[Plugin: ArtistDataPress] Bypassing safe mode/open_basedir restriction

Hey, I’m a sysadmin at a web hosting company specializing in musicians’ web sites and we’ve had a few customers asking us about this “PHP settings are incompatible” error message, not being able to use this plugin because, like most shared hosting companies out there, we have open_basedir enabled. There’s no way we can, as suggested, simply “turn off” this important security setting, with one very relevant reason being that many older WP plugins or themes have known exploits/vulnerabilities (plus a lot of other important security reasons I won’t go into here), so we’ve had to find other solutions.

I dug into the code and saw the only reason for this requirement was the use of curl_setopt CURLOPT_FOLLOWLOCATION, which apparently became “unsafe” in PHP 5.2.0 (according to the PHP changelog).

My original fix for this was to go into our users’ wp-admin and change the “XML feed URL” to the “final” URL (i.e. the address the original URL redirects to), then comment-out the CURLOPT_FOLLOWLOCATION line in artistdatapress.php, but I just found out today that newer versions of this plugin auto-detects open_basedir != ” and dies-out before the user can even do anything (also, if a user upgrades from a previous version, this now generates an ugly warning on their site).

So, right now my *quick* fix for this is:

1) copy your feed URL and go there in your browser, if the address changes and is different from the feed URL you currently have set, you’ll want to copy this new “final” address and use it as the XML feed URL on this plugin’s settings page.

2) using FTP or something like http://wordpress.org/extend/plugins/advanced-code-editor/ you’ll need to edit the wp-content/plugins/artistdatapress/artistdatapress.php file and make two changes:

– in the “function options_page” block, BEFORE this line (currently line 188, as of v0.412):

if ( $obd != '' || $safe == '1' ) {

Add:

$obd=$safe='';

And towards the bottom of the file in “function get_xml”, change this line (currently line 674):

curl_setopt( $xml_url, CURLOPT_FOLLOWLOCATION, TRUE );

to:

//curl_setopt( $xml_url, CURLOPT_FOLLOWLOCATION, TRUE );

.. then, as long as your XML feed URL is the final location of the feed, this should work perfectly.

There’s a more proper fix for this that the developer might want to look into (since this issue limits the number of people who can actually use this plugin, and who might possibly donate). A quick search shows there are already a few decent examples of how to work around the CURLOPT_FOLLOWLOCATION open_basedir/safe_mode restriction in the curl_setopt php.net manual page notes:
http://php.net/manual/en/function.curl-setopt.php#102121
http://php.net/manual/en/function.curl-setopt.php#95027

Or, hell, if it’ll be accepted, I could even write & submit a patch for this myself, because having a permanent fix in the official code means I won’t have to manually fix this on our servers every time one of our customers installs/upgrades this thing 🙂

http://wordpress.org/extend/plugins/artistdatapress/