phpList / phplist3

Fully functional Open Source email marketing manager for creating, sending, integrating, and analysing email campaigns and newsletters.
https://www.phplist.org
GNU Affero General Public License v3.0

check if ini_set is available to prevent Fatal Errors #1054

Open maltfield opened 6 days ago

maltfield commented 6 days ago

There is a bug in phpList that causes Fatal Errors on PHP servers that have been hardened following common best practices.

    ini_set('session.name','phpListSession');

This line causes a PHP Fatal error on hardened systems with the ini_set function disabled.

    PHP Fatal error:  Uncaught Error: Call to undefined function ini_set() in /path/to/public_html/lists/admin/init.php:17
    Stack trace:
    #0 /path/to/public_html/lists/index.php(31): require_once()
    #1 {main}
      thrown in /path/to/public_html/lists/admin/init.php on line 17

Why this matters

For security reasons, orgs frequently configure php.ini to be hardened by adding many dangerous functions to the disable_functions variable in the php.ini file. For example, it's common to disable the exec function.

    disable_functions = exec

Of course, if a php script could modify the php configuration, then it would defeat any hardening done by setting disable_functions. As such, it's common to add ini_set to the disable_functions.

    disable_functions = exec, ini_set

Solution

To fix the PHP Fatal error, phpList should always check to see if the ini_set function exists before attempting to call it.

    // Only touch the session settings when ini_set() has not been
    // removed via disable_functions; otherwise PHP 8 raises a Fatal Error.
    if (function_exists('ini_set')) {
        ini_set('session.name', 'phpListSession');
        ini_set('session.cookie_samesite', 'Strict');
        ini_set('session.use_only_cookies', 1);
        ini_set('session.cookie_httponly', 1);
    }

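The guard above as a small helper, added here as an example and not code from phpList or from the issue author. It applies the same four settings, records which ones ini_set() actually accepted, and, when ini_set() is disabled, falls back to session_name() and session_set_cookie_params() (an added alternative, assuming those two functions are not themselves in disable_functions); the function names are hypothetical.

```php
<?php
// Added example, not phpList code. Must run before session_start().
function phplist_session_hardening(): array
{
    $wanted = [
        'session.name'             => 'phpListSession',
        'session.cookie_samesite'  => 'Strict',
        'session.use_only_cookies' => '1',
        'session.cookie_httponly'  => '1',
    ];
    $result = ['applied' => [], 'skipped' => []];

    if (function_exists('ini_set')) {
        foreach ($wanted as $key => $value) {
            // ini_set() returns false when a directive cannot be changed
            // at runtime; record that rather than assuming it worked.
            if (ini_set($key, $value) === false) {
                $result['skipped'][] = $key;
            } else {
                $result['applied'][] = $key;
            }
        }
        return $result;
    }

    // ini_set() is disabled: use the session-specific setters instead
    // (assumption: these are not listed in disable_functions).
    session_name('phpListSession');
    session_set_cookie_params([
        'samesite' => 'Strict',   // array form requires PHP 7.3+
        'httponly' => true,
    ]);
    $result['applied'] = ['session.name', 'session.cookie_samesite', 'session.cookie_httponly'];
    $result['skipped'][] = 'session.use_only_cookies'; // no dedicated setter
    return $result;
}

// Report what is really in effect; ini_get() may be disabled as well.
function phplist_session_check(): array
{
    if (!function_exists('ini_get')) {
        return [];
    }
    $keys = ['session.name', 'session.cookie_samesite',
             'session.use_only_cookies', 'session.cookie_httponly'];
    $seen = [];
    foreach ($keys as $key) {
        $seen[$key] = ini_get($key);
    }
    return $seen;
}
```

Logging the 'skipped' entries at startup tells an admin which parts of the session hardening did not take effect on a locked-down php.ini.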
maltfield commented 6 days ago

Note that, while this has always triggered error messages, it's only since PHP 8 that this now triggers a Fatal Error.

bramley commented 4 days ago

Of course, if a php script could modify the php configuration, then it would defeat any hardening done by setting disable_functions

disable_functions cannot be changed by ini_set().

michield commented 4 days ago

I think the point of @maltfield is that disable_functions is set outside of phpList somewhere.

Counterpoint would be to not disable ini_set for phpList for hardening, as it would defeat the hardening that phpList makes using it.