Workaround Possible for ini_set


#1

I have installed Piwik in the hope that it will be a good alternative to using Google Analytics but in reading posts in regards to the issue in regards to this using ini_set concerns me being a server admin.

I had disabled ini_set in my php.ini file and also denied users the ability to override the master php.ini by writing their own.

I have now re-enabled ini_set to simply test this software out to see if it's even worth using and it seems that it is a great application but I am also saddened at the stance that the staff of Piwik take towards server security.

Also that you do say that you listen to your members that are using the software but simply state it's a “wontfix” issue as it's not as important as bug fixes and the like. Sure, I do understand that you need to get the bugs fixed as they themselves could also be security flaws, but also the code that you are using in general is a security flaw, well, the ini_set portion is.

At the end of the day, if that's what you need to use to make your software work, great, but at least provide a workaround for people that are either

 a/ On shared Hosting Plans that are unable to change the php.ini
 b/ Simply do not wish to compromise security but enjoy the great application that you have made. 

I just believe there should be a workaround, either a line in a htaccess file or something that can be done. I for one will not compromise my clients' accounts on my server.

To say that I have brought nothing to this, fair call, and I will be endeavouring to find a workaround, and if I find one I'll be too happy to post it, but if anybody else at the present moment has had the same issue and has been able to find a workaround to this without compromising security, I am all ears.


(Matthieu Aubry) #2

Can you do a one line summary of your complaint please? What exactly is the problem?

we are VERY keen on security as per: How to configure Piwik for security - Analytics Platform - Matomo
Security - Analytics Platform - Matomo

but if we missed something let me know…


#3

[quote=matt]
Can you do a one line summary of your complaint please? What exactly is the problem?

we are VERY keen on security as per: How to configure Piwik for security - Analytics Platform - Matomo
Security - Analytics Platform - Matomo

but if we missed something let me know…[/quote]

My bad, I will keep my posts short so they're more understandable.

ini_set = security issue. Why should we be forced to enable a security flaw just to run this application? Most shared hosting providers have safe mode on and disable this function for exactly that reason…

2/ REASON - Because PHP scripts in a shared environment and I suppose even in a dedicated environment don’t need this function to work. It is an insecure function and the scripts could be written in a different way to accomplish the same thing.


(Matthieu Aubry) #4

Most shared hosts don’t use safe mode. Piwik should still work without ini_set anyway. What’s the problem then?


#5

Ok, hate to treat people like they're simply not listening, so let's get to the images here to point out the issue

1st image is what I have when the ini_set function is disabled in php.ini (which most servers have disabled, and shared hosts have safe mode that prevents the use of this function)

http://ozziecraft.net/images/before.png

This is the image of my site after enabling ini_set function

http://ozziecraft.net/images/after.png

Now to spell it out loud and clear: ini_set, I am led to believe, is a security flaw; that is why it has been disabled by a lot of hosting providers. My question is yet again

IS THERE A WORKAROUND TO THIS ISSUE SO AS NOT TO LOWER SOMEBODY'S SECURITY JUST TO MAKE IT WORK?

If this has not spelt it out any clearer then I give up; I will simply remove it and go with Google Analytics or stick with Awstats


(Matthieu Aubry) #6

Sorry ini_set should be enabled definitely. However I know that in some PHP configurations the function is enabled but does not do anything, which is fine…

Bottom line is: ini_set is required :slight_smile: Sorry, my bad!


(vipsoft) #7

The workaround is to comment out all the ini_set() calls and the check in core/testminimumphpversion
Php…

Your mileage may vary.
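
An added example, not part of the thread and not Piwik code: before commenting out `ini_set()` calls as suggested above, an administrator can inventory what those calls set, so the same values can be pinned server-side in php.ini while the function stays disabled. The PHP sample is constructed for illustration, and the function names are hypothetical.

```python
import re

# ini_set('name', value); with an optional leading @ (PHP error suppression).
INI_SET = re.compile(
    r"""@?\bini_set\s*\(\s*(['"])(?P<name>[\w.]+)\1\s*,\s*(?P<value>[^;]*?)\s*\)\s*;""",
    re.I)
# A value that can be copied verbatim into php.ini: quoted string, integer or boolean.
LITERAL = re.compile(r"""^(?:(['"])(?P<s>[^'"$]*)\1|(?P<n>-?\d+|true|false))$""", re.I)

# Constructed sample source, not taken from any real project.
SAMPLE_PHP = """<?php
@ini_set('memory_limit', '128M');
ini_set("display_errors", 0);
// ini_set('session.gc_probability', 1);
if ($limit) { ini_set('max_execution_time', $limit * 2); }
"""

def find_ini_set_calls(source):
    """Return (line, directive, value, is_literal) for each live ini_set() call."""
    calls = []
    for m in INI_SET.finditer(source):
        line_start = source.rfind("\n", 0, m.start()) + 1
        prefix = source[line_start:m.start()].lstrip()
        if prefix.startswith(("//", "#", "*", "/*")):
            continue  # call is already commented out
        line = source.count("\n", 0, m.start()) + 1
        lit = LITERAL.match(m.group("value"))
        if lit:
            value = lit.group("s") if lit.group("s") is not None else lit.group("n")
        else:
            value = m.group("value")  # runtime expression, cannot be pinned as-is
        calls.append((line, m.group("name"), value, bool(lit)))
    return calls

def to_php_ini(calls):
    """Render literal settings as php.ini lines; flag the rest for manual review."""
    out = []
    for line, name, value, literal in calls:
        if literal:
            out.append(f"{name} = {value}")
        else:
            out.append(f"; REVIEW line {line}: {name} is set from expression {value}")
    return out

if __name__ == "__main__":
    print("\n".join(to_php_ini(find_ini_set_calls(SAMPLE_PHP))))
```

Settings computed at runtime are only flagged, since their value depends on application state and has to be chosen by the administrator.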