53:
    @ini_set('zlib.output_compression_level', (string)$GLOBALS['TYPO3_CONF_VARS']['BE']['compressionLevel']);
cms-install/Classes/Service/SessionService.php:82:
    ini_set('session.cookie_secure', GeneralUtility::getIndpEnv('TYPO3_SSL') ? 'On' : 'Off');
cms-install/Classes/Service/SessionService.php:83:
    ini_set('session.cookie_httponly', 'On');
cms-install/Classes/Service/SessionService.php:84:
    ini_set('session.cookie_samesite', Cookie::SAMESITE_STRICT);
cms-install/Classes/Service/SessionService.php:85:
    ini_set('session.cookie_path', (string)GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'));
cms-install/Classes/Service/SessionService.php:87:
    ini_set('session.gc_probability', (string)100);
cms-install/Classes/Service/SessionService.php:88:
    ini_set('session.gc_divisor', (string)100);
cms-install/Classes/Service/SessionService.php:89:
    ini_set('session.gc_maxlifetime', (string)($this->expireTimeInMinutes * 2 * 60));

I think it's probably possible to run TYPO3 without using ini_set, if you manage to avoid or circumvent all situations where it is used. Though it's a crippled system then, which disables many options, and it makes certainly some work to find for every situation the right solution.

Note that I searched in the TYPO3 source only, never have all system-extensions installed (even the most), but never verified dependencies.

Most problems makes probably the SessionService, it might be that this is the limiting class that avoids perhaps that you can run the system without ini_set if you never work with patches to manipulate the class. I didn't look into details though, so there might be a chance. Note also that manipulating the SessionService might undermine the security of your site, if you never have deep knowledge about sessions, cookies, etc., or the impact about the disabled / circumvented parts where ini_set is used usually.
Nevertheless, the SessionService is located in the install system extension only, and you could make the installation locally and upload everything then by (S)FTP, maybe even uninstall the install extension before.

The next critical part might be the class Bootstrap then, but as far as I see, there is nothing what you couldn't get running. Just avoid settings about increasing memory or settings to change compression configuration (usually no compression at all is used), also debug-output shouldn't be changed (see display_errors in my list above).

In cms-core/Configuration/DefaultConfigurationDescription.yaml:120: is even written:

This works only if the function ini_set() is not disabled by your sysadmin.

So, the chances look not so bad I think, that you can use TYPO3 without ini_set.

Upvotes: 0

Related Questions