Debian Bug report logs - #686228
wordpress: plugin dirs cannot be symlinked due to plugin_basename bug

version graph

Package: wordpress; Maintainer for wordpress is Craig Small <csmall@debian.org>; Source for wordpress is src:wordpress.

Reported by: Oskar Liljeblad <oskar@osk.mine.nu>

Date: Thu, 30 Aug 2012 08:57:02 UTC

Severity: normal

Found in version wordpress/3.4.1+dfsg-1

Fixed in version wordpress/3.4.2+dfsg-1

Done: Raphaël Hertzog <hertzog@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://core.trac.wordpress.org/ticket/16953

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#686228; Package wordpress. (Thu, 30 Aug 2012 08:57:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Oskar Liljeblad <oskar@osk.mine.nu>:
New Bug report received and forwarded. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Thu, 30 Aug 2012 08:57:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Oskar Liljeblad <oskar@osk.mine.nu>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wordpress: plugin dirs cannot be symlinked due to plugin_basename bug
Date: Thu, 30 Aug 2012 10:27:03 +0200
Package: wordpress
Version: 3.4.1+dfsg-1
Severity: normal

With the current Debian WordPress directory layout with
/usr/share/wordpress/wp-content and /var/lib/wordpress/wp-content
(and perhaps /var/www/yoursite/wp-content) it is
basically implied that you should symlink plugin directories.
Now most plugins use plugin_basename(__FILE__) to determine their basename.
It is assumed that this function returns a relative directory, but it doesn't
if the plugin is not "physically located" in WP_PLUGIN_DIR (or WPMU_PLUGIN_DIR).
(With physically located I mean located according to realpath (without
symlinks) - the plugin may still be reachable through WP_PLUGIN_DIR.)

This patch fixes the problem but it is crude. I can imagine that there is a
better fix.  Perhaps plugins should not use __FILE__ to refer to their
location, but it seems most do.

Regards,

Oskar Liljeblad (oskar@osk.mine.nu)

--- /usr/share/wordpress/wp-includes/plugin.php.v0      2012-08-30 07:53:17.170461007 +0000
+++ /usr/share/wordpress/wp-includes/plugin.php 2012-08-30 08:10:05.126459994 +0000
@@ -565,6 +565,11 @@
        $mu_plugin_dir = str_replace('\\','/',WPMU_PLUGIN_DIR); // sanitize for Win32 installs
        $mu_plugin_dir = preg_replace('|/+|','/', $mu_plugin_dir); // remove any duplicate slash
        $file = preg_replace('#^' . preg_quote($plugin_dir, '#') . '/|^' . preg_quote($mu_plugin_dir, '#') . '/#','',$file); // get relative path from plugins dir
+       # Begin Oskar Liljeblad <oskar@vergic.com> 2012-08-30
+       $sys_plugin_dir1 = '/usr/share/wordpress/wp-content/plugins';
+       $sys_plugin_dir2 = '/var/lib/wordpress/wp-content/plugins';
+       $file = preg_replace('#^' . preg_quote($sys_plugin_dir1, '#') . '/|^' . preg_quote($sys_plugin_dir2, '#') . '/#','',$file); // get relative path from plugins dir
+       # End Oskar Liljeblad <oskar@vergic.com> 2012-08-30
        $file = trim($file, '/');
        return $file;
 }



-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#686228; Package wordpress. (Thu, 30 Aug 2012 09:27:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Thu, 30 Aug 2012 09:27:05 GMT) Full text and rfc822 format available.

Message #10 received at 686228@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Oskar Liljeblad <oskar@osk.mine.nu>, 686228@bugs.debian.org
Subject: Re: Bug#686228: wordpress: plugin dirs cannot be symlinked due to plugin_basename bug
Date: Thu, 30 Aug 2012 11:23:18 +0200
On Thu, 30 Aug 2012, Oskar Liljeblad wrote:
> Now most plugins use plugin_basename(__FILE__) to determine their basename.
> It is assumed that this function returns a relative directory, but it doesn't
> if the plugin is not "physically located" in WP_PLUGIN_DIR (or WPMU_PLUGIN_DIR).
> (With physically located I mean located according to realpath (without
> symlinks) - the plugin may still be reachable through WP_PLUGIN_DIR.)

