WP plugins and PHP safe_mode

Obviously a lot of WP plugin authors do not check if their plugin is PHP safe_mode/open_basedir compatible. Yes, I know, it is deprecated and does not offer 100% safety, but it is at least an additional road-block in some cases and may prevent some malicious behavior… If I can choose between 100% break-in possibility and <100% break-in possibility, I choose the latter.

I also think most of them do not check with suhosin either. They also fail to list other PHP extension requirements most of the time; they just assume you have a full install.

  • quickstats wants the PHP ctype extension and does not seem to play well with sql.safe_mode, while the rest of WP does not seem to have an obvious problem with it
  • wp-stats-dashboard wants the PHP curl and json extensions (curl does not play well with safe_mode or open_basedir => needs to be disabled) and needs suhosin.executor.include.max_traversal set to 6; it still does not work 100% correctly: I deleted the cache directory contents to let it recreate the stats, but it still does not display as many visits as I can see in the stats on the postings page
  • bot-tracker wants the PHP session extension
  • broken-link-checker tries to write to /var/tmp/ (safe_mode/open_basedir incompatible)
  • one-time-password does not play well with safe_mode/open_basedir
  • smartlinker tells me that the variable cookieString is not defined
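
A preflight check for the requirements listed above, as an added example that is not part of the original post or of any of these plugins. The function names are hypothetical, the plugin-to-extension map is copied from the list, and the open_basedir test is a plain string comparison that assumes POSIX paths and does not resolve symlinks.

```php
<?php
// Added example: report missing extensions and restricted paths before enabling plugins.
// The plugin => extension map is taken from the list above; function names are hypothetical.
$required = array(
    'quickstats'         => array('ctype'),
    'wp-stats-dashboard' => array('curl', 'json'),
    'bot-tracker'        => array('session'),
);

// True if $path lies inside one of the open_basedir entries.
// Compares on directory boundaries only; symlinks are not resolved.
function path_allowed($path, $openBasedir)
{
    if ($openBasedir === '' || $openBasedir === false) {
        return true; // no restriction configured
    }
    $path = rtrim($path, '/') . '/';
    foreach (array_filter(explode(PATH_SEPARATOR, $openBasedir)) as $base) {
        if (strpos($path, rtrim($base, '/') . '/') === 0) {
            return true;
        }
    }
    return false;
}

// Return the subset of $extensions that is not loaded in this PHP build.
function missing_extensions(array $extensions)
{
    return array_values(array_filter($extensions, function ($ext) {
        return !extension_loaded($ext);
    }));
}

foreach ($required as $plugin => $extensions) {
    $missing = missing_extensions($extensions);
    echo $plugin, ': ', $missing ? 'missing ' . implode(', ', $missing) : 'extensions ok', "\n";
}

$openBasedir = ini_get('open_basedir');
// ini_get() returns false for safe_mode on PHP >= 5.4, where the setting was removed.
$safeMode = filter_var(ini_get('safe_mode'), FILTER_VALIDATE_BOOLEAN);
echo 'safe_mode: ', $safeMode ? 'on' : 'off', "\n";
echo 'open_basedir: ', $openBasedir ? $openBasedir : '(unset)', "\n";

// Directories a plugin may try to write to; /var/tmp is the one named in the list above.
foreach (array('/var/tmp', sys_get_temp_dir()) as $dir) {
    echo $dir, ': ', path_allowed($dir, $openBasedir) ? 'allowed' : 'blocked by open_basedir', "\n";
}
```

Run it through the same SAPI and php.ini as the WordPress site (not the CLI defaults), since extension and open_basedir settings often differ between the two.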
