Unclear documentation of console.php

• Documentation (or Advocacy)

I had to break in in my test installation of Tiki 21.4 (set a temp admin pw I did not write down in my keepass).

For this scenario, there is a documentation available at
https://doc.tiki.org/Lost-admin-password

First, this document lacks the information, that console.php of a Tiki 21.4 needs to be run on at least PHP 7.1. That is not the default with every ISP, and it isn't with mine (Ionos/1&1, second largest hoster in Germany). If invoked as recommend this will yield:

<b>Parse error</b>:  syntax error, unexpected T_STRING, expecting T_CONSTANT_ENCAPSED_STRING or '(' in <b>MYHOMEDIR/agim/tiki-21.4/console.php</b> on line <b>9</b><br />

Workaround is easy, in my case, the invokation of PHP needs to be "php7.1" instead of "php". But that's dependant on a users's ISP. But I think you should state the PHP level necessary.

But invoked as PHP 7.1, console.php still won't reset the admin pw, and only yields:

Only available through command-line.

This WAS run on a command line... Inspection of console.php shows an, IMHO, unreliable CLI detection mechanism. Line 21 reads:

if (http_response_code() !== false) {
	die('Only available through command-line.');
}

So http_response_code() is assumed to be false, if run on a command line. A quick test script:

<?php
var_dump(http_response_code());
?>

yields this:

int(200)

This is in line with the PHP documentation, which says on https://www.php.net/manual/de/function.http-response-code.php

"If response_code is provided, then the previous status code will be returned. If response_code is not provided, then the current status code will be returned. Both of these values will default to a 200 status code if used in a web server environment.

false will be returned if response_code is not provided and it is not invoked in a web server environment (such as from a CLI application). true will be returned if response_code is provided and it is not invoked in a web server environment (but only when no previous response status has been set). "

As I started both scripts definitely on a command line (Linux bash window running commandline SSH!) either PHP's detection is disturbed by something, or it only tests for the presence of a web server. This environment of course contains a web server (every Tiki installation will have that), but no distinction as to that HOW php got started (invocation on CLI or invocation by Apache) is done, so it defaults to 200.

So another, more reliable detection mechanism is needed here.

Thanks

This bug has been demonstrated on show2.tiki.org

Please demonstrate your bug on show2.tiki.org