The default value of WP_PLUGIN_DIR is (see wp-includes/default-constants.php):

    define( 'WP_PLUGIN_DIR', WP_CONTENT_DIR .  '/plugins' ); // full path, no trailing slash

And the default value of WP_CONTENT_DIR with the official Debian package
is /var/lib/wordpress/wp-content so WP_PLUGIN_DIR points to
"/var/lib/wordpress/wp-content/plugins".

Given the above, I believe that there should be no problems. Please check
that you have a correct version of /usr/share/wordpress/wp-config.php.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#686228; Package wordpress. (Thu, 30 Aug 2012 09:54:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Oskar Liljeblad <oskar@osk.mine.nu>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Thu, 30 Aug 2012 09:54:03 GMT) Full text and rfc822 format available.

Message #15 received at 686228@bugs.debian.org (full text, mbox):

From: Oskar Liljeblad <oskar@osk.mine.nu>
To: Raphael Hertzog <hertzog@debian.org>
Cc: 686228@bugs.debian.org
Subject: Re: Bug#686228: wordpress: plugin dirs cannot be symlinked due to plugin_basename bug
Date: Thu, 30 Aug 2012 11:33:25 +0200
On Thursday, August 30, 2012 at 11:18, Raphael Hertzog wrote:
> > Now most plugins use plugin_basename(__FILE__) to determine their basename.
> > It is assumed that this function returns a relative directory, but it doesn't
> > if the plugin is not "physically located" in WP_PLUGIN_DIR (or WPMU_PLUGIN_DIR).
> > (With physically located I mean located according to realpath (without
> > symlinks) - the plugin may still be reachable through WP_PLUGIN_DIR.)
> 
> The default value of WP_PLUGIN_DIR is (see wp-includes/default-constants.php):
> 
>     define( 'WP_PLUGIN_DIR', WP_CONTENT_DIR .  '/plugins' ); // full path, no trailing slash
> 
> And the default value of WP_CONTENT_DIR with the official Debian package
> is /var/lib/wordpress/wp-content so WP_PLUGIN_DIR points to
> "/var/lib/wordpress/wp-content/plugins".
> 
> Given the above, I believe that there should be no problems. Please check
> that you have a correct version of /usr/share/wordpress/wp-config.php.

Looking at the bundled plugin, akismet, I see in
/usr/share/wordpress/wp-content/plugins/akismet/admin.php at least one
plugin_basename(__FILE__).

Wouldn't this cause a problem because

  plugin_basename("/usr/share/wordpress/wp-content/plugins/akismet/admin.php")

with

  WP_PLUGIN_DIR = "/var/lib/wordpress/wp-content/plugins"

would return

  "/usr/share/wordpress/wp-content/plugins/akismet/admin.php"

And that is not a basename - it's an absolute path...

Oskar



Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#686228; Package wordpress. (Thu, 30 Aug 2012 10:48:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Thu, 30 Aug 2012 10:48:03 GMT) Full text and rfc822 format available.

Message #20 received at 686228@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Oskar Liljeblad <oskar@osk.mine.nu>
Cc: 686228@bugs.debian.org
Subject: Re: Bug#686228: wordpress: plugin dirs cannot be symlinked due to plugin_basename bug
Date: Thu, 30 Aug 2012 12:43:51 +0200
Hi,

On Thu, 30 Aug 2012, Oskar Liljeblad wrote:
> > Given the above, I believe that there should be no problems. Please check
> > that you have a correct version of /usr/share/wordpress/wp-config.php.
> 
> Looking at the bundled plugin, akismet, I see in
> /usr/share/wordpress/wp-content/plugins/akismet/admin.php at least one
> plugin_basename(__FILE__).
> 
> Wouldn't this cause a problem because
> 
>   plugin_basename("/usr/share/wordpress/wp-content/plugins/akismet/admin.php")
> 
> with
> 
>   WP_PLUGIN_DIR = "/var/lib/wordpress/wp-content/plugins"
> 
> would return
> 
>   "/usr/share/wordpress/wp-content/plugins/akismet/admin.php"
> 
> And that is not a basename - it's an absolute path...

