Alexander Leidinger

Just another weblog

Aug 18

WP plugins and PHP safe_mode

Obviously a lot of WP plugin authors do not check if their plugin is PHP safe_mode/open_basedir compatible. Yes, I know, it is deprecated and does not offer 100% safety, but it is at least an additional road-block in some cases and may prevent some malicious behavior… If I can choose between 100% break-in possibility and <100% break-in possibility, I choose the latter.

I also think most of them also do not check with suhosin. They also fail to list other PHP extension requirements most of the time; they just assume you have a full install.

  • quickstats wants the PHP ctype extension, does not seem to play well with sql.safe_mode while the rest of WP does not seem to have an obvious problem with it
  • wp-stats-dashboard wants the PHP curl and json extensions (curl does not play well with safe_mode or open_basedir => needs to be disabled), needs suhosin.executor.include.max_traversal set to 6; still does not work 100% correctly, I deleted the cache directory contents to let it recreate the stats, but it still does not display as many visits as I can see in the stats on the postings page
  • bot-tracker wants the PHP session extension
  • broken-link-checker tries to write to /var/tmp/ (safe_mode/open_basedir incompatible)
  • one-time-password does not play well with safe_mode/open_basedir
  • smartlinker tells me that the variable cookieString is not defined
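
A preflight check of the kind these plugins lack, as an added example that is not part of the original post or any plugin's code: it reports missing extensions and paths outside open_basedir instead of failing at runtime. The function names are hypothetical, the open_basedir match is a simplified directory comparison without symlink resolution, and the syntax is kept PHP 5.3 compatible because safe_mode only exists before PHP 5.4.

```php
<?php
// Added example. Function names are hypothetical; the extensions and /var/tmp
// are the ones named in the list above. PHP 5.3-compatible syntax.
// Return the required extensions that are not loaded in this PHP build.
function missing_extensions(array $required)
{
    return array_values(array_filter($required, function ($ext) {
        return !extension_loaded($ext);
    }));
}
// Simplified open_basedir test: true if $path lies under a listed directory.
// An empty setting means no restriction. Symlinks are not resolved here.
function allowed_by_open_basedir($path, $openBasedir)
{
    if ($openBasedir === '') {
        return true;
    }
    $path = rtrim($path, '/') . '/';
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $entry) {
        $base = rtrim($entry, '/') . '/';
        if ($entry !== '' && strncmp($path, $base, strlen($base)) === 0) {
            return true;
        }
    }
    return false;
}
// Collect every problem instead of stopping at the first one.
function preflight_report(array $extensions, array $paths)
{
    $report = array();
    foreach (missing_extensions($extensions) as $ext) {
        $report[] = "missing PHP extension: $ext";
    }
    $basedir = (string) ini_get('open_basedir');
    foreach ($paths as $path) {
        if (!allowed_by_open_basedir($path, $basedir)) {
            $report[] = "$path is outside open_basedir ($basedir)";
        } elseif (!is_writable($path)) {
            $report[] = "$path is not writable";
        }
    }
    if (filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN)) {
        $report[] = 'safe_mode is on (only possible before PHP 5.4)';
    }
    return $report;
}

$problems = preflight_report(array('ctype', 'curl', 'json', 'session'), array('/var/tmp'));
echo $problems ? implode(PHP_EOL, $problems) . PHP_EOL : "no problems found" . PHP_EOL;
```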