Plugin Check for Background Manager Plugin

(@modularbase)

I performed a plugin check on my site with the Plugin-Check plugin and got the following warnings regarding the Background Manager plugin, some of which refer to “ini_set”, “eval()”, “base64_encode()” and “possible file operations” among other (full list below).

Being cautious and considering WP security, I only wish to know if these are required for the plugin’s operation or not. I investigated the plugin via FTP and it seems to have a great deal of file directories inside file directories, much more than any other of the plugins I have installed.

I would like opinions on this, please.
If this code is fine, then my apologies to the Background Manager plugin creator.

List of Warnings:

WARNING: Found ini_set in the file background-manager/vendor/Twig/lib/Twig/Autoloader.php. Themes should not change server PHP settings.

Line 25: ini_set('unserialize_callback_func', 'spl_autoload_call');

WARNING: Found ini_set in the file background-manager/vendor/OAuth/lib/HTTP/Request2/Adapter/Socket.php. Themes should not change server PHP settings.

Line 317: $track = @ini_set('track_errors', 1);

Line 329: @ini_set('track_errors', $track);

WARNING: Found ini_set in the file background-manager/vendor/OAuth/lib/HTTP/Request2.php. Themes should not change server PHP settings.

Line 963: $track = @ini_set('track_errors', 1);

Line 969: @ini_set('track_errors', $track);

WARNING: Found eval in the file background-manager/vendor/Twig/lib/Twig/Test/IntegrationTestCase.php. eval() is not allowed..

Line 70: eval('$ret = '.$condition.';');

Line 82: ), $match[2] ? eval($match[2].';') : array());

Line 108: $output = trim($template->render(eval($match[1].';')), '\n ');

WARNING: Found eval in the file background-manager/vendor/Twig/lib/Twig/Environment.php. eval() is not allowed..

Line 321: eval('?>'.$this->compileSource($this->loader->getSource($name), $name));

WARNING: Found base64_encode in the file background-manager/vendor/pf4wp/lib/Pf4wp/Common/Helpers.php. base64_encode() is not allowed.

Line 249: $slug = substr(base64_encode(md5($string)), 3, 6);

Line 317: $result = base64_encode($result);

Line 374: * @return string Base64 encoded string safe to use with <code>base64_encode()</code>

Line 461: $result = sprintf('data:%s;base64,%s', str_replace('; charset=binary', '', $mime), preg_replace('#\s#', '', base64_encode($data)));

WARNING: Found base64_encode in the file background-manager/vendor/OAuth/lib/HTTP/Request2/Adapter/Socket.php. base64_encode() is not allowed.

Line 748: 'Basic ' . base64_encode($auth['user'] . ':' . $auth['password']);

Line 797: 'Basic ' . base64_encode($user . ':' . $password);

WARNING: Found base64_encode in the file background-manager/vendor/OAuth/lib/HTTP/OAuth/Signature/HMAC/SHA1.php. base64_encode() is not allowed.

Line 56: return base64_encode(

WARNING: Found base64_decode in the file background-manager/vendor/pf4wp/lib/Pf4wp/Common/Helpers.php. base64_decode() is not allowed.

Line 348: return mcrypt_decrypt(MCRYPT_BLOWFISH, $pass_phrase, base64_decode($data), MCRYPT_MODE_ECB, mcrypt_create_iv(mcrypt_get_iv_size(

Line 352: return $bf->decrypt(base64_decode($data));

WARNING: Found @exec in the file background-manager/vendor/pf4wp/lib/Pf4wp/Common/Helpers.php. PHP sytem calls should be disabled by server admins anyway!.

Line 398: @exec(sprintf('file -bi %s', escapeshellarg($file)), $mime, $exec_result);

WARNING: Both DOS and UNIX style line endings were found in the file smart-youtube/smartyoutube.php. This causes a problem with SVN repositories and must be corrected before the theme can be accepted. Please change the file to use only one style of line endings.
WARNING: fwrite was found in the file background-manager/vendor/pf4wp/lib/Pf4wp/Storage/StoragePath.php possible file operations.

Line 227: @fwrite($fp, 'deny from all');

WARNING: fwrite was found in the file background-manager/vendor/OAuth/lib/HTTP/Request2/Observer/Log.php possible file operations.

Line 208: fwrite($this->target, $message . '\r\n');

WARNING: fwrite was found in the file background-manager/vendor/OAuth/lib/HTTP/Request2/Adapter/Socket.php possible file operations.

Line 156: if (false === @fwrite($this->socket, $headers, strlen($headers))) {

Line 907: if (false === @fwrite($this->socket, $str, strlen($str))) {

WARNING: fread was found in the file background-manager/vendor/pf4wp/lib/Pf4wp/Common/Helpers.php possible file operations.

