Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#1 2023-04-20 14:48:12

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,277
GitHub

Will Textpattern break if allow_url_fopen in PHP is set to 'off'?

I’m going into some murky corners of web server security, and I’m considering setting allow_url_fopen to off in PHP. Are there are red flag considerations from a Textpattern functionality angle? Will stuff explode?

Offline

#2 2023-04-24 10:56:22

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,277
GitHub

Re: Will Textpattern break if allow_url_fopen in PHP is set to 'off'?

Do we use allow_url_fopen for the version update check?

Offline

#3 2023-04-24 11:08:28

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,468
Website GitHub

Re: Will Textpattern break if allow_url_fopen in PHP is set to 'off'?

Sorry, I meant to reply to this.

Stuff shouldn’t break per se because I hope there’s enough defensive code in place to gracefully fail in the absence of the wrappers. But it would be a great test to see what happens when it’s turned off.

Certainly update checks try to access URLs directly as files. It’s supposed to fall back to cURL and then just fail gracefully if neither are available. Same with the 4.9.0 plugin update checks, which are based on the same code. Possibly reading plugin manifests too.

In 4.9, you also won’t be able to drag plugins from URL to install them. Same with the com_article_image plugin. Images will need to be downloaded first and dropped onto articles to upload them, as server to server via URL won’t work.

There may also be some theme related stuff that relies on it, e.g. when writing assets to and from disk, exporting themes and such like. I’m not sure how far reaching that setting is.

If it’s a sandbox environment, give it a whirl and see what happens. If it borks anywhere, by all means file issues and I’ll see if we can work around them.

Last edited by Bloke (2023-04-24 11:10:22)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#4 2023-04-24 11:10:42

phiw13
Plugin Author
From: Japan
Registered: 2004-02-27
Posts: 3,220
Website

Re: Will Textpattern break if allow_url_fopen in PHP is set to 'off'?

I’ve seen it in use in a plug-in (glz_custum_fields) while it was checking the URL of custom scripts, etc.


Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern

Offline

#5 2023-04-24 11:38:42

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,277
GitHub

Re: Will Textpattern break if allow_url_fopen in PHP is set to 'off'?

Bloke wrote #335354:

If it’s a sandbox environment, give it a whirl and see what happens. If it borks anywhere, by all means file issues and I’ll see if we can work around them.

Nice one, thanks Bloke. To be continued.

Offline

#6 2023-04-24 11:58:19

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,277
GitHub

Re: Will Textpattern break if allow_url_fopen in PHP is set to 'off'?

OK, I’ve done the deed on php-next-demo.textpattern.co/dev/ and it will survive the splat-and-rebuild every three hours. I’m sure there was a way to force a check on version.json but I can’t find it – forum search only shows 1 post for ‘version.json’ which is clearly wrong, so I’m re-running the forum indexing now.

Offline

#7 2023-04-24 12:11:43

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,277
GitHub

Re: Will Textpattern break if allow_url_fopen in PHP is set to 'off'?

I’ve opened github.com/textpattern/textpattern/issues/1871 for consideration – not related to a problem as such, more an enhancement to make life a little easier if we’re debugging.

Last edited by gaekwad (2023-04-24 12:14:34)

Offline

#8 2023-04-24 14:51:33

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 11,468
Website GitHub

Re: Will Textpattern break if allow_url_fopen in PHP is set to 'off'?

The only issue with doing that is the round trip delay, which – if the remote access is not working for some reason – will delay loading the Diagnostics panel. That’s kind of fine for a one off every hour or so, but if it’s every page load, it might start to grate if you’re debugging.

If it totally can’t fetch the remote resource, I think it’s a ten second timeout by default, if memory serves. Might be wrong, so we can certainly try it out under various situations and maybe adjust the timeout prior to the call.


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp

Offline

#9 2023-04-24 15:53:41

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,277
GitHub

Re: Will Textpattern break if allow_url_fopen in PHP is set to 'off'?

Bloke wrote #335359:

The only issue with doing that is the round trip delay, which – if the remote access is not working for some reason – will delay loading the Diagnostics panel. That’s kind of fine for a one off every hour or so, but if it’s every page load, it might start to grate if you’re debugging.

Ah, yes – good point, well made.

Offline

Board footer

Powered by FluxBB