[Plugin: PHP Code Widget] Code-dependent save failure

  • With the php-code widget, if I put in
    <?php echo "Coming soon"; ?>
    I get what I expect (those two words appearing in the sidebar in the right place).

    If I edit a PHP file manually and serve it through php, and put in
    <?php system("date"); ?>
    I get what I expect (the current system date at that point in the page).

    Back in the php-code widget, if I put that same exact code — I can’t save it. I click save, and it just sits there spinning the activity spinner forever. This repeats many times, and when I change the data back to something trivial the save suddenly works again.

    This is the Dreamhost PHP install, with my own WordPress install running on it. PHP isn’t running in safe mode, and as I say, that “system” function works in a manually-created php file.

    Is there anything in widget content editing that might be blocking my save? And why isn’t it giving me an error message if so? And how can I turn it off?

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author Samuel Wood (Otto)

    (@otto42) Admin

    The widget isn’t blocking your save, but the host might be. mod_security and similar things would prevent such a post from going through.

    Bet you a dollar that the same thing happens if you try to save the same content in a normal Text widget.

    You appear to be correct; I can’t save it in a text widget either.

    So the block is somehow happening in the WordPress widget editing page, and it’s not specific to the plugin. Note that isn’t a POST, it’s me as administrator of the site editing a widget.

    Oh, my. Here’s one for the laugh-track:

    Whatever it is that blocks system("date") is NOT smart enough to block eval("sys" . "tem" . '(' . "'date'" . ');').

    That’s a hoot! (Given that it doesn’t know eval, I probably don’t need the obfuscation in constructing the string, but I haven’t tried that yet.)

    Given that what I want to do (running “date” is just a simple test of a well-known utility, not my ultimate goal) would not be interpolating anything into the string, it’s not even particularly a security hole.

    Further, at least some of the obfuscation IS necessary; using a single simple string doesn’t work. <?php eval("sys" . "tem('date');"); ?> works.

    Plugin Author Samuel Wood (Otto)

    (@otto42) Admin

    Want a laugh? Bet you that you can’t put the same exact content in a normal Post either.

    Talk to your host, tell them that their “mod_security” settings are ridiculous.

    Plugin Author Samuel Wood (Otto)

    (@otto42) Admin

    Oh, if you need a workaround that’s a bit simpler:

    $fun = 'sys'.'tem';
  • The topic ‘[Plugin: PHP Code Widget] Code-dependent save failure’ is closed to new replies.
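
The behaviour reported in this thread, reproduced as an added example (not code from the thread, the plugin, or mod_security): a toy request-body signature is run over the snippets quoted above, first on the raw body and then after folding PHP string-literal concatenation. The regexes and function names are assumptions made for illustration; the host's real rule is not shown anywhere on the page.

```python
import re

# Toy stand-in for a request-body signature. Assumption for illustration only:
# the thread never shows the host's actual rule.
SYSTEM_CALL = re.compile(r"\bsystem\s*\(", re.IGNORECASE)

# Seam between two PHP string literals joined with ".": quote, dot, quote.
# Over-approximate on purpose: a literal '.' string is folded as well.
CONCAT_SEAM = re.compile(r"""["']\s*\.\s*["']""")

# Snippets quoted from the thread (the last one is a fragment, kept as posted).
SAMPLES = [
    """<?php echo "Coming soon"; ?>""",
    """<?php system("date"); ?>""",
    """<?php eval("sys" . "tem" . '(' . "'date'" . ');'); ?>""",
    """<?php eval("sys" . "tem('date');"); ?>""",
    """$fun = 'sys'.'tem';""",
]


def naive_match(body: str) -> bool:
    """Match the raw body, as a plain string signature would."""
    return bool(SYSTEM_CALL.search(body))


def fold_concatenation(body: str) -> str:
    """Drop literal-to-literal seams so "sys" . "tem" reads as "system"."""
    previous = None
    while previous != body:
        previous, body = body, CONCAT_SEAM.sub("", body)
    return body


def normalized_match(body: str) -> bool:
    """Match after folding concatenated string literals."""
    return bool(SYSTEM_CALL.search(fold_concatenation(body)))


def evaluate(samples=SAMPLES):
    """Return (naive, normalized) verdicts for each sample body."""
    return [(naive_match(s), normalized_match(s)) for s in samples]


if __name__ == "__main__":
    for body, (naive, norm) in zip(SAMPLES, evaluate()):
        print(f"naive={naive!s:5} normalized={norm!s:5} {body}")
```

The final fragment matches neither check because the function name never sits next to a parenthesis, which is why a body signature like this cannot stand in for controlling who may store PHP on the site.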