How to "replace glob() function"

surcoufy · July 28, 2010, 8:51am

Hi !
I had a security warning at the installation : "glob() has been disabled for security reasons"
I contacted my provider and he told me this function cannot be enabled in my kind of web host.

In the API.php I replaced the line 58 :
$languages = glob($path . “*.php”);
by
$languages = array (‘en.php’, ‘fr.php’);

I know it’s a makeshift job but I’m a real newbie in php… How can I replace the glob() function by an ‘homemade’ one ? because this function is used many times in piwik and my solution is not really adapted style_emoticons/<#EMO_DIR#>/blink.gif
Thanks

surcoufy · July 28, 2010, 9:52am

Sorry for the early up…
But I’ve just found that code (PHP: glob - Manual) but I don’t know how to use it…

/**#@+
 * Extra GLOB constant for safe_glob()
 */
define('GLOB_NODIR',256);
define('GLOB_PATH',512);
define('GLOB_NODOTS',1024);
define('GLOB_RECURSE',2048);
/**#@-*/

/**
 * A safe empowered glob().
 *
 * Function glob() is prohibited on some server (probably in safe mode)
 * (Message "Warning: glob() has been disabled for security reasons in
 * (script) on line (line)") for security reasons as stated on:
 * http://seclists.org/fulldisclosure/2005/Sep/0001.html
 *
 * safe_glob() intends to replace glob() using readdir() & fnmatch() instead.
 * Supported flags: GLOB_MARK, GLOB_NOSORT, GLOB_ONLYDIR
 * Additional flags: GLOB_NODIR, GLOB_PATH, GLOB_NODOTS, GLOB_RECURSE
 * (not original glob() flags)
 * @author BigueNique AT yahoo DOT ca
 * @updates
 * - 080324 Added support for additional flags: GLOB_NODIR, GLOB_PATH,
 *   GLOB_NODOTS, GLOB_RECURSE
 */
function safe_glob($pattern, $flags=0) {
    $split=explode('/',str_replace('\\','/',$pattern));
    $mask=array_pop($split);
    $path=implode('/',$split);
    if (($dir=opendir($path))!==false) {
        $glob=array();
        while(($file=readdir($dir))!==false) {
            // Recurse subdirectories (GLOB_RECURSE)
            if( ($flags&GLOB_RECURSE) && is_dir($file) && (!in_array($file,array('.','..'))) )
                $glob = array_merge($glob, array_prepend(safe_glob($path.'/'.$file.'/'.$mask, $flags),
                    ($flags&GLOB_PATH?'':$file.'/')));
            // Match file mask
            if (fnmatch($mask,$file)) {
                if ( ( (!($flags&GLOB_ONLYDIR)) || is_dir("$path/$file") )
                  && ( (!($flags&GLOB_NODIR)) || (!is_dir($path.'/'.$file)) )
                  && ( (!($flags&GLOB_NODOTS)) || (!in_array($file,array('.','..'))) ) )
                    $glob[] = ($flags&GLOB_PATH?$path.'/':'') . $file . ($flags&GLOB_MARK?'/':'');
            }
        }
        closedir($dir);
        if (!($flags&GLOB_NOSORT)) sort($glob);
        return $glob;
    } else {
        return false;
    }    
}

/**
 * A better "fnmatch" alternative for windows that converts a fnmatch
 * pattern into a preg one. It should work on PHP >= 4.0.0.
 * @author soywiz at php dot net
 * @since 17-Jul-2006 10:12
 */
if (!function_exists('fnmatch')) {
    function fnmatch($pattern, $string) {
        return @preg_match('/^' . strtr(addcslashes($pattern, '\\.+^$(){}=!<>|'), array('*' => '.*', '?' => '.?')) . '$/i', $string);
    }
}

vipsoft · July 28, 2010, 9:29pm

That assumes readdir and fnmatch aren’t also disabled.

Can you output:

<?php
echo ini_get('disable_function');

surcoufy · July 28, 2010, 11:33pm

Nothing appears…
Here is the page with the code you gave me : (http://)www.oco-prod.com/output.php

But this page shows the enabled functions : (http://)p23691.yellis.net/cgi-bin/php5/i/phpinfo.php

vipsoft · July 29, 2010, 12:36am

Sorry, I typo’d while entering that message on my iPhone. It should be “disable_functions” (plural). I’ll need to see the output for the server that has glob disabled.

<?php
echo ini_get('disable_functions');

surcoufy · July 29, 2010, 4:58am

glob, highlight_file, passthru, system, leak, listen, chgrp, diskfreespace, tmpfile, link, source, show_source, exec, set_time_limit, fpaththru, virtual, popen, escapeshellcmd, dl, proc_exec, symlink, readlink, linkinfo, popen, proc_open, pfsockopen, disk_free_space, disk_total_space

vipsoft · July 29, 2010, 6:34am

Looks good.

