• Hi,

    We’re evaluating Wordfence with a view to becoming a premium user; however, there is one issue that concerns us.

    Our deployment model gives us multiple partition-style paths to WordPress, where at any given time only one PATH is active (live).
    We deploy new code in another path, and then can switch to it with minimal downtime.

    As we took a closer look at Wordfence, we realized that there are some hard-coded absolute paths in some of the files / configurations of Wordfence which would pose problems for our deployment.

    For example:
    The following was added to .user.ini

    ; Wordfence WAF
    auto_prepend_file = '/partition1/public/wordfence-waf.php'
    ; END Wordfence WAF

    Then there’s of course

    <?php
    // Before removing this file, please verify the PHP ini setting `auto_prepend_file` does not point to this.
    
    if (file_exists('/partition1/public/wp-content/plugins/wordfence/waf/bootstrap.php')) {
            define("WFWAF_LOG_PATH", '/partition1/public/wp-content/wflogs/');
            include_once '/partition1/public/wp-content/plugins/wordfence/waf/bootstrap.php';
    }

    Also wp-content/wflogs/config.php seems to have references to this path as well in some encoded form.

    Is there any way to have the paths replaced with relative paths rather than being hard-coded as absolute paths, which would break when we switch to partition2 or another?

    Thanks

    • This topic was modified 8 years, 6 months ago by 123lb.
Viewing 5 replies - 1 through 5 (of 5 total)
  • Hi,
    I know it’s quite impossible to use relative paths in .htaccess/.user.ini files and make them work as they should on all the different server environments out there.

    Regarding the paths in the “wordfence-waf.php” file, we have a ticket open (internal reference number: #FB6182) that should address this issue, but I’m not sure whether it will make it into a new version or what its ETA is, since some features might need further investigation and testing before they are implemented in the plugin.

    For now, you might consider disabling the firewall during deployment then configure it later on the live version of your website.

    Thanks.

    Thread Starter 123lb

    (@123lb)

    Thanks @wfalaa for the information, much appreciated.

    For now, you might consider disabling the firewall during deployment then configure it later on the live version of your website.

    Can the configuration be automated, or does that have to be manual?
    If manual only then it would be an issue.

    Would disabling the firewall get rid of those entries?
    Even the one in wp-content/wflogs/config.php?

    It would be easy to script updating .user.ini and wordfence-waf.php contents, I’m not too sure about wp-content/wflogs/config.php.

    Lastly, are there any hard-coded absolute paths stored in the DB?

    Thanks
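
The scripting idea raised in the post above, as an added example that is not part of the original thread and is not Wordfence code: it rewrites the partition prefix in `.user.ini` and `wordfence-waf.php`, then checks that every path in them resolves inside the live partition. Because `wordfence-waf.php` guards its include with `file_exists()`, a stale path produces no error and the firewall is simply never loaded, so the check works as a deploy gate. The names `retarget`, `stale_paths` and `demo` are hypothetical, the layout in `demo` is constructed, and the code assumes paths appear as quoted absolute strings as in the files quoted above.

```python
import re
import tempfile
from pathlib import Path

WAF_FILES = (".user.ini", "wordfence-waf.php")  # wflogs/config.php is not handled
QUOTED_ABS = re.compile(r"""(['"])(/[^'"]+)\1""")  # a quoted absolute path

def retarget(docroot, old_root, new_root):
    """Rewrite quoted paths under old_root so they point under new_root."""
    old = str(old_root).rstrip("/") + "/"
    new = str(new_root).rstrip("/") + "/"
    def swap(m):
        quote, path = m.group(1), m.group(2)
        if path.startswith(old):
            path = new + path[len(old):]
        return quote + path + quote
    for name in WAF_FILES:
        f = Path(docroot) / name
        f.write_text(QUOTED_ABS.sub(swap, f.read_text()))

def stale_paths(docroot, live_root):
    """List quoted paths that lie outside live_root or are missing on disk."""
    live = str(live_root).rstrip("/") + "/"
    problems = []
    for name in WAF_FILES:
        for _, path in QUOTED_ABS.findall((Path(docroot) / name).read_text()):
            if not path.startswith(live):
                problems.append(f"{name}: {path} is outside {live_root}")
            elif not Path(path).exists():
                problems.append(f"{name}: {path} does not exist")
    return problems

def demo():
    """Constructed layout: partition2 still carries partition1's paths."""
    base = Path(tempfile.mkdtemp())
    p1, p2 = base / "partition1/public", base / "partition2/public"
    waf_dir = p2 / "wp-content/plugins/wordfence/waf"
    waf_dir.mkdir(parents=True)
    (p2 / "wp-content/wflogs").mkdir()
    (waf_dir / "bootstrap.php").write_text("<?php\n")
    (p2 / ".user.ini").write_text(f"auto_prepend_file = '{p1}/wordfence-waf.php'\n")
    (p2 / "wordfence-waf.php").write_text(
        f"<?php\nif (file_exists('{p1}/wp-content/plugins/wordfence/waf/bootstrap.php')) {{\n"
        f"  define(\"WFWAF_LOG_PATH\", '{p1}/wp-content/wflogs/');\n"
        f"  include_once '{p1}/wp-content/plugins/wordfence/waf/bootstrap.php';\n}}\n")
    before = stale_paths(p2, p2)  # one entry per path still naming partition1
    retarget(p2, p1, p2)
    return before, stale_paths(p2, p2)
```

A non-empty result from `stale_paths` is a reason to stop the switch-over, since the site would otherwise go live with the firewall not loaded or loaded from the other partition.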

    Hi @123lb
    Sorry for replying here so late. I was going through all the threads I had replied to and noticed I missed this one by mistake; I apologize for that.

    – After checking the web application firewall constants we have, I think you might find the constant define('WFWAF_ENABLED', false); helpful in your case, as you showed interest in writing custom scripts that would handle that for you!

    – Yes, first I recommend clicking the “Remove Extended Protection” button at the bottom of the Firewall page, then you can disable the firewall to minimize the read/write rate from/to the configuration files in the “wflogs” directory.

    – No, the plugin doesn’t save hard-coded paths in the database.

    Thanks.

    I hit this bug today.

    Same here. Is there any movement on the internal ticket? Will using __DIR__ cause problems?


The topic ‘Hardcoded absolute path’ is closed to new replies.