Make WordPress Core

Opened 2 years ago

Closed 9 months ago

#54354 closed defect (bug) (fixed)

Open_basedir warnings on Classic Post edit screens with TinyMce plugins present, like TinyMce Advanced

Reported by: rembem's profile rembem Owned by: azaozz's profile azaozz
Milestone: 6.3 Priority: normal
Severity: normal Version: 5.8.3
Component: Editor Keywords: has-patch
Focuses: Cc:

Description (last modified by sabernhardt)

On Post Edit screens in the backend, multiple of these 2 PHP Warnings are triggered in the conditions described below:

is_file(): open_basedir restriction in effect. File(/en.js) is not within the allowed path(s): 
is_file(): open_basedir restriction in effect. File(/en_dlg.js) is not within the allowed path(s):

These warnings are triggered when:

  1. Open BaseDir restrictions are present on the server.
  2. Classic Editor plugin is used. Possibly also with Classic block in the block editor (not tested)
  3. There is a plugin or theme that adds functionality/buttons to TinyMCE, for example if it adds one or more buttons to the editor. This happens for example when the plugin Advanced Editor Tools (previously TinyMCE Advanced) is installed. Many themes add shortcodes to the editor as buttons/dropdowns, etc.

The warnings are caused by line 513 of wp-includes/class-wp-editor.php:

$path = trailingslashit( realpath( $path ) );

Here is checked if a /langs/ path is present for the TinyMCE plugin.
If no /langs/ path is not present, realpath() returns false, resulting in a $path passed to is_file() that is outside the Open BaseDir allowed paths.

A solution would be to build in a check: not check the language paths, if realpath() === false.

Notes:

  • I see these warning with Query Monitor Plugin. See attached screenshot
  • Possibly the warnings are also triggered in the block editor with the Classic block. Did not check. Also because Advanced Editor Tools (previously TinyMCE Advanced) is not working well yet with WP5.8.
  • The warnings are also there in WP 5.7.x as suppressed warnings.
  • The warnings are suppressed in PHP7.x, but not in PHP8

Attachments (3)

warning-class-wp-editor.jpg (234.9 KB) - added by rembem 2 years ago.
Screenshot QueryMonitor PHP warning
54354.diff (530 bytes) - added by MadtownLems 18 months ago.
Patch to fix attempts at opening non-existent language files that throw errors in some configurations
54354.1.diff (860 bytes) - added by azaozz 13 months ago.

Download all attachments as: .zip

Change History (14)

@rembem
2 years ago

Screenshot QueryMonitor PHP warning

#1 @MadtownLems
18 months ago

  • Version changed from 5.8.1 to 5.8.3

I'm experiencing the same errors. For me, they don't even need the Classic Editor. I'm getting them on a brand new post with the Block Editor.

It's caused by a very small custom plugin that enables rich text editing for Post Excerpts. Never saw the error before upgrading to PHP8/PHPFPM.

(Note: the error is on 6.0.3, but I can't select a version that high)

Last edited 18 months ago by MadtownLems (previous) (diff)

@MadtownLems
18 months ago

Patch to fix attempts at opening non-existent language files that throw errors in some configurations

This ticket was mentioned in Slack in #core-editor by madtownlems. View the logs.


18 months ago

#3 @MadtownLems
18 months ago

  • Keywords has-patch added

Tagging as "has-patch"

#4 @njsamsatli
13 months ago

Hi, thanks for this. I have the same error messages and applying the patch fixed it for me. Just wondering if this will make it into the next release and whether it's safe for me to keep the patch on my site.

#5 @sabernhardt
13 months ago

  • Description modified (diff)
  • Milestone changed from Awaiting Review to 6.3

@azaozz
13 months ago

#6 @azaozz
13 months ago

54354.diff looks okay imho. 54354.1.diff just saves the call to trailingslashit() if the directory doesn't exist or is not readable.

#7 @oglekler
10 months ago

  • Keywords needs-testing added

This ticket was mentioned in Slack in #core by oglekler. View the logs.


10 months ago

This ticket was mentioned in Slack in #core by audrasjb. View the logs.


9 months ago

#10 @azaozz
9 months ago

  • Keywords needs-testing removed

Re-testing this, seems to work fine and solve the reported problems.

#11 @azaozz
9 months ago

  • Owner set to azaozz
  • Resolution set to fixed
  • Status changed from new to closed

In 56235:

Editir: Fix open_basedir warnings on the classic Edit Post screen when additional TinyMCE plugins are used.

Props: rembem, MadtownLems, njsamsatli, sabernhardt, azaozz.
Fixes: #54354.

Note: See TracTickets for help on using tickets.