How to "replace glob() function"


(Surcoufy) #1

Hi !
I had a security warning at the installation : "glob() has been disabled for security reasons"
I contacted my provider and he told me this function cannot be enabled in my kind of web host.

In the API.php I replaced the line 58 :
$languages = glob($path . "*.php");
by
$languages = array('en.php', 'fr.php');

I know it’s a makeshift job but I’m a real newbie in php… How can I replace the glob() function by a ‘homemade’ one? Because this function is used many times in piwik and my solution is not really adapted.
Thanks


(Surcoufy) #2

Sorry for the early up…
But I’ve just found that code (PHP: glob - Manual) but I don’t know how to use it…

/**#@+
 * Extra GLOB constant for safe_glob()
 */
define('GLOB_NODIR',256);
define('GLOB_PATH',512);
define('GLOB_NODOTS',1024);
define('GLOB_RECURSE',2048);
/**#@-*/

/**
 * A safe empowered glob().
 *
 * Function glob() is prohibited on some server (probably in safe mode)
 * (Message "Warning: glob() has been disabled for security reasons in
 * (script) on line (line)") for security reasons as stated on:
 * http://seclists.org/fulldisclosure/2005/Sep/0001.html
 *
 * safe_glob() intends to replace glob() using readdir() & fnmatch() instead.
 * Supported flags: GLOB_MARK, GLOB_NOSORT, GLOB_ONLYDIR
 * Additional flags: GLOB_NODIR, GLOB_PATH, GLOB_NODOTS, GLOB_RECURSE
 * (not original glob() flags)
 * @author BigueNique AT yahoo DOT ca
 * @updates
 * - 080324 Added support for additional flags: GLOB_NODIR, GLOB_PATH,
 *   GLOB_NODOTS, GLOB_RECURSE
 */
function safe_glob($pattern, $flags=0) {
    $split=explode('/',str_replace('\\','/',$pattern));
    $mask=array_pop($split);
    $path=implode('/',$split);
    if (($dir=opendir($path))!==false) {
        $glob=array();
        while(($file=readdir($dir))!==false) {
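            // Recurse subdirectories (GLOB_RECURSE); test the entry relative to $path, not the working directory
            if( ($flags&GLOB_RECURSE) && is_dir($path.'/'.$file) && (!in_array($file,array('.','..'))) ) {
                $sub = safe_glob($path.'/'.$file.'/'.$mask, $flags);
                // With GLOB_PATH the sub-results already carry their path; otherwise prefix the subdirectory name
                foreach (($sub === false ? array() : $sub) as $entry)
                    $glob[] = ($flags&GLOB_PATH?'':$file.'/') . $entry;
            }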
            // Match file mask
            if (fnmatch($mask,$file)) {
                if ( ( (!($flags&GLOB_ONLYDIR)) || is_dir("$path/$file") )
                  && ( (!($flags&GLOB_NODIR)) || (!is_dir($path.'/'.$file)) )
                  && ( (!($flags&GLOB_NODOTS)) || (!in_array($file,array('.','..'))) ) )
                    $glob[] = ($flags&GLOB_PATH?$path.'/':'') . $file . ($flags&GLOB_MARK?'/':'');
            }
        }
        closedir($dir);
        if (!($flags&GLOB_NOSORT)) sort($glob);
        return $glob;
    } else {
        return false;
    }    
}

/**
 * A better "fnmatch" alternative for windows that converts a fnmatch
 * pattern into a preg one. It should work on PHP >= 4.0.0.
 * @author soywiz at php dot net
 * @since 17-Jul-2006 10:12
 */
if (!function_exists('fnmatch')) {
    function fnmatch($pattern, $string) {
        // '?' matches exactly one character; '/' is escaped because it is the regex delimiter
        return @preg_match('/^' . strtr(addcslashes($pattern, '\\.+^$(){}=!<>|/'), array('*' => '.*', '?' => '.')) . '$/i', $string);
    }
}

(vipsoft) #3

That assumes readdir and fnmatch aren’t also disabled.

Can you output:

<?php
echo ini_get('disable_function');

(Surcoufy) #4

Nothing appears…
Here is the page with the code you gave me : (http://)www.oco-prod.com/output.php

But this page shows the enabled functions : (http://)p23691.yellis.net/cgi-bin/php5/i/phpinfo.php


(vipsoft) #5

Sorry, I typo’d while entering that message on my iPhone. It should be “disable_functions” (plural). I’ll need to see the output for the server that has glob disabled.

<?php
echo ini_get('disable_functions');

(Surcoufy) #6

glob, highlight_file, passthru, system, leak, listen, chgrp, diskfreespace, tmpfile, link, source, show_source, exec, set_time_limit, fpaththru, virtual, popen, escapeshellcmd, dl, proc_exec, symlink, readlink, linkinfo, popen, proc_open, pfsockopen, disk_free_space, disk_total_space


(vipsoft) #7

Looks good.

Download the 0.7 release.

Copy that code snippet to libs/upgradephp/upgrade.php.

In the following files, rename glob to safe_glob:

  • core/AssetManager.php
  • core/Piwik.php
  • core/Updater.php
  • plugins/LanguagesManager/API.php

And you should be pretty much good to go.


(Surcoufy) #8

I can’t install it because of a file integrity problem.
This is the message on the screen :

File integrity check failed and reported some errors. This is most likely due to a partial or failed upload of some of the Piwik files. You should reupload all the Piwik files in BINARY mode and refresh this page until it shows no error.
File size mismatch: /home/www/users/1/p/i/r/pirates/www/oco-prod.com/piwik/plugins/LanguagesManager/API.php (expected length: 5347, found: 5352)
File size mismatch: /home/www/users/1/p/i/r/pirates/www/oco-prod.com/piwik/plugins/UserCountryMap/templates/exportImage.tpl (expected length: 199, found: 191)
File size mismatch: /home/www/users/1/p/i/r/pirates/www/oco-prod.com/piwik/plugins/UserCountryMap/templates/worldmap.tpl (expected length: 2728, found: 2651)
File size mismatch: /home/www/users/1/p/i/r/pirates/www/oco-prod.com/piwik/core/Updater.php (expected length: 8832, found: 8837)
File size mismatch: /home/www/users/1/p/i/r/pirates/www/oco-prod.com/piwik/core/AssetManager.php (expected length: 13361, found: 13366)
File size mismatch: /home/www/users/1/p/i/r/pirates/www/oco-prod.com/piwik/core/Piwik.php (expected length: 41559, found: 41579)
File size mismatch: /home/www/users/1/p/i/r/pirates/www/oco-prod.com/piwik/libs/upgradephp/upgrade.php (expected length: 17012, found: 19430)
File size mismatch: /home/www/users/1/p/i/r/pirates/www/oco-prod.com/piwik/libs/PclZip/gnu-lgpl.txt (expected length: 26934, found: 26430)
File size mismatch: /home/www/users/1/p/i/r/pirates/www/oco-prod.com/piwik/misc/generateDoc.bat (expected length: 117, found: 115)


(Surcoufy) #9

The installation continues in spite of the error, but after the first start of piwik, a new error appears :

Fatal error: require() [function.require]: Failed opening required ‘/home/www/users/1/p/2/3/p23691/www/hotelroyalbonrepos.fr/piwik/lang/.php’ (include_path=’.:/include:/usr/local/php/lib/php’) in /home/www/users/1/p/2/3/p23691/www/hotelroyalbonrepos.fr/piwik/plugins/LanguagesManager/API.php on line 114

Warning: require(/home/www/users/1/p/2/3/p23691/www/hotelroyalbonrepos.fr/piwik/lang/.php) [function.require]: failed to open stream: No such file or directory in /home/www/users/1/p/2/3/p23691/www/hotelroyalbonrepos.fr/piwik/plugins/LanguagesManager/API.php on line 114



(vipsoft) #10

Looks like safe_glob() isn’t a drop-in replacement for glob().

I’ll see if I can rewrite it in time for 0.9…
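
One difference visible in the snippet from post #2, shown as an added example that is not part of the thread or of Piwik's code: safe_glob() returns bare file names unless its non-standard GLOB_PATH flag is passed, whereas glob() keeps the directory prefix from the pattern. glob_compat() is a hypothetical name; it assumes opendir(), readdir() and fnmatch() are not disabled and handles a wildcard only in the last path segment.

```php
<?php
// Added example: glob_compat() is a hypothetical name, not a Piwik function.
// Assumes opendir(), readdir() and fnmatch() are enabled on the host.
function glob_compat($pattern, $flags = 0)
{
    $pattern = str_replace('\\', '/', $pattern);
    $slash   = strrpos($pattern, '/');
    // "lang/*.php" => prefix "lang/", mask "*.php"; "*.php" => prefix "", mask "*.php"
    $prefix  = ($slash === false) ? '' : substr($pattern, 0, $slash + 1);
    $mask    = ($slash === false) ? $pattern : substr($pattern, $slash + 1);

    $handle = @opendir($prefix === '' ? '.' : $prefix);
    if ($handle === false) {
        return false;                         // directory missing or unreadable
    }
    $matches = array();
    while (($name = readdir($handle)) !== false) {
        // glob() does not let a wildcard match a leading dot (hides ".", ".." and dotfiles)
        if ($name[0] === '.' && ($mask === '' || $mask[0] !== '.')) {
            continue;
        }
        if (!fnmatch($mask, $name)) {
            continue;
        }
        $isDir = is_dir($prefix . $name);
        if (($flags & GLOB_ONLYDIR) && !$isDir) {
            continue;
        }
        // Keep the directory prefix on every result, as glob() does
        $matches[] = $prefix . $name . ((($flags & GLOB_MARK) && $isDir) ? '/' : '');
    }
    closedir($handle);
    if (!($flags & GLOB_NOSORT)) {
        sort($matches, SORT_STRING);
    }
    return $matches;
}

// Constructed demo: a throw-away directory standing in for a language folder
$dir   = sys_get_temp_dir() . '/glob_compat_demo_' . getmypid();
$files = array('fr.php', 'en.php', '.hidden.php', 'README.txt');
mkdir($dir);
foreach ($files as $f) touch($dir . '/' . $f);
foreach (glob_compat($dir . '/*.php') as $path) {
    echo $path, ' => ', basename($path, '.php'), "\n";   // callers strip the prefix themselves
}
foreach ($files as $f) unlink($dir . '/' . $f);
rmdir($dir);
```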


(Matthieu Aubry) #11

[quote=Surcoufy @ Jul 28 2010, 08:51 AM]Hi !
I had a security warning at the installation : "glob() has been disabled for security reasons"
I contacted my provider and he told me this function cannot be enabled in my kind of web host.[/quote]

I highly recommend you change your web host, this is not an acceptable service to disable such a critical function as glob(). There are so many good hosts out there!


(Surcoufy) #12

[quote=vipsoft @ Jul 29 2010, 02:23 PM]Looks like safe_glob() isn’t a drop-in replacement for glob().

I’ll see if I can rewrite it in time for 0.9…[/quote]

For Piwik v0.9? That will be great.

[quote=matthieu @ Jul 29 2010, 02:32 PM]I highly recommend you change your web host, this is not an acceptable service to disable such a critical function as glob(). There are so many good hosts out there![/quote]

They told me that I could see the data of the other users and vice versa... if this function wasn't disabled! Several web hosts have already disabled this function, and that's why some scripts ask during the installation if this function is disabled by the web host...

(Surcoufy) #13

v0.8 works perfectly now !
great !!