PHP Code Widget
Code-dependent save failure (7 posts)

  1. dd-b
    Posted 2 years ago #

    With the php-code widget, if I put in
    <?php echo "Coming soon"; ?>
    I get what I expect (those two words appearing in the sidebar in the right place).

    If I edit a PHP file manually and serve it through php, and put in
    <?php system("date"); ?>
    I get what I expect (the current system date at that point in the page).

    Back in the php-code widget, if I put that same exact code -- I can't save it. I click save, and it just sits there spinning the activity spinner forever. This repeats many times, and when I change the data back to something trivial the save suddenly works again.

    This is the Dreamhost PHP install, with my own WordPress install running on it. PHP isn't running in safe mode, and as I say, that "system" function works in a manually-created php file.

    Is there anything in widget content editing that might be blocking my save? And why isn't it giving me an error message if so? And how can I turn it off?


  2. Samuel Wood (Otto)
    Tech Ninja
    Plugin Author

    Posted 2 years ago #

    The widget isn't blocking your save, but the host might be. mod_security and similar things would prevent such a post from going through.

    Bet you a dollar that the same thing happens if you try to save the same content in a normal Text widget.

  3. dd-b
    Posted 2 years ago #

    You appear to be correct; I can't save it in a text widget either.

    So the block is somehow happening in the WordPress widget editing page, and it's not specific to the plugin. Note that isn't a POST, it's me as administrator of the site editing a widget.

  4. dd-b
    Posted 2 years ago #

    Oh, my. Here's one for the laugh-track:

    Whatever it is that blocks system("date") is NOT smart enough to block eval("sys" . "tem" . '(' . "'date'" . ');').

    That's a hoot! (Given that it doesn't know eval, I probably don't need the obfuscation in constructing the string, but I haven't tried that yet).

    Given that what I want to do (running "date" is just a simple test of a well-known utility, not my ultimate goal) would not be interpolating anything into the string, it's not even particularly a security hole.

  5. dd-b
    Posted 2 years ago #

    Further, at least some of the obfuscation IS necessary; using a single simple string doesn't work. <?php eval("sys" . "tem('date');"); ?> works.

  6. Samuel Wood (Otto)
    Tech Ninja
    Plugin Author

    Posted 2 years ago #

    Want a laugh? Bet you that you can't put the same exact content in a normal Post either.

    Talk to your host, tell them that their "mod_security" settings are ridiculous.

  7. Samuel Wood (Otto)
    Tech Ninja
    Plugin Author

    Posted 2 years ago #

    Oh, if you need a workaround that's a bit simpler:

    $fun = 'sys'.'tem';

Topic Closed

This topic has been closed to new replies.
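
An added example, not part of the thread and not the host's actual rule set: it applies a constructed body-inspection signature to the widget contents quoted above, first as raw text and then after folding adjacent PHP string literals, to show which submissions each check flags. The rule `NAIVE_RULE`, the `CONCAT` folding step and the function names are assumptions made for illustration.

```python
import re

# Constructed stand-in for a request-body signature; the host's real rule
# is not shown anywhere in the thread.
NAIVE_RULE = re.compile(r"\bsystem\s*\(", re.IGNORECASE)

# Closing quote, PHP concatenation dot, opening quote: "sys" . "tem" -> "system"
CONCAT = re.compile(r"""["']\s*\.\s*["']""")


def naive_match(body: str) -> bool:
    """Signature applied to the submitted text exactly as received."""
    return bool(NAIVE_RULE.search(body))


def folded_match(body: str) -> bool:
    """Same signature after joining adjacent string literals together."""
    return bool(NAIVE_RULE.search(CONCAT.sub("", body)))


# Widget contents quoted in the thread.
SAMPLES = {
    "echo": '<?php echo "Coming soon"; ?>',
    "direct": '<?php system("date"); ?>',
    "eval_split": """<?php eval("sys" . "tem" . '(' . "'date'" . ');'); ?>""",
    "eval_short": """<?php eval("sys" . "tem('date');"); ?>""",
    "variable": "$fun = 'sys'.'tem';",
}


def report() -> dict:
    """Map each sample name to (flagged by raw match, flagged after folding)."""
    return {name: (naive_match(s), folded_match(s)) for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive, folded) in report().items():
        print(f"{name:11} naive={naive!s:5} folded={folded}")
```

Folding catches both eval forms, but the `variable` sample is still not flagged, because the function name never sits next to a parenthesis in the submitted text. An execution-time restriction such as PHP's `disable_functions` directive does not depend on how the call was spelled in the request.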