Line 450: $data = @fread($fh, $fs);

WARNING: fread was found in the file background-manager/vendor/OAuth/lib/HTTP/Request2/MultipartBody.php possible file operations.

Line 193: $ret     .= fread($this->_uploads[$pos]['fp'], $length);

WARNING: fread was found in the file background-manager/vendor/OAuth/lib/HTTP/Request2/Adapter/Socket.php possible file operations.

Line 903: $str = fread($this->requestBody, $bufferSize);

Line 963: $data = $this->fread($bufferSize);

Line 965: $data    = $this->fread(min($toRead, $bufferSize));

Line 1025: * Wrapper around fread(), handles global request timeout

Line 1031: protected function fread($length)

Line 1036: $data = fread($this->socket, $length);

Line 1075: $data = $this->fread(min($this->chunkLength, $bufferSize));

WARNING: fread was found in the file background-manager/vendor/OAuth/lib/HTTP/Request2/Adapter/Mock.php possible file operations.

Line 166: $response->appendBody(fread($fp, 8192));

WARNING: fread was found in the file background-manager/vendor/OAuth/lib/HTTP/Request2/Adapter/Curl.php possible file operations.

Line 415: $this->requestBody .= fread($fp, 16384);

Line 448: $string = fread($this->requestBody, $length);

WARNING: fopen was found in the file background-manager/vendor/pf4wp/lib/Pf4wp/Storage/StoragePath.php possible file operations.

Line 226: if ($fp = @fopen($htaccess, 'w')) {

WARNING: fopen was found in the file background-manager/vendor/pf4wp/lib/Pf4wp/Common/Helpers.php possible file operations.

Line 449: if (@is_file($file) && @is_readable($file) && ($fs = @filesize($file)) > 0 && ($fh = @fopen($file, 'rb')) !== false) {

WARNING: fopen was found in the file background-manager/vendor/OAuth/lib/HTTP/Request2/Observer/Log.php possible file operations.

Line 137: } elseif (false === ($this->target = @fopen($target, 'ab'))) {

WARNING: fopen was found in the file background-manager/vendor/OAuth/lib/HTTP/Request2.php possible file operations.

Line 586: $fileData = $this->fopenWrapper($body, empty($this->headers['content-type']));

Line 649: $fileData = $this->fopenWrapper($filename, empty($contentType));

Line 663: $fileData = $this->fopenWrapper($f[0], empty($f[2]));

Line 941: * Wrapper around fopen()/fstat() used by setBody() and addUpload()

Line 949: protected function fopenWrapper($file, $detectType = false)

Line 964: if (!($fileData['fp'] = @fopen($file, 'rb'))) {

WARNING: fopen was found in the file background-manager/app/Myatu/WordPress/BackgroundManager/Main.php possible file operations.

Line 641: if (@is_file($desc_file) && ($handle = @fopen($desc_file, 'r')) != false) {

WARNING: file_put_contents was found in the file background-manager/vendor/pf4wp/lib/vendor/Symfony/Component/ClassLoader/ClassCollectionLoader.php possible file operations.

Line 183: if (false !== @file_put_contents($tmpFile, $content) && @rename($tmpFile, $file)) {

WARNING: file_put_contents was found in the file background-manager/vendor/Twig/lib/Twig/Environment.php possible file operations.

Line 1198: if (false !== @file_put_contents($tmpFile, $content)) {

WARNING: file_get_contents was found in the file tac/tac.php possible file operations.

Line 65: $file_string = file_get_contents($tfile);

WARNING: file_get_contents was found in the file smart-youtube/smartyoutube.php possible file operations.

Line 1234: $thumbs = unserialize(file_get_contents('http://vimeo.com/api/v2/video/$file.php'));

Line 1249: $thumbs = unserialize( file_get_contents( 'http://vimeo.com/api/v2/video/$file.php' ) );

WARNING: file_get_contents was found in the file background-manager/vendor/pf4wp/lib/vendor/Symfony/Component/ClassLoader/ClassCollectionLoader.php possible file operations.

Line 62: $meta = unserialize(file_get_contents($metadata));

Line 94: $c = preg_replace(array('/^\s*<\?php/', '/\?>\s*$/'), '', file_get_contents($r->getFileName()));

WARNING: file_get_contents was found in the file background-manager/vendor/pf4wp/lib/Pf4wp/Info/PluginInfo.php possible file operations.

Line 200: $source = @file_get_contents($filename, null, null, 0, 8192);

WARNING: file_get_contents was found in the file background-manager/vendor/Twig/lib/Twig/Test/IntegrationTestCase.php possible file operations.

Line 42: $test = file_get_contents($file->getRealpath());

WARNING: file_get_contents was found in the file background-manager/vendor/Twig/lib/Twig/Loader/Filesystem.php possible file operations.

