Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-12660

Undefined offset error when phpinfo() disabled and debug enabled

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.12, 3.1.0-b4
    • Fix Version/s: 3.0.13-RC1, 3.1.0-RC1
    • Component/s: None
    • Labels:
      None

      Description

      If phpinfo() is disabled and debug is enabled, it throws this error

      [phpBB Debug] PHP Notice: in file [ROOT]/includes/acp/acp_php_info.php on line 55: Undefined offset: 0

      It is better on 3.1 because rest of the page is displayed, but I think it should be solved.

      Solution:
      open includes/acp/acp_php_info.php

      Find
      if (empty($phpinfo) || empty($output))

      Replace with
      if (empty($phpinfo) || empty($output) || empty($output[1][0]))

        Activity

        Hide
        bantu Andreas Fischer added a comment -

        Please present a valid use case for having phpinfo() disabled.

        Show
        bantu Andreas Fischer added a comment - Please present a valid use case for having phpinfo() disabled.
        Hide
        bantu Andreas Fischer added a comment -

        Won't fix for 3.0.x.

        Show
        bantu Andreas Fischer added a comment - Won't fix for 3.0.x.
        Hide
        Kamahl19 Kamahl19 added a comment -

        One of my clients using 3.0.12 contacted me that one of his ACP pages gives him nothing but error. His hosting company disabled phpinfo from security reasons. I dont understand what usecase should I provided. This is clearly a bug. In the code, there is already a trigger_error with message saying about disabled phpinfo so phpbb counts with this possibility. Check for empty array is not done properly.

        Why not for 3.0.13? It is matter of 1 line edit.

        Show
        Kamahl19 Kamahl19 added a comment - One of my clients using 3.0.12 contacted me that one of his ACP pages gives him nothing but error. His hosting company disabled phpinfo from security reasons. I dont understand what usecase should I provided. This is clearly a bug. In the code, there is already a trigger_error with message saying about disabled phpinfo so phpbb counts with this possibility. Check for empty array is not done properly. Why not for 3.0.13? It is matter of 1 line edit.
        Hide
        bantu Andreas Fischer added a comment -

        Feel free to submit a patch and we might reconsider. I don't think anyone should spent time on fixing this. We have to assume the PHP environment is working somewhat correctly. As you have said yourself, there is not proper usecase for having phpinfo disabled.

        Show
        bantu Andreas Fischer added a comment - Feel free to submit a patch and we might reconsider. I don't think anyone should spent time on fixing this. We have to assume the PHP environment is working somewhat correctly. As you have said yourself, there is not proper usecase for having phpinfo disabled.
        Hide
        Kamahl19 Kamahl19 added a comment -

        Apparently, there is proper usecase, we just dont know it. People in hosting company probably had their reasons. Moreover as I said, phpbb displays the message about phpinfo disabled, so someone developing phpbb also thought there is proper usecase for disabling phpinfo.

        I also found this in drupal documentation. "Some server administrators may choose to disable the PHP function phpinfo() for security reasons, because it displays information which can be used to compromise the server that your site is running on."

        Show
        Kamahl19 Kamahl19 added a comment - Apparently, there is proper usecase, we just dont know it. People in hosting company probably had their reasons. Moreover as I said, phpbb displays the message about phpinfo disabled, so someone developing phpbb also thought there is proper usecase for disabling phpinfo. I also found this in drupal documentation. "Some server administrators may choose to disable the PHP function phpinfo() for security reasons, because it displays information which can be used to compromise the server that your site is running on."
        Hide
        bantu Andreas Fischer added a comment -

        Okay. I see. Thanks.

        Show
        bantu Andreas Fischer added a comment - Okay. I see. Thanks.

          People

          • Assignee:
            bantu Andreas Fischer
            Reporter:
            Kamahl19 Kamahl19
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development