WordPress.org

Ready to get started?Download WordPress

Forums

ArtistDataPress
[resolved] Bypassing safe mode/open_basedir restriction (3 posts)

  1. Ryan at HostBaby
    Member
    Posted 1 year ago #

    Hey, I'm a sysadmin at a web hosting company specializing in musicians' web sites and we've had a few customers asking us about this "PHP settings are incompatible" error message, not being able to use this plugin because, like most shared hosting companies out there, we have open_basedir enabled. There's no way we can, as suggested, simply "turn off" this important security setting, with one very relevant reason being that many older WP plugins or themes have known exploits/vulnerabilities (plus a lot of other important security reasons I won't go into here), so we've had to find other solutions.

    I dug into the code and saw the only reason for this requirement was the use of curl_setopt CURLOPT_FOLLOWLOCATION, which apparently became "unsafe" in PHP 5.2.0 (according to the PHP changelog).

    My original fix for this was to go into our users' wp-admin and change the "XML feed URL" to the "final" URL (i.e. the address the original URL redirects to), then comment-out the CURLOPT_FOLLOWLOCATION line in artistdatapress.php, but I just found out today that newer versions of this plugin auto-detects open_basedir != '' and dies-out before the user can even do anything (also, if a user upgrades from a previous version, this now generates an ugly warning on their site).

    So, right now my *quick* fix for this is:

    1) copy your feed URL and go there in your browser, if the address changes and is different from the feed URL you currently have set, you'll want to copy this new "final" address and use it as the XML feed URL on this plugin's settings page.

    2) using FTP or something like http://wordpress.org/extend/plugins/advanced-code-editor/ you'll need to edit the wp-content/plugins/artistdatapress/artistdatapress.php file and make two changes:

    - in the "function options_page" block, BEFORE this line (currently line 188, as of v0.412):

    if ( $obd != '' || $safe == '1' ) {

    Add:

    $obd=$safe='';

    And towards the bottom of the file in "function get_xml", change this line (currently line 674):

    curl_setopt( $xml_url, CURLOPT_FOLLOWLOCATION, TRUE );

    to:

    //curl_setopt( $xml_url, CURLOPT_FOLLOWLOCATION, TRUE );

    .. then, as long as your XML feed URL is the final location of the feed, this should work perfectly.

    There's a more proper fix for this that the developer might want to look into (since this issue limits the number of people who can actually use this plugin, and who might possibly donate). A quick search shows there are already a few decent examples of how to work around the CURLOPT_FOLLOWLOCATION open_basedir/safe_mode restriction in the curl_setopt php.net manual page notes:
    http://php.net/manual/en/function.curl-setopt.php#102121
    http://php.net/manual/en/function.curl-setopt.php#95027

    Or, hell, if it'll be accepted, I could even write & submit a patch for this myself, because having a permanent fix in the official code means I won't have to manually fix this on our servers every time one of our customers installs/upgrades this thing :)

    http://wordpress.org/extend/plugins/artistdatapress/

  2. slushman
    Member
    Plugin Author

    Posted 1 year ago #

    Hey Ryan,
    Wow! Thanks for giving me this other perspective. I had tried another work around a versions ago, but it wasn't working, so I took it out. The two you posted here look more promising. I'll take a look and see what I can get working and post another update soon.
    Slushman

  3. slushman
    Member
    Plugin Author

    Posted 1 year ago #

    Hey Ryan,
    Finally got this resolved. Ends up, there's a WP function that can fetch external files and it doesn't require cURL and I couldn't find anyone who had server setting conflicts with it. The 0.5 update should resolve all these issues.
    Thanks for the help!
    Slushman

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic