Fixes #6141 - Warnings when print_r() is disabled for security reasons#6176
Fixes #6141 - Warnings when print_r() is disabled for security reasons#6176jimmyandrade wants to merge 5 commits intoAutomattic:masterfrom jimmyandrade:master
Conversation
Fixes a warning when a visitor submit a contact form in a website hosted with print_r disabled. (Jetpack Contact Form uses print_r to store all values in Feedback post content so that search will pick up this data).
There was a problem hiding this comment.
Honestly, this is way too complicated of a solution for a rare server configuration. If anything, I'd suggest possibly doing something like ...
$all_values_string = apply_filters( 'grunion_print_r_all_values', @print_r( $all_values, true ), $all_values );and then dropping $all_values into the line below instead. The @ should silence any warnings you may get, and the filter would let you rebuild the string for searchability manually as the code is intended to behave.
But in either case, I'm not sure if it's a good idea for us to set a precedent of working around disabling basic functions of a language.
| } | ||
|
|
||
| $post_content_string = $comment_content . "\n<!--more-->\n" . "AUTHOR: {$comment_author}\n | ||
| AUTHOR EMAIL: {$comment_author_email}\n |
There was a problem hiding this comment.
The prior string used to insert just a \n between lines, the new code does that and then also does an actual new line (I've not examined it closely enough to identify if it's \r\n or just another \n) followed by tabs. This would change it so that the formatting is not consistent with the prior entries. :\
While it is more readable in code, it's less reliable for any code trying to parse out the content (not the best way to do things, but the things I've seen ...)
There was a problem hiding this comment.
Another thing I had not paid attention to.
To keep the code readable while avoiding inconsistency in formatting, I switched to:
$post_content_string = $comment_content . "\n<!--more-->\n"
. "AUTHOR: {$comment_author}\n"
. "AUTHOR EMAIL: {$comment_author_email}\n"
. "AUTHOR URL: {$comment_author_url}\n"
. "SUBJECT: {$subject}\n"
. "IP: {$comment_author_IP}\n"
. $all_values_string;| * with this work around. */ | ||
| add_filter( 'wp_insert_post_data', array( $plugin, 'insert_feedback_filter' ), 10, 2 ); | ||
|
|
||
| $disabled_functions = explode( ',', ini_get( 'disable_functions' ) ); |
There was a problem hiding this comment.
Not the best way to do this. Any item in disable_functions can be detected as disabled by testing it against function_exists() as per https://secure.php.net/manual/en/function.function-exists.php#67947
We won't be able to redefine it, but it's a tidier way to check.
There was a problem hiding this comment.
Hey @georgestephanis. Thanks for all the feedback.
Firstly, about "rare server configuration". As I said before, Locaweb is one of the most common hosting providers in Brazil, and some of accounts are configured with print_r disabled. It is possible that other people will experience this same problem.
Regarding the use of the filter, it is really a better strategy...
$all_values_string = apply_filters( 'grunion_print_all_values', @print_r( $all_values, true ), $all_values );I did not really know that function_exists detected disabled functions, so because of your hint I've switched to:
if ( function_exists( 'print_r' ) ) {
// ...
}| $all_values_string = print_r( $all_values, true ); | ||
| } | ||
| // If print_r is disabled, try to use var_export as an alternative solution | ||
| elseif ( ! in_array( 'var_export', $disabled_functions ) ) { |
There was a problem hiding this comment.
As per WP Coding Style, conditionals should be on the same line as the prior closing brace. So this line should be:
} elseif ( ! in_array( 'var_export', $disabled_functions ) ) {with the comment either at the end of the line, or below and indented.
There was a problem hiding this comment.
Thank you! I had not realized that.
| $all_values_string = var_export( $all_values, true ); | ||
| } | ||
| else { | ||
| $all_values_string = ''; |
There was a problem hiding this comment.
If neither print_r or var_export are available, shouldn't this manually iterate through and build the string itself for searchability, rather than just setting it to empty?
There was a problem hiding this comment.
It is true. So, I wrote something like this:
$all_values_string = "Array\n(\n";
foreach ( $all_values as $key => $value ) {
$all_values_string .= "\t[$key] => $value\n";
}
$all_values_string .= ')';* Adds the @ to silence any warnings on print_r or var_export; * Adds a filter that let developers rebuild Feedback post string for searchability manually as the code is intended to behave; * Using function_exists() instead of ini_get( 'disable_functions' ) to detect if a function has been disabled; * Fixing WP Coding Style issues about conditionals and closing braces; * Added a way to iterate through Feedback data array when print_r and var_export are disabled; * Fixing an issue that could cause Feedback data formatting being not consistent, but maintaining the code readability.
jeherve
left a comment
There was a problem hiding this comment.
Thanks for taking the time to apply those changes! I have a few remarks that I added inline below. I hope this helps!
I also wanted to address your concern:
Firstly, about "rare server configuration". As I said before, Locaweb is one of the most common hosting providers in Brazil, and some of accounts are configured with
print_rdisabled. It is possible that other people will experience this same problem.
This makes me wonder if you're on an old server that hasn't been updated. The Contact Form module was introduced in Jetpack more than 4 years ago, and was available as a stand-alone plugin before that. Yet that's the first report we've had about this bug.
It might be worth asking your hosting provider if they would consider moving you to a different server where print_r isn't disabled.
| // Avoid warnings when print_r() has been disabled on hosting provider for security reasons | ||
| // function_exists will return false for functions disabled with the disable_functions ini directive | ||
| if ( function_exists( 'print_r' ) ) { | ||
| $all_values_string = apply_filters( 'grunion_print_all_values', @print_r( $all_values, true ), $all_values ); |
There was a problem hiding this comment.
Could you add a docblock before the new filter? Here is an example:
https://github.com/jimmyandrade/jetpack/blob/fa1c63e9ee9b0a2d21a0855e5f582574888554be/modules/contact-form/grunion-contact-form.php#L526-L535
You can learn more about Hook documentation standards here:
https://make.wordpress.org/core/handbook/best-practices/inline-documentation-standards/php/#4-hooks-actions-and-filters
There was a problem hiding this comment.
Yes, I did that. Thank you so much.
|
Honestly, I'm not sure if the filter is even necessary. Couldn't folks just use a core filter on insert posts of the respective post type to append the fields? I'm unsure offhand if there'd a scope concern there. |
|
@georgestephanis, I confess that I do not know the WP core filters very well. Just like you, I'm not sure either. Well... I decided to keep this filter because it might be that someone wants to customize |
* Now, function_exists is being used in a more expressive way; * When both the print_r and var_export functions are disabled, printing of the variables will be in charge of the filter grunion_print_all_values; * Added a docblock before the new grunion_print_all_values filter.
|
Awaiting review after the latest proposed changes... |
|
@jimmyandrade Can you give #6234 a shot and see if that resolves your issue please? |
|
Replaced by #6234 |
Fixes #6141 - Warnings when print_r() is disabled for security reasons
Changes proposed in this Pull Request: