Textpattern CMS support forum
Will Textpattern break if allow_url_fopen in PHP is set to 'off'?
I’m going into some murky corners of web server security, and I’m considering setting allow_url_fopen to off in PHP. Are there any red flag considerations from a Textpattern functionality angle? Will stuff explode?
Re: Will Textpattern break if allow_url_fopen in PHP is set to 'off'?
Do we use allow_url_fopen for the version update check?
Re: Will Textpattern break if allow_url_fopen in PHP is set to 'off'?
Sorry, I meant to reply to this.
Stuff shouldn’t break per se because I hope there’s enough defensive code in place to gracefully fail in the absence of the wrappers. But it would be a great test to see what happens when it’s turned off.
Certainly update checks try to access URLs directly as files. It’s supposed to fall back to cURL and then just fail gracefully if neither are available. Same with the 4.9.0 plugin update checks, which are based on the same code. Possibly reading plugin manifests too.
In 4.9, you also won’t be able to drag plugins from URL to install them. Same with the com_article_image plugin. Images will need to be downloaded first and dropped onto articles to upload them, as server to server via URL won’t work.
There may also be some theme related stuff that relies on it, e.g. when writing assets to and from disk, exporting themes and such like. I’m not sure how far reaching that setting is.
If it’s a sandbox environment, give it a whirl and see what happens. If it borks anywhere, by all means file issues and I’ll see if we can work around them.
Last edited by Bloke (2023-04-24 11:10:22)
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Re: Will Textpattern break if allow_url_fopen in PHP is set to 'off'?
I’ve seen it in use in a plug-in (glz_custom_fields) while it was checking the URL of custom scripts, etc.
Where is that emoji for a solar powered submarine when you need it ?
Sand space – admin theme for Textpattern
Re: Will Textpattern break if allow_url_fopen in PHP is set to 'off'?
Bloke wrote #335354:
If it’s a sandbox environment, give it a whirl and see what happens. If it borks anywhere, by all means file issues and I’ll see if we can work around them.
Nice one, thanks Bloke. To be continued.
Re: Will Textpattern break if allow_url_fopen in PHP is set to 'off'?
OK, I’ve done the deed on php-next-demo.textpattern.co/dev/ and it will survive the splat-and-rebuild every three hours. I’m sure there was a way to force a check on version.json but I can’t find it – forum search only shows 1 post for ‘version.json’ which is clearly wrong, so I’m re-running the forum indexing now.
Re: Will Textpattern break if allow_url_fopen in PHP is set to 'off'?
I’ve opened github.com/textpattern/textpattern/issues/1871 for consideration – not related to a problem as such, more an enhancement to make life a little easier if we’re debugging.
Last edited by gaekwad (2023-04-24 12:14:34)
Re: Will Textpattern break if allow_url_fopen in PHP is set to 'off'?
The only issue with doing that is the round trip delay, which – if the remote access is not working for some reason – will delay loading the Diagnostics panel. That’s kind of fine for a one off every hour or so, but if it’s every page load, it might start to grate if you’re debugging.
If it totally can’t fetch the remote resource, I think it’s a ten second timeout by default, if memory serves. Might be wrong, so we can certainly try it out under various situations and maybe adjust the timeout prior to the call.
Re: Will Textpattern break if allow_url_fopen in PHP is set to 'off'?
Bloke wrote #335359:
The only issue with doing that is the round trip delay, which – if the remote access is not working for some reason – will delay loading the Diagnostics panel. That’s kind of fine for a one off every hour or so, but if it’s every page load, it might start to grate if you’re debugging.
Ah, yes – good point, well made.
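The fallback order discussed in this thread (URL wrappers first, then cURL, then a graceful failure, all under a bounded timeout), as an added example that is not Textpattern's own code. The function name fetch_remote() and the example.com URL are hypothetical, and the ten second default only mirrors the figure recalled above.

```php
<?php
// Added example, not Textpattern code. fetch_remote() and the URL are hypothetical.

/**
 * Fetch a small remote document, or return null when no transport is usable.
 * Worst case the caller waits roughly 2 x $timeout (wrapper attempt, then cURL),
 * which is the page-load delay to budget for when the remote host is unreachable.
 */
function fetch_remote(string $url, int $timeout = 10): ?string
{
    // Accept HTTPS only, so file:// or php:// style URLs never reach a transport.
    if (strtolower((string) parse_url($url, PHP_URL_SCHEME)) !== 'https') {
        return null;
    }

    // 1. URL wrappers, attempted only when allow_url_fopen is enabled.
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $context = stream_context_create(['http' => ['timeout' => $timeout]]);
        $body = @file_get_contents($url, false, $context);
        if ($body !== false) {
            return $body;
        }
    }

    // 2. cURL, attempted only when the extension is loaded.
    if (function_exists('curl_init')) {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_CONNECTTIMEOUT => $timeout,
            CURLOPT_TIMEOUT        => $timeout,
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        ]);
        $body   = curl_exec($ch);
        $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        if (is_string($body) && $status === 200) {
            return $body;
        }
    }

    // 3. Neither transport worked: report "no data" instead of raising an error.
    return null;
}

$json = fetch_remote('https://example.com/version.json', 5);
echo $json === null
    ? "Update check skipped: no remote access\n"
    : 'Fetched ' . strlen($json) . " bytes\n";
```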