Download the 0.7 release.

Copy that code snippet to libs/upgradephp/upgrade.php.

In the following files, rename glob to safe_glob:

core/AssetManager.php
core/Piwik.php
core/Updater.php
plugins/LanguagesManager/API.php

And you should be pretty much good to go.

surcoufy · July 29, 2010, 7:54am

I can’t install it because of file intigrity problem.
This is the message on the screen :
ile integrity check failed and reported some errors. This is most likely due to a partial or failed upload of some of the Piwik files. You should reupload all the Piwik files in BINARY mode and refresh this page until it shows no error.
File size mismatch: /home/www/users/1/p/i/r/pirates/www/oco-prod.com/piwik/plugins/LanguagesManager/API.php (expected length: 5347, found: 5352)
File size mismatch: /home/www/users/1/p/i/r/pirates/www/oco-prod.com/piwik/plugins/UserCountryMap/templates/exportImage.tpl (expected length: 199, found: 191)
File size mismatch: /home/www/users/1/p/i/r/pirates/www/oco-prod.com/piwik/plugins/UserCountryMap/templates/worldmap.tpl (expected length: 2728, found: 2651)
File size mismatch: /home/www/users/1/p/i/r/pirates/www/oco-prod.com/piwik/core/Updater.php (expected length: 8832, found: 8837)
File size mismatch: /home/www/users/1/p/i/r/pirates/www/oco-prod.com/piwik/core/AssetManager.php (expected length: 13361, found: 13366)
File size mismatch: /home/www/users/1/p/i/r/pirates/www/oco-prod.com/piwik/core/Piwik.php (expected length: 41559, found: 41579)
File size mismatch: /home/www/users/1/p/i/r/pirates/www/oco-prod.com/piwik/libs/upgradephp/upgrade.php (expected length: 17012, found: 19430)
File size mismatch: /home/www/users/1/p/i/r/pirates/www/oco-prod.com/piwik/libs/PclZip/gnu-lgpl.txt (expected length: 26934, found: 26430)
File size mismatch: /home/www/users/1/p/i/r/pirates/www/oco-prod.com/piwik/misc/generateDoc.bat (expected length: 117, found: 115)

surcoufy · July 29, 2010, 9:05am

The installation continues in spite of the error, but after the first start of piwik, a new error appears :

Fatal error: require() [function.require]: Failed opening required ‘/home/www/users/1/p/2/3/p23691/www/hotelroyalbonrepos.fr/piwik/lang/.php’ (include_path=’.:/include:/usr/local/php/lib/php’) in /home/www/users/1/p/2/3/p23691/www/hotelroyalbonrepos.fr/piwik/plugins/LanguagesManager/API.php on line 114

Warning: require(/home/www/users/1/p/2/3/p23691/www/hotelroyalbonrepos.fr/piwik/lang/.php) [function.require]: failed to open stream: No such file or directory in /home/www/users/1/p/2/3/p23691/www/hotelroyalbonrepos.fr/piwik/plugins/LanguagesManager/API.php on line 114

vipsoft · July 29, 2010, 2:23pm

Looks like safe_glob() isn’t a drop-in replacement for glob().

I’ll see if I can rewrite it in time for 0.9…

matthieu · July 29, 2010, 2:32pm

[quote=Surcoufy @ Jul 28 2010, 08:51 AM]Hi !
I had a security warning at the installation : "glob() has been disabled for security reasons"
I contacted my provider and he told me this function cannot be enabled in my kind of web host.[/quote]

I highly recommend you change your web host, this is not an acceptable service to disable such a critical function as glob(). There are so many good hosts out there!

surcoufy · July 29, 2010, 4:46pm

[quote=vipsoft @ Jul 29 2010, 02:23 PM) <{POST_SNAPBACK}>

Looks like safe_glob() isn’t a drop-in replacement for glob().

I’ll see if I can rewrite it in time for 0.9…

for Piwik v0.9? that will be great style_emoticons/<#EMO_DIR#>/biggrin.gif

QUOTE (matthieu @ Jul 29 2010, 02:32 PM]I highly recommend you change your web host, this is not an acceptable service to disable such a critical function as glob(). There are so many good hosts out there![/quote] They told me that I could see the datas of the other users and vice versa... if this function was'nt disabled! Several web host have already disabled this function, and that's why some scripts ask during the installation if this function is disabled by the web host...

surcoufy · August 2, 2010, 9:11pm

v0.8 works perfectly now !
great !!