Line 126: return file_get_contents($this->findTemplate($name));

WARNING: file_get_contents was found in the file background-manager/vendor/OAuth/lib/HTTP/OAuth/Provider/Request.php possible file operations.

Line 332: return file_get_contents('php://input');

WARNING: fclose was found in the file background-manager/vendor/pf4wp/lib/Pf4wp/Storage/StoragePath.php possible file operations.

Line 228: @fclose($fp);

WARNING: fclose was found in the file background-manager/vendor/pf4wp/lib/Pf4wp/Common/Helpers.php possible file operations.

Line 451: @fclose($fh);

WARNING: fclose was found in the file background-manager/vendor/OAuth/lib/HTTP/Request2/Adapter/Socket.php possible file operations.

Line 418: fclose($this->socket);

WARNING: fclose was found in the file background-manager/app/Myatu/WordPress/BackgroundManager/Main.php possible file operations.

Line 643: fclose($handle);

WARNING: curl_init was found in the file background-manager/vendor/OAuth/lib/HTTP/Request2/Adapter/Curl.php possible file operations.

Line 235: * @return   resource    a cURL handle, as created by curl_init()

Line 240: $ch = curl_init();

WARNING: curl_exec was found in the file background-manager/vendor/OAuth/lib/HTTP/Request2/Adapter/Curl.php possible file operations.

Line 195: if (false === curl_exec($ch = $this->createCurlHandle())) {

REQUIRED: add_contextual_help found in the file background-manager/vendor/pf4wp/lib/Pf4wp/Menu/StandardMenu.php. Deprecated since version 3.3. Use get_current_screen()->add_help_tab() instead.

Viewing 2 replies - 1 through 2 (of 2 total)

Anonymous User 4048828
(@anonymized-4048828)

12 years, 9 months ago
The plugin uses Symfony2 conventions regarding initialization and directory structures.

The “app” directory follows the namespace for the Background Plugin: /Myatu/WordPress/BackgroudManager/

The sub-directories within it are futher namespaces. This is because of the use of an auto-loader for files to include (namespace = directory).

The “resources” directory contains files that will be publicly accessible, such as images, javascript, and HTML.

The “vendor” directory contains 3rd party packages that the plugin needs to run:
- Pf4wp is my own plugin framework, which can be found at: https://github.com/Myatu/pf4wp. It is used as a wrapper for common WordPress functions, which may change from time to time. This helps me ensure that a change by WordPress can be propagated to all plugins based upon this framework.
- Twig is a 3rd party package by Fabien Potencier, author the Symfony2 project, and can be found here: https://github.com/fabpot/Twig. It is used to render easy-to-understand/write HTML templates/views (found in the previously mentioned “resources” directory) into actual HTML output.
- OAuth is a 3rd party package provided by Jeff Hodson: http://github.com/jeffhodsdon/HTTP_OAuth. This is used for API calls to Flickr, which requires uses OAuth to authenticate such calls.
The “store” directory is used for temporary files, mainly to cache the output generated by Twig. It is safe to delete this directory, or to mark it as “read-only” if you do not wish anything to be stored there. I opted to store these files here, rather than a specific directory within wp-content, to ensure that everything can be removed in one fell swoop should the end-user decide to do so, rather than search for various locations where it might store things.

Regarding the warnings, the base64_encode/decode is used to ensure particular output generated can be safely stored in a database, added to an URL or HTML or otherwise. No base64_encoded data is used in conjunction with “eval()”, which would otherwise be a security risk, I agree.

The “exec” function is only executed on systems that support it (and thus is safe to disable in the php.ini without it affecting the plugin). It is used to determine the MIME-type of a file, for which PHP itself has a rather poor support.

The file “smart-youtube/smartyoutube.php” is not part of Background Manager.

The last line regarding “add_contextual_help” is there to provide backward compatibility with older versions of WordPress, and is not used on newer versions.

To date there have been zero security incidents that involve the Background Manager plugin. If you feel that something in particular poses a security risk nonetheless, I will gladly address it.

If you have any questions, let me know and I’ll do my best to answer them.
Thread Starter ModularBase
(@modularbase)

12 years, 9 months ago

myatu,

I appreciate your swift reply.

(“The file “smart-youtube/smartyoutube.php” is not part of Background Manager.” – I forgot to take that one out when I pasted.)

Being as your plugin came from the depository, I didn’t think that there was anything malicious in it, but I thought I would ask in case something had been injected after I had installed your plugin, even though I have all the safe-guards recommended by WordPress, and more.

Let me say that I am very pleased with your plugin. It is an asset to my site’s design and I have had clients inquire as to implementing it in their sites.

Again, thank you for your prompt reply.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Plugin Check for Background Manager Plugin’ is closed to new replies.

Plugin Check for Background Manager Plugin

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics