patrickwgs
Forum Replies Created
Forum: Plugins
In reply to: [Query Monitor] Payload size
Ok thank you! I’ll see how I can leverage that 🙂
Forum: Plugins
In reply to: [WP REST Cache] Adding WooCommerce endpoint isn’t working
Ok so I’m an idiot in 2 folds:
1) I needed to add
add_filter( 'wp_rest_cache/skip_nonce_caching', '__return_false' );
2) this needs to go into mu-plugin, otherwise it’s too late when the theme’s function.php is loaded!
Thank you for that kickass plugin!
Using the filter works! I’m using Lambda’s temporary file so I’m not sure it’s a super good idea long term as this “cache” will have to be recreated all the time. However, it works for now.
But WordPress (and by extension, plugins) needs that write permission already, so I’m not sure if there’s a difference between uploads and plugins.
It does if you leave auto-updating on and keep a completely vanilla WordPress install. I don’t think anyone can argue that doing that in a serious production environment is a good idea. Most serious projects have the code in source control (including plugins) or use something like Bedrock to leverage composer.
In this case the site can (and should) be read only except for uploads
No, the plugin needs read & write access to that folder, not just for ‘cache’, but also for the attachment PDF files themselves (the email process needs to be able to read an actual file on the majority of setups).
To be clear, there is no problem writing and/or reading any kind of files here (PDF or otherwise). The problem stems from using require for a .php file which is disallowed because, in this case, the upload folder is a remote location.
Can you tell me how that’s riskier than requiring it from wp-content/plugins? The required permissions are the same.
Several problems, depending on the quality of the host.
1) Normally you’d expect PHP (at least for security minded people) production to have NO write permission on any source file of PHP. This way if a plugin is updated with a security issue, no files can be modified / created.
2) Even if 1 is taken care of, in shared environments, ideally each site would run a separate FPM *nix user. I suspect it’s largely not the case. This puts people at risk, since one hacked site can then change the php from every single upload directory on the server and inject its malicious payloads.
That’s the 2 things that come to mind but a more skilled infoSec would probably come with many other ideas 🙂
Thank you for creating the pull request – I’ll try the filter in the meantime!
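A way to check the two conditions raised in the reply above, as an added example that is not part of the original thread or of either plugin: it lists PHP files sitting under the uploads directory and PHP source files outside it that carry group or other write bits. The function names, the sample tree and the assumption that the PHP-FPM user is not the file owner (so its write access comes from group/other bits) are illustrative.

```python
import os
import stat
import tempfile


def audit_php_tree(root, uploads_rel="wp-content/uploads"):
    """Return (php_in_uploads, writable_source) as sorted relative paths.

    Assumption: PHP runs as a user that does not own the files, so any
    write access it has to source code comes from group/other write bits.
    """
    uploads = os.path.join(root, uploads_rel)
    php_in_uploads, writable_source = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.commonpath([uploads, path]) == uploads:
                # Executable code inside the one directory that must stay writable.
                php_in_uploads.append(rel)
            elif os.lstat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                # Source file that a non-owner process could modify.
                writable_source.append(rel)
    return sorted(php_in_uploads), sorted(writable_source)


def build_sample_tree():
    """Create a constructed sample layout (not taken from any real site)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    sample = {
        "wp-config.php": 0o640,
        "wp-content/plugins/example/example.php": 0o664,
        "wp-content/themes/example/functions.php": 0o644,
        "wp-content/uploads/2021/03/photo.jpg": 0o664,
        "wp-content/uploads/cache/template.php": 0o664,
    }
    for rel, mode in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("")
        os.chmod(path, mode)  # explicit mode so the umask does not matter
    return root


if __name__ == "__main__":
    in_uploads, writable = audit_php_tree(build_sample_tree())
    print("PHP files under uploads:", in_uploads)
    print("Group/other-writable PHP source:", writable)
```

On a Bedrock layout, pass the uploads path relative to the project root as `uploads_rel` instead of the default.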
I just realized the PDF creation isn’t working either.
wp-content/uploads is writable – the media library works as expected.
Is there a way to bypass this cache creation? It’s a little risky to have the plugin able to require a php file from wp-content/uploads, imho.
@nawawijamili Yup, that fixed it!
Thanks!
Sorry for the delay Nawali,
With the same config as above,
Config::define('DOCKET_CACHE_CONTENT_PATH','/var/www/html/wordpress/web/app/cache/docket-cache-content');
Config::define('DOCKET_CACHE_DATA_PATH','/var/www/html/wordpress/web/app/cache/docket-cache-data');
Config::define('DOCKET_CACHE_PATH','/var/www/html/wordpress/web/app/cache/docket-cache');
Config::define('DOCKET_CACHE_DISABLED', false);
Now it works, but DOCKET_CACHE_PATH is still not respected and puts it in the cache content folder:
Cache Writable      Yes
Cache Files Limit   410 / 50000
Cache Disk Limit    2M / 500M
Cache Path          /app/cache/docket-cache-content/cache/docket-cache
touch(): Utime failed: Operation not permitted app/plugins/docket-cache/includes/src/Filesystem.php is still there, however, line 500 this time.
Thanks!
I see this too on query monitor:
touch(): Utime failed: Operation not permitted app/plugins/docket-cache/includes/src/Filesystem.php:453
Probably related to permission issues
Fixed it. My production site is quite buttoned-down and permissions are tight. I think it couldn’t create the directories properly. I manually created the directories and it worked.
If I may suggest, it would be great to do a sanity check when you get on the config page and check if the directories exist and if not, the error message of why it wasn’t able to create it.
Thank you for the help!
Thanks – It was defined but set to false – I think it doesn’t check the value of the constant – only if defined.
I played around with the config files and the Cache path seems broken. This is what I have defined:
Config::define('DOCKET_CACHE_CONTENT_PATH','/var/www/html/wordpress/web/app/cache/docket-cache-content');
Config::define('DOCKET_CACHE_DATA_PATH','/var/www/html/wordpress/web/app/cache/docket-cache-data');
Config::define('DOCKET_CACHE_PATH','/var/www/html/wordpress/web/app/cache/docket-cache');
Yet Cache path seems incorrect:
Cache Path /app/cache/docket-cache-content/cache/docket-cache

Web Server                  nginx / 1.18.0
PHP SAPI                    7.4.15 / fpm-fcgi
Object Cache Stats          4M object of 2312 files
Object OPcache Stats        9M memory of 2109 files
WP OPcache Stats            105M memory of 4032 files
PHP Memory Limit            256M
WP Frontend Memory Limit    40M
WP Backend Memory Limit     256M
Drop-in Writable            Yes
Drop-in File                /app/cache/docket-cache-content/object-cache.php
Drop-in use Wrapper         Yes
Drop-in Wrapper Available   Yes
Drop-in Wrapper File        /app/object-cache.php
Cache Writable              Yes
Cache Files Limit           2312 / 50000
Cache Disk Limit            6M / 500M
Cache Path                  /app/cache/docket-cache-content/cache/docket-cache
Config Writable             Yes
Config Path                 /app/cache/docket-cache-data

Thank you for your support Nawawi!