Right, it looks like we have to enhance plugin_basename() to be aware of the
two possible locations of plugins. :-|

I wonder if there are other similar pitfalls with this design choice.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



Set Bug forwarded-to-address to 'http://core.trac.wordpress.org/ticket/16953'. Request was from Raphaël Hertzog <hertzog@debian.org> to control@bugs.debian.org. (Wed, 12 Sep 2012 12:24:03 GMT) Full text and rfc822 format available.

Reply sent to Raphaël Hertzog <hertzog@debian.org>:
You have taken responsibility. (Wed, 12 Sep 2012 13:21:06 GMT) Full text and rfc822 format available.

Notification sent to Oskar Liljeblad <oskar@osk.mine.nu>:
Bug acknowledged by developer. (Wed, 12 Sep 2012 13:21:06 GMT) Full text and rfc822 format available.

Message #27 received at 686228-close@bugs.debian.org (full text, mbox):

From: Raphaël Hertzog <hertzog@debian.org>
To: 686228-close@bugs.debian.org
Subject: Bug#686228: fixed in wordpress 3.4.2+dfsg-1
Date: Wed, 12 Sep 2012 13:17:59 +0000
Source: wordpress
Source-Version: 3.4.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
wordpress, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 686228@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Raphaël Hertzog <hertzog@debian.org> (supplier of updated wordpress package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 12 Sep 2012 14:52:14 +0200
Source: wordpress
Binary: wordpress wordpress-l10n
Architecture: source all
Version: 3.4.2+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Giuseppe Iuculano <iuculano@debian.org>
Changed-By: Raphaël Hertzog <hertzog@debian.org>
Description: 
 wordpress  - weblog manager
 wordpress-l10n - weblog manager - language files
Closes: 684628 686228
Changes: 
 wordpress (3.4.2+dfsg-1) unstable; urgency=low
 .
   * New upstream security & bugfix release.
   * Also setup languages symlink in setup-mysql. Closes: #684628
     Thanks to Jun NOGATA <nogajun@gmail.com> for the analysis.
   * Add new patch 011support-symlinks-for-plugins.patch grabbed
     in the upstream ticket to allow plugin directories to be
     symlinks (which is required for the Debian package since
     we put symlinks in /var/lib/wordpress/wp-content/plugins/).
     Closes: #686228
Checksums-Sha1: 
 394e35d18c25b199d0234884f91f0ad9c43c7bd4 2298 wordpress_3.4.2+dfsg-1.dsc
 64b160e16a9487557365870e28698b12cc6f1a9f 3857776 wordpress_3.4.2+dfsg.orig.tar.xz
 c36afeb1d74f32016b2f6e7e2c588e4379b99ed2 3895868 wordpress_3.4.2+dfsg-1.debian.tar.xz
 bd13845ce1d2febf790d19ad6180e630cf060ebc 4221826 wordpress_3.4.2+dfsg-1_all.deb
 a794bd3fd8878909df4c1d641c770db1817c5360 6438028 wordpress-l10n_3.4.2+dfsg-1_all.deb
Checksums-Sha256: 
 af14a378ab3dec1f908f0ac5353e756b60eb553878937e8c02f718436b460b3d 2298 wordpress_3.4.2+dfsg-1.dsc
 a2fd8c183a6a3e54727ccf56a57fc9b96ff914a588a0087095a8ad83a8328aa1 3857776 wordpress_3.4.2+dfsg.orig.tar.xz
 2961b84edcd8365edb9842dfca2a1670706bdbe9043a3ccf22d1863729492e9d 3895868 wordpress_3.4.2+dfsg-1.debian.tar.xz
 3d5b58538a13887e53a69196f8cf688b642f0f3b0c95d6316b42cee2d1d78ffb 4221826 wordpress_3.4.2+dfsg-1_all.deb
 eaa80006037982c3be745af1642ee9d31a9cd6ca3d99dd657982016459344cc4 6438028 wordpress-l10n_3.4.2+dfsg-1_all.deb
Files: 
 f2973d445328ed40f2f5d9708eec8edc 2298 web optional wordpress_3.4.2+dfsg-1.dsc
 0d317d89860680192478ac1c170371a4 3857776 web optional wordpress_3.4.2+dfsg.orig.tar.xz
 d18e2ddfc5dfbd93b9fb532fcc97f250 3895868 web optional wordpress_3.4.2+dfsg-1.debian.tar.xz
 f2c8701d0bc352596a801b2943702fe2 4221826 web optional wordpress_3.4.2+dfsg-1_all.deb
 c95ce9bc8a100c176f6ac857110982db 6438028 localization optional wordpress-l10n_3.4.2+dfsg-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Signed by Raphael Hertzog

