All-in-One Event Calendar
[resolved] [Plugin: All-in-One Calendar] Update leaves shell script (20 posts)

  1. gwc_wd
    Member
    Posted 2 years ago #

    After using the automatic updates for All-in-one-calendar, I ftp'd to my site and learned it had created its own directory above the themes directory, "themes-ai1ec".

    In that directory is a subdirectory called "vortex" which includes a directory called "less"

    In that less directory is a shell script called "build-css.sh" with the following code:

    #!/bin/bash

    LESSC="lessc --yui-compress --include-path=."

    if which -s lessc; then
        $LESSC general.less > ../css/general.css
        $LESSC calendar.less > ../css/calendar.css
        $LESSC event.less > ../css/event.css
        $LESSC print.less > ../css/print.css
    else
        echo 'Error: lessc not found. Install Node.js then: npm install -g less';
        exit 1;
    fi

    I deleted the entire structure and the plugin still appears to be working, but I am extremely concerned about any plugin that, first, is building outside the standard WordPress folder hierarchy and second, appears to be trying to execute stuff from the server command line. I've got a copy of the whole thing in a backup file if the authors need it.

    But I am immediately looking for an alternative because this kind of thing is too freakin scary.

    http://wordpress.org/extend/plugins/all-in-one-event-calendar/

  2. gwc_wd
    Member
    Posted 2 years ago #

    Update: The same stuff is replicated in the actual plugins directory in which AIC resides.

    There are also shell script files (.sh) scattered in different subdirectories.

    I did a thorough check of all my other plugins and not a single one of them includes a shell script.

    I see on the developer site they say they are moving to develop outside of the wordpress.org platform. That may explain why this extra code?
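
The manual check described in the two posts above (an unfamiliar directory next to `themes`, and `.sh` files inside plugin trees) can be scripted. This is an added example, not part of the thread or of the plugin's code; the `EXPECTED_DIRS` list, the function names and the sample tree (including `example-plugin`) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit wp-content for the two things
# discussed above: non-standard top-level directories and shell scripts.

# Assumption: top-level directories expected under wp-content on this install.
EXPECTED_DIRS="plugins themes uploads mu-plugins upgrade languages"

# Print each top-level directory under wp-content not listed in EXPECTED_DIRS.
unexpected_dirs() {
    find "${1%/}" -mindepth 1 -maxdepth 1 -type d | sort | while IFS= read -r d; do
        name=${d##*/}
        case " $EXPECTED_DIRS " in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Print files that are scripts by name (*.sh, *.bash, *.bat) or by a
# "#!...sh" first line, as paths relative to wp-content.
shell_scripts() {
    root=${1%/}
    find "$root" -type f | sort | while IFS= read -r f; do
        rel=${f#"$root"/}
        case "$f" in
            *.sh|*.bash|*.bat) printf '%s\n' "$rel"; continue ;;
        esac
        # Read only the first line; strip NULs so binary files are harmless.
        first=$(head -c 128 "$f" | tr -d '\000' | head -n 1)
        case "$first" in
            '#!'*sh|'#!'*sh' '*) printf '%s\n' "$rel" ;;
        esac
    done
}

# Print a labelled report; return 1 if anything was found, 0 if clean.
audit_wp_content() {
    report=$( unexpected_dirs "$1" | sed 's/^/unexpected-dir  /'
              shell_scripts "$1"   | sed 's/^/shell-script    /' )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Constructed sample tree mirroring the layout described in the first post.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/plugins/example-plugin" "$t/themes/twentyeleven" "$t/uploads" \
             "$t/themes-ai1ec/vortex/less" "$t/themes-ai1ec/vortex/css"
    printf '#!/bin/bash\nLESSC="lessc"\n' > "$t/themes-ai1ec/vortex/less/build-css.sh"
    printf '#!/bin/sh\necho hi\n' > "$t/plugins/example-plugin/helper"  # no extension
    printf 'body{}\n' > "$t/themes-ai1ec/vortex/css/general.css"
    printf '%s\n' "$t"
}

# With a path argument, audit it; with none, run on the constructed sample.
if [ "$#" -gt 0 ]; then
    audit_wp_content "$1" || echo "review the entries above"
else
    sample=$(make_sample_tree)
    audit_wp_content "$sample" || echo "review the entries above"
    rm -rf "$sample"
fi
```

A finding here is a prompt to review, not proof of compromise: the script only reports what is on disk and says nothing about whether any file is ever executed.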

  3. Yani Iliev
    Member
    Plugin Contributor

    Posted 2 years ago #

    @gwc_wd
    Nothing to be worried about.
    1. Why did we move from wordpress.org platform?
    - People started to copy our code and sell it. Our code is free and will always be free. WordPress platform cannot protect our code from being copied and then sold and that's the reason we moved from wordpress. Again our plugin will remain free but the code cannot be sold or reused without our permission.
    2. Themes-ai1ec folder
    - WordPress themes are stored in wp-content folder, we decided to do the same with our plugin's themes and store them in themes-ai1ec folder inside wp-content folder. Why? Well this way when you update your plugin, your themes folder will not be erased/removed and any changes that you make to the plugin's theme will be preserved.
    3. Bash script
    - We are using twitter bootstrap - http://twitter.github.com/bootstrap/ - it includes a tool called less - http://lesscss.org/
    The bash script simply converts your .less files to .css files
    Why is it in the package? - to allow you develop/modify/ your own less files that will change the look and feel of your calendar theme.
    Can it be or is something calling or executing the script? - No!
    I am still afraid, can I remove it? - Yes!
    4. Themes-ai1ec that is inside wp-content/plugins/all-in-one-event-calendar folder is being copied over to wp-content/ folder, that's why there are 2 folders named themes-ai1ec available on your system.

    If you have any other concerns or questions - help.then.ly
    Your feedback is always welcome.

  4. gwc_wd
    Member
    Posted 2 years ago #

    Thank you for the reassurances.

    Just for people's information, it is entirely possible to produce a successful commercial plugin for wordpress without "moving away from the wordpress.org platform." I'm a long-time licensed user of Gravity Forms and it is body-and-soul for wordpress <smile>.

    Regardless, if there is a need to call plugin-specific theme files, I think it should be done from within either the plugin's own directory tree, or within the wp-content/themes directory tree and not create an entire new directory under wp-content. It is difficult enough to harden an install without having to worry about non-standard folder structures.

    About expanding people's customization abilities, does it really require the presence of shell script files? Can this not be made optional? Perhaps even a paid-for feature only available to your premium customers. The current method does not give the user any choice, the code is simply put on their server whether or not they intend to "develop/modify/ your own less files that will change the look and feel of your calendar theme."

    People using the free plugin get to be happy with default css that comes with the plugin while those who support development by paying get the extra benefits of Less/shell scripts.

    I very much like your plugin, so please do not misunderstand.

    My biggest concern is that over the past two months that I've had aic active, my site has been getting hit by hacker bots that hit the aic plugin folder. I'm sure this is due to the fact that it was the second menu item after "Home" and not specifically directed at the plugin. And, nothing bad has happened from these attacks.

    But it does make me very sensitive about any non-standard code.

    So I've downgraded to the 1.5 version which does not do any of these things and will use it while I explore other options.

    I do wish you well on your efforts.

  5. Yani Iliev
    Member
    Plugin Contributor

    Posted 2 years ago #

    > Just for people's information, it is entirely possible to produce a successful commercial plugin for wordpress without "moving away from the wordpress.org platform." I'm a long-time licensed user of Gravity Forms and it is body-and-soul for wordpress <smile>.

    - no, our plugin is not commercial - it is free and we want it to stay free. "moving away from the wordpress.org platform" - refers to moving the source code of the plugin from wordpress.org plugin directory to our own website, not to moving the code out of wordpress itself

    > Regardless, if there is a need to call plugin-specific theme files, I think it should be done from within either the plugin's own directory tree, or within the wp-content/themes directory tree and not create an entire new directory under wp-content. It is difficult enough to harden an install without having to worry about non-standard folder structures.

    - There are new directories created in wp-content when you switch to WPMU for example, other plugins are also using wp-content, however, I'll explain why the approaches that you suggested will not work
    * store themes in plugin folder - when plugin is updated, wordpress will delete all files from the plugin's folder and the plugin's folder itself before adding the update version, so if you made any changes to a theme, all of the changes will be lost.
    * store themes in themes folder - that folder is specifically designed for wordpress themes, if you add a new folder in there, wordpress will try to parse it as a theme and since it will not be able to do so, it will list it as a broken theme.

    > About expanding people's customization abilities, does it really require the presence of shell script files? Can this not be made optional? Perhaps even a paid-for feature only available to your premium customers. The current method does not give the user any choice, the code is simply put on their server whether or not they intend to "develop/modify/ your own less files that will change the look and feel of your calendar theme."

    - I agree, it should be separated and we will provide a new developers package probably. We don't have premium customers all of our versions are free, don't get confused by the premium version - it simply means it offers more features than the version on wordpress but it is also free and will remain free.

    > People using the free plugin get to be happy with default css that comes with the plugin while those who support development by paying get the extra benefits of Less/shell scripts.

    - We want to offer for choices so that the plugin can match more designs/themes. People using the "free" version should update to the "premium" version asap. I don't see any reason not to do it - it is the actual 1.6 version just hosted on our own server.

    > My biggest concern is that over the past two months that I've had aic active, my site has been getting hit by hacker bots that hit the aic plugin folder. I'm sure this is due to the fact that it was the second menu item after "Home" and not specifically directed at the plugin. And, nothing bad has happened from these attacks.

    - We take security very seriously. All vulnerability reports are being checked on the same day and if there is a problem we will release an update on the same date. Currently, the number of vulnerabilities found in the plugin is 0.

    > So I've downgraded to the 1.5 version which does not do any of these things and will use it while I explore other options.

    - 1.5 is also a good version but if I were you, I'd use 1.6 :)

    > I do wish you well on your efforts.

    Thank you, same to you too!

  6. NinkyNoo
    Member
    Posted 2 years ago #

    One of our many administrators (not sure who yet!? need to do some user role downgrades ASAP) upgraded the ai1ec plugin to 1.6.3 from 1.5 and now the fancy scrolling image banner on our home page is just blank and completely inop. (from the Echoes theme) I have discovered that by simply deleting the new themes-ai1ec folder the problem is fixed.

    I'm very new to WordPress (and PHP) but this strange interaction between seemingly unrelated components is both surprising and worrying.

  7. Yani Iliev
    Member
    Plugin Contributor

    Posted 2 years ago #

    @NinkyNoo
    1. We are aware of the scrolling banner issue. It will be fixed in 1.7
    2. Deleting themes-ai1ec will cause the plugin to not function correctly, in most cases the plugin will try to restore the folder by itself.
    3. This topic is about a different issue, please start a new topic next time. I also recommend you to use help.then.ly. Your issue has been documented there :)

  8. flamenco
    Member
    Posted 2 years ago #

    Interesting info and reasoning. I do follow your thoughts about why to have that extra folder.

    I will still put in a vote for having a "no extra folder", no LESS or templates option, which could be maybe done via plugin admin. I am a CSS geek, but I've never had the desire to change your styling, nor have I had a request for it.

    Many plugins, I believe, store their CSS in the database, although I can see where to generate CSS from "LESS" code, there may be no other way beyond that fancy server-level stuff. But that's adding quite a bit of complication, and though LESS is very cool, I don't like it enough to warrant adding these complications to a plugin.

    I was alarmed when I saw that extra folder, and others will be, too.

    Thanks for being responsive in any case!
    Dave

  9. gwc_wd
    Member
    Posted 2 years ago #

    > I do follow your thoughts about why to have that extra folder.

    I don't quite follow it.

    I'm good with the idea of keeping theme customizations through updates.

    I don't accept that means there should be a child theme folder created in the wp-content directory.

    I do not understand, if the issue is protect theme customizations, why that folder cannot be created in wp-content/themes the same as any child theme. It would be protected against update changes.

    If there is more to it than theme changes, such as trying to provide for people to change core plugin files, not theme files, then create a subfolder in the plugins directory that you don't overwrite during updates. Changing core plugin files should be an uncommon occurrence anyway, IMHO, not a "feature" to promote to the broad audience of WordPress users.

    The comparison to MU Domain Mapping is not apples-to-apples, since plugins placed in the wp-content folder were intended to be in effect network-wide, not site by site.

    I think All-in-One Event Calendar is the best event plugin actually "available." (The pay me for most features ones are only partially available and don't add value over AI1EC as far as I can see.) I love the plugin - at v 1.5

    I'm really disappointed that they've decided to make the default distribution one that is suited for developer types rather than web admin types.

  10. lindaloustarr
    Member
    Posted 2 years ago #

    I deleted the all in one calendar a long time ago, only because it conflicted with another plugin I had to have, and this folder themes-ai1ec/vortex keeps showing up in my wp-content folder how do I get rid of it completely?
    Thank you for your kind reply :)
    Linda Lou

  11. Yani Iliev
    Member
    Plugin Contributor

    Posted 2 years ago #

    @gwc_wd

    > I don't accept that means there should be a child theme folder created in the wp-content directory.
    >
    > I do not understand, if the issue is protect theme customizations, why that folder cannot be created in wp-content/themes the same as any child theme. It would be protected against update changes.

    wp-content/themes is the themes folder used by wordpress. If we put a new folder there wordpress will read it as a wordpress theme and it will show in the list of available themes.

    > then create a subfolder in the plugins directory that you don't overwrite during updates.

    - WordPress updates/upgrades unfortunately do not work this way:
    1. New plugin is downloaded in a temp dir and extracted
    2. Blog is put in maintenance mode
    3. Old plugin is disabled
    4. Old plugin is removed/deleted
    5. New plugin is copied from the tmp directory to the destination directory.
    6. Maintenance mode is removed
    7. New plugin is activated

    > The comparison to MU Domain Mapping is not apples-to-apples, since plugins placed in the wp-content folder were intended to be in effect network-wide, not site by site.

    We are not placing plugin in the wp-content. If you look closely at the name "wp-content" it has content inside its name and it is meant to store content in there. We are not the first plugin using wp-content to store a folder. You are asking me why we put the folder there and I gave you a few examples and reason why but you are not saying why you don't want the folder there. Maybe we are missing what you are seeing so if you tell us, we will be happy to think of alternative solution.

    > I think All-in-One Event Calendar is the best event plugin actually "available." (The pay me for most features ones are only partially available and don't add value over AI1EC as far as I can see.) I love the plugin - at v 1.5

    1.5 is a good version but being a user of ai1ec on a daily basis you are missing a lot. 1.8 version includes many features not just from a feature standpoint of view but also in terms of performance. v1.8 is the first version that runs within its own namespace so it shouldn't have conflicts with other plugins and/or themes. I understand that changing from what you are used to, to something new could be challenging but that's a move into the right direction and it will keep the progress.

    > I'm really disappointed that they've decided to make the default distribution one that is suited for developer types rather than web admin types.

    - Why do you say that? Any software starts with a low level functionality that is then being built on. So the themes that you have now in 1.8 - this will be changed in 1.9 to include customizing of themes directly from admin interface. We've always wanted to keep the interface easy and yet powerful to use but it just takes time. We do not intend to make the plugin "dev" friendly but we intend to make the plugin as much user-friendly as we can.

  12. Yani Iliev
    Member
    Plugin Contributor

    Posted 2 years ago #

    @lindaloustarr
    You can delete wp-content/themes-ai1ec folder via FTP.
    v1.8 is designed in such way to not conflict with other plugins or themes. Give it a try - http://time.ly

  13. lindaloustarr
    Member
    Posted 2 years ago #

    I have deleted it ftp several times & it keeps showing up, I have been thinking it was a hack until yesterday when I did a search on it, how many times do I have to delete (been 4 so far) before it stops showing up? LOL
    Linda Lou

  14. Yani Iliev
    Member
    Plugin Contributor

    Posted 2 years ago #

    @Linda
    No, it's not a hack. That folder is needed by the plugin to function correctly. In your first message you said that you have deleted the plugin. I think that the plugin is still active and that's why you see the folder being created over and over again. Make sure that the plugin is uninstalled from your wordpress - domain.com/wp-admin -> Plugins. Let me know if you need further assistance.

  15. lindaloustarr
    Member
    Posted 2 years ago #

    thank you yani - i know now it's not a hack but I didn't before, here's a list of my plugins - you can see all-in-one calendar is not there & hasn't been for over a month - & on wednesday I deleted the themes-ai1ec folder for the fourth time :)

    akismet
    better delete revision
    cloudflare
    contact form 7
    custom login redirect
    disqus comment system
    events
    facebook
    gd star rating
    google xml sitemap for images
    google xml sitemap for videos
    google xml sitemap
    grand flash album gallery
    hello dolly
    hungryfeed
    mailchimp
    mailchimp comment optin
    no self pings
    quick page post redirect dev
    rdfa breadcrumb
    really simple captcha
    revision control
    simple mailchimp email list subscriber
    skysa app bar integration
    tentblogger optimize
    tentblogger seo categories
    tentblogger social widget
    tentblogger vimeo, youtube rss embed
    ultimate tinymce
    vslider
    wordpress seo
    wp-postratings
    wp css3 pricing tables
    wp robots txt
    yikes, inc easy mailchimp extender

  16. gwc_wd
    Member
    Posted 2 years ago #

    @yani.iliev

    I'm not "a user of ai1ec on a daily basis" but just installed for a friend. A while back I finally broke down and updated them to the current version mostly to stay current against any legacy vulnerabilities that might crop up for outdated versions. Anyway, I'm sure she's got the most recent version going and has experienced no problems.

    > Maybe we are missing what you are seeing so if you tell us, we will be happy to think of alternative solution.

    Your explanations all make sense to me. I actually had edited the code so that the ai1ec theme folder could live in the wp-themes folder as a child theme and it worked just fine. But I get your point that if it shows up in the themes list, some admin may just try to use it as a site theme. I tried that for curiosity and other than the site not displaying, there was no harm done, so at worst it would be a momentary experiment for any admin. But, as I say, I take your point.

    My main concern about having an extra directory under the wp-content directory is that I go to a lot of trouble to secure and harden the wordpress installation. Having to worry about one more directory -- which is not at all common, despite your example -- is frustrating, particularly when that directory contains shell script files.

    > the default distribution one that is suited for developer types rather than web admin types.
    >
    > - Why do you say that?

    I said it because that is basically what you told me is the reason for having the LESS system and the accompanying shell script files included in the default distribution.

    The very vast majority of WordPress admins will never use that functionality but they get it installed -- and cannot remove it -- because you told me you explicitly wish to create a development platform for others to customize. Which is a great purpose and a wonderful contribution to the community. But it does mean that web admins must receive -- and account for -- a system of files that they will never use, other than to try to prevent their misuse by malicious visitors.

    I am not in any way suggesting that ai1ec is insecure or has vulnerabilities, anymore than any other plugin or theme. I am talking about the job of proactive hardening and vulnerability prevention.

    My simple-minded thinking is that addressing all the variability of WP installs is complex enough without introducing yet more factors with novel directory structures being *required* by default, when I bet the default for more than 80% of users will be to use the package as is.

    One alternative would be to not force the wp-themes/themes-ai1ec directory *unless* a web admin actually does create it. So the plugin could look to see if it exists and if it does, then use that for the plugin's theme, but if it does not, *don't create it* and just use the theme in the plugin directory.

    Ideally I'd like to see the shell scripts and all that stuff require a separate download for the developers who want to do their own customization. If someone wants to add LESS, let them do it consciously.

    But none of my harping takes away an iota from the really outstanding work that All-in-one-event-calendar represents. It is a genuinely superior product with functionality exceeding what others are selling for some surprisingly high prices.

    So good on you all at time.ly and I have nothing but positive wishes for the continued success of your project.

  17. Yani Iliev
    Member
    Plugin Contributor

    Posted 2 years ago #

    Thanks for your feedback.

    > I said it because that is basically what you told me is the reason for having the LESS system and the accompanying shell script files included in the default distribution.
    >
    > The very vast majority of WordPress admins will never use that functionality but they get it installed -- and cannot remove it -- because you told me you explicitly wish to create a development platform for others to customize. Which is a great purpose and a wonderful contribution to the community. But it does mean that web admins must receive -- and account for -- a system of files that they will never use, other than to try to prevent their misuse by malicious visitors.

    - We are not shipping a shell, bat, or any other sort of scripts with v1.8 and up. We created a dev version that is available upon request.

  18. Yani Iliev
    Member
    Plugin Contributor

    Posted 2 years ago #

    @lindaloustarr
    - could it be a plugin or something else that is recovering your wp install to a particular state every X days?
    I cannot see what else could be causing this. ai1ec will do that only if it is installed and enabled but you don't even have it in your plugins folder so it must be something else. Check your wp-content/plugins folder, maybe something is left there?

  19. gwc_wd
    Member
    Posted 2 years ago #

    > We are not shipping a shell, bat, or any other sort of scripts with v1.8 and up. We created a dev version that is available upon request.

    You guys are very responsive!

    Would that I could give you another 5 star rating (already did some time ago).

    @lindaloustarr

    I've probably played around with ai1ec as much as any user. I promise you there is no way at all for the plugin to recreate the directory unless it is actually installed and activated.

    It does recreate the wp-themes/themes-ai1ec directory if you have it active and manually delete that directory, because it needs that directory for its display information. So this really is not an ai1ec support issue and it becomes a matter of troubleshooting what else in your install/server/services might have this kind of effect.

    So what you are looking for is something that restores files rather than something directly related to ai1ec.

    I don't recognize most of the plugins on your list, but they don't appear to be of a kind that would recreate "missing" files or directories. Perhaps something like that is part of the Cloudflare service?

    You might find more help by posting under a general WP support topic, rather than here.

  20. lindaloustarr
    Member
    Posted 2 years ago #

    Ok, so I looked in my plugins folder there is nothing there relating to theme-ai1ec - all in one calendar but it's back again today, I took a screen shot too bad I can't send it here - but I assure you I deleted the original all in one calendar through wp deactivate then delete over a month ago & now that folder is back ! I have never had that happen with any other plugin installed then deleted, &, I optimize my database regularly . . .

Topic Closed

This topic has been closed to new replies.
