[wp-trac] [WordPress Trac] #54354: Open_basedir warnings on Classic Post edit screens with TinyMce plugins present, like TinyMce Advanced
WordPress Trac
noreply at wordpress.org
Fri Mar 31 14:39:44 UTC 2023
#54354: Open_basedir warnings on Classic Post edit screens with TinyMce plugins
present, like TinyMce Advanced
--------------------------+---------------------
Reporter: rembem | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: 6.3
Component: Editor | Version: 5.8.3
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
--------------------------+---------------------
Changes (by sabernhardt):
* milestone: Awaiting Review => 6.3
Old description:
> On Post Edit screens in the backend, multiple of these 2 PHP Warnings are
> triggered in the conditions described below:
>
> {{{
> is_file(): open_basedir restriction in effect. File(/en.js) is not within
> the allowed path(s):
> is_file(): open_basedir restriction in effect. File(/en_dlg.js) is not
> within the allowed path(s):
> }}}
>
> These warnings are triggered when:
>
> 1/ Open BaseDir restrictions are present on the server.
> 2/ Classic Editor plugin is used. Possibly also with Classic block in the
> block editor (not tested)
> 2/ There is a plugin or theme that adds functionality/buttons to TinyMce,
> for example if it adds one or more buttons to the editor. This happens
> for example when the plugin Advanced Editor Tools (previously TinyMCE
> Advanced) is installed. Many themes add shortcodes to the editor as
> buttons/dropdowns, etc.
>
> The warnings are caused by line 513 of includes/class-wp-editor.php:
>
> {{{
> $path = trailingslashit( realpath( $path ) );
> }}}
>
> Here is checked if a '/langs/' path is present for the TinyMce plugin.
> If no '/langs/' path is not present, realpath() returns false, resulting
> in a $path passed to is_file() that is outside the Open BaseDir allowed
> paths.
>
> A solution would be to build in a check: not check the language paths, if
> realpath() === false.
>
> Notes:
> - I see these warning with QueryMonitor Plugin. See attached screenshot
> - Possibly the warnings are also triggered in the block editor with the
> Classic block. Did not check. Also because Advanced Editor Tools
> (previously TinyMCE Advanced) is not working well yet with WP5.8.
> - The warnings are also there in WP 5.7.x as suppressed warnings.
> - The warnings are suppressed in PHP7.x, but not in PHP8
New description:
On Post Edit screens in the backend, multiple of these 2 PHP Warnings are
triggered in the conditions described below:
{{{
is_file(): open_basedir restriction in effect. File(/en.js) is not within
the allowed path(s):
is_file(): open_basedir restriction in effect. File(/en_dlg.js) is not
within the allowed path(s):
}}}
These warnings are triggered when:
1. Open BaseDir restrictions are present on the server.
2. Classic Editor plugin is used. Possibly also with Classic block in the
block editor (not tested)
3. There is a plugin or theme that adds functionality/buttons to TinyMCE,
for example if it adds one or more buttons to the editor. This happens for
example when the plugin Advanced Editor Tools (previously TinyMCE
Advanced) is installed. Many themes add shortcodes to the editor as
buttons/dropdowns, etc.
The warnings are caused by line 513 of `wp-includes/class-wp-editor.php`:
{{{
$path = trailingslashit( realpath( $path ) );
}}}
Here it is checked whether a `/langs/` path is present for the TinyMCE plugin.
If no `/langs/` path is present, `realpath()` returns false, resulting
in a `$path` passed to `is_file()` that is outside the Open BaseDir
allowed paths.
A solution would be to build in a check: do not check the language paths if
`realpath() === false`.
Notes:
- I see these warnings with the Query Monitor plugin. See attached screenshot.
- Possibly the warnings are also triggered in the block editor with the
Classic block. Did not check. Also because Advanced Editor Tools
(previously TinyMCE Advanced) is not working well yet with WP5.8.
- The warnings are also there in WP 5.7.x as suppressed warnings.
- The warnings are suppressed in PHP7.x, but not in PHP8
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54354#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
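
Added example, not part of the ticket or of WordPress core: a stand-alone PHP illustration of the failure described above (a false `realpath()` result turning into the root path `/`) next to the proposed `realpath() === false` guard. The function names, the `add_trailing_slash()` stand-in for `trailingslashit()`, and the temporary directories are assumptions made for illustration.

```php
<?php
// Added illustration; not WordPress core code. All function names are hypothetical.

// Stand-in for trailingslashit(): strip trailing slashes, then append one.
function add_trailing_slash( $value ) {
    return rtrim( (string) $value, '/\\' ) . '/';
}

// Unguarded: same pattern as the line quoted in the ticket.
function lang_candidates_unguarded( $plugin_dir, $locale ) {
    $path = add_trailing_slash( realpath( $plugin_dir . '/langs/' ) );
    // When realpath() returned false, $path is now "/", so the candidates
    // point at the filesystem root, outside any open_basedir allow-list.
    return array( $path . $locale . '.js', $path . $locale . '_dlg.js' );
}

// Guarded: stop before building any path when langs/ cannot be resolved.
function lang_candidates_guarded( $plugin_dir, $locale ) {
    $resolved = realpath( $plugin_dir . '/langs/' );
    if ( false === $resolved ) {
        return array(); // nothing for the caller to pass to is_file()
    }
    $path = add_trailing_slash( $resolved );
    return array( $path . $locale . '.js', $path . $locale . '_dlg.js' );
}

// Constructed sample: one plugin directory with langs/, one without.
$base = sys_get_temp_dir() . '/tinymce-demo-' . uniqid();
mkdir( $base . '/with-langs/langs', 0700, true );
mkdir( $base . '/no-langs', 0700, true );

foreach ( array( 'with-langs', 'no-langs' ) as $name ) {
    $unguarded = lang_candidates_unguarded( "$base/$name", 'en' );
    $guarded   = lang_candidates_guarded( "$base/$name", 'en' );
    echo $name, "\n";
    echo '  unguarded: ', implode( ', ', $unguarded ), "\n";
    echo '  guarded:   ', $guarded ? implode( ', ', $guarded ) : '(none, is_file() is never called)', "\n";
}

// Remove the constructed directories.
rmdir( "$base/with-langs/langs" );
rmdir( "$base/with-langs" );
rmdir( "$base/no-langs" );
rmdir( $base );
```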