iQIcBAEBCAAGBQJQUIfPAAoJEOYZBF3yrHKaYkYQAJgt6wT3s+K/umLsOXUwSUbJ
mN4QmYjfFYYO3gmTtKqZ6dsaBUHsHmqIikXEkuOpOSXMvor7Vrmq/eHjyCVr462W
DgpYi6SjE3WFOw+aTRmYW5G4kmXKa+vHQlI612CNiRigFICyB6jeR36Dfg5mIxom
5pB6vLsUbXpdinMh6neHISr24dvhodevGaHT5Hq1teiOfgpn1LVBw7pg7tSNP5c3
CUsKw1GhG1QXTSDa/rS8LaSLwdFKXuDe5I/UNbSrQYSkLN+mXL3/H8VXQTg6Lgc3
V2oiv6MdwCKMUOEnAIFZvFD9P6t9rK5U2pXaFBaXBv80WdVGU9gE8aSd6GgzyqyK
NcLkqHmng4jbCbWeVrjom4LZ97dXX3OF5NXmHtYuKl5L0kfgs5wYbQiGG3JK+1Wu
p54YVHcyQ8cnSUhfI3RTX2qMsbE48spLMKAkHt3EGaGfLKYxOEKbKIPi3wYZaLT2
pAh/TjiiVBppfAusvz2FDZ8c6eZTKZg7HcQO+f5HZiFQSlX5sHzKoCAwlJ/kOmQR
8LyzJGs40xhMDRvyItumRJFj6rvu4G7QXEBszLaMzRp2wxRiYKIBkbx5uNrH5aAc
vvnYJOXgpiQj3sdK3rNVB55D5DM/uVDpgDC7K4zv3RTlWhz0Qz586vIKzNrKbibl
FaKj0658ci7YOqv0cuJX
=3iHN
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#686228; Package wordpress. (Wed, 12 Sep 2012 13:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Wed, 12 Sep 2012 13:36:03 GMT) Full text and rfc822 format available.

Message #32 received at 686228@bugs.debian.org (full text, mbox):

From: Raphael Hertzog <hertzog@debian.org>
To: Oskar Liljeblad <oskar@osk.mine.nu>
Cc: 686228@bugs.debian.org
Subject: Re: Bug#686228: wordpress: plugin dirs cannot be symlinked due to plugin_basename bug
Date: Wed, 12 Sep 2012 15:34:09 +0200
Hello,

On Thu, 30 Aug 2012, Raphael Hertzog wrote:
> Right, it looks like we have to enhance plugin_basename() to be aware of the
> two possible locations of plugins. :-|

I released 3.4.2+dfsg-1 with a fix for this issue. Can you verify whether
the fix works for you?

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Get the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/



Information forwarded to debian-bugs-dist@lists.debian.org, Giuseppe Iuculano <iuculano@debian.org>:
Bug#686228; Package wordpress. (Thu, 11 Oct 2012 11:39:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Oskar Liljeblad <oskar@osk.mine.nu>:
Extra info received and forwarded to list. Copy sent to Giuseppe Iuculano <iuculano@debian.org>. (Thu, 11 Oct 2012 11:39:06 GMT) Full text and rfc822 format available.

Message #37 received at 686228@bugs.debian.org (full text, mbox):

From: Oskar Liljeblad <oskar@osk.mine.nu>
To: Raphael Hertzog <hertzog@debian.org>
Cc: 686228@bugs.debian.org
Subject: Re: Bug#686228: wordpress: plugin dirs cannot be symlinked due to plugin_basename bug
Date: Thu, 11 Oct 2012 13:04:37 +0200
On Wednesday, September 12, 2012 at 15:09, Raphael Hertzog wrote:

> > Right, it looks like we have to enhance plugin_basename() to be aware of the
> > two possible locations of plugins. :-|
> 
> I released 3.4.2+dfsg-1 with a fix for this issue. Can you verify whether
> the fix works for you?

It seems to work. Thanks!

Oskar



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 09 Nov 2012 07:26:38 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 11:11:05 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.