
Writing my first WordPress plugin – fixing the late header injection

I’ve been hand-hacking wp-includes/pluggable.php for several releases now. It just got old – so I decided to learn to write a real plugin to move the functionality of wp_redirect into my private plugin.

Here’s the issue. I have several sites that check that a user is logged in. These use runphp or exec-php so I can write/include PHP on the page:

<?php
/* Short and sweet */
global $user_level, $post, $user_login;
// get user information for the current visitor
get_currentuserinfo();
echo "Please wait ... securing your connection ...";
if ( $user_level == 0 ) {
    // $user_level == 0 is an anonymous (not logged in) user
    wp_redirect( get_option('siteurl') . '/photos/sorry' );
} else {
    // $user_level > 0 means they are logged in at least
    wp_redirect( get_option('siteurl') . '/wpg2' );
}
?>

The issue I’ve always had with this is that the standard wp_redirect simply emits a Location header; because we are already in the page body (the headers have already been sent) PHP refuses it, the redirect silently fails, and Apache logs this:

[Thu Dec 31 04:51:18 2009] [error] [client 10.0.0.1] PHP Warning:  Cannot modify header information – headers already sent by (output started at /www/foosite/wp-content/themes/regulus/header.php:5) in /www/foosite/wp-content/plugins/php-modify-headers-apache/php-modify-headers-apache.php on line 38, referer: http://foosite

The hand-written fixes checked whether headers had already been sent; if so, they fall back to the naughty meta http-equiv refresh with the URL instead:

if ( !headers_sent() ) {
    if ( $is_IIS )
        header("Refresh: 0;url=$location");
    else
        header("Location: $location");
} else {
    // headers already out: fall back to a meta refresh in the page body
    // ($location has already been run through wp_sanitize_redirect() earlier in wp_redirect())
    echo "<meta http-equiv='refresh' content='0;url=$location' />";
}
} // end of wp_redirect()

Testing the plugin now. Details later.

WordPress 2.9 – exec-php and header injection

Upgraded several of the production blogs to WordPress 2.9 – and it’s the same old issue with PHP header injection.

I’ve blogged about this before – and raised a trac ticket. I’m probably going to write a plugin to solve this one for good.

Here’s the change, around line 863 of wp-includes/pluggable.php:

/*
** Remove header injection piece - fix for exec-php
** evilzenscientist - 27 Dec 09
** originally from 28 May 08
** ref http://trac.wordpress.org/ticket/2860
        if ( $is_IIS ) {
                header("Refresh: 0;url=$location");
        } else {
                if ( php_sapi_name() != 'cgi-fcgi' )
                        status_header($status); // This causes problems on I
                header("Location: $location", true, $status);
        }
}
endif;
**
*/
/** added new header injection and refresh
** http://trac.wordpress.org/ticket/2860
** evilzenscientist - 28 May 2008
*/
if ( !headers_sent() ) {
        if ( $is_IIS )
                header("Refresh: 0;url=$location");
        else
                header("Location: $location");
} else {
        // headers already out: fall back to a meta refresh in the page body
        echo "<meta http-equiv='refresh' content='0;url=$location' />";
}
}
endif;
/** end of change */
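The same fix packaged as a plugin instead of a hand patch, covering both the plan in the first post and the pluggable.php change above. This is an added example, not the author's plugin (still "details later") and not WordPress core code: wp_redirect() is pluggable, so a plugin that defines it before wp-includes/pluggable.php loads replaces the core version. The plugin name, the esc_attr() escaping on the fallback and the explicit returns are my additions; the two filters, wp_sanitize_redirect() and status_header() are the 2.9-era core calls that wp_redirect() already made.

```php
<?php
/*
Plugin Name: Late Redirect Fallback (example)
Description: Replaces the pluggable wp_redirect() so redirects issued after
             output has started fall back to a meta refresh instead of a
             "headers already sent" warning.
*/

// Plugins load before wp-includes/pluggable.php, so defining wp_redirect()
// here makes core skip its own copy (it is wrapped in function_exists()).
// The same guard here avoids a fatal if another plugin also defines it.
if ( ! function_exists( 'wp_redirect' ) ) :
function wp_redirect( $location, $status = 302 ) {
    global $is_IIS;

    $location = apply_filters( 'wp_redirect', $location, $status );
    $status   = apply_filters( 'wp_redirect_status', $status, $location );

    if ( ! $location ) { // a filter may cancel the redirect
        return false;
    }

    // Strip anything that is not URL-safe before the value reaches a
    // header or the page body (the helper core's wp_redirect() uses).
    $location = wp_sanitize_redirect( $location );

    if ( ! headers_sent() ) {
        if ( $is_IIS ) {
            header( "Refresh: 0;url=$location" );
        } else {
            if ( php_sapi_name() != 'cgi-fcgi' ) {
                status_header( $status );
            }
            header( "Location: $location", true, $status );
        }
        return true;
    }

    // Output already started (e.g. exec-php inside a post body): no header
    // is possible, so emit a meta refresh. Escape for the attribute context
    // even though the URL was sanitised above. Unlike a real 3xx, the rest
    // of the page is still delivered and briefly rendered, so anything that
    // must stay hidden should be behind an exit, not just after this call.
    echo '<meta http-equiv="refresh" content="0;url=' . esc_attr( $location ) . '" />';
    return true;
}
endif;
```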

WordPress 2.9 beta 1

WordPress 2.9 beta 1 hits the streets today.

Looks pretty nifty – and everything seems to work ok so far.

From Mark Jaquith:

http://wordpress.org/wordpress-2.9-beta-1.zip
Big features to test:
• Basic image editing (rotate, flip, resize, crop)
• Post/Page image thumbnails. Enable the admin UI by declaring support in your theme: add_theme_support('post-thumbnails');
• Trash, with undo functionality, for posts, pages, comments
• Comment Meta table and functions — like Custom Fields/postmeta but for comments
• Easy media embeds, oEmbed — paste a URL on its own item and have it turn into embed code
• register_theme_directory() which enables plugins to bundle their own themes, without copying (BuddyPress, primary example)
• Combo upgrader — get notified of plugin updates in the WP core upgrader, as well as being informed of crowd-sourced compatibility information for the plugins.
It’s bug-fixing and polishing time! Our priorities should be, in this order:
1. Fixing regressions in old features/behaviors
2. Squashing bugs in the new features
3. Polish

Fixing WeatherIcon plugin for WordPress 2.9-rare (alpha nightlies)

A couple of changes are coming along in WordPress 2.9, including deprecating streams.php and gettext.php in wp-includes.

There’s a ticket on it here – http://core.trac.wordpress.org/ticket/10890

The easy fix is to comment out the lines where the modules are loaded:

WeatherIcon.php

# Fixes a bug in l10n.php where some guy decided there was no reason
# to load files which are required for their l10n functions if no
# language is defined in WordPress.
#require_once(ABSPATH . 'wp-includes/streams.php');
#require_once(ABSPATH . 'wp-includes/gettext.php');

WordPress 2.8.5 – beta and drop

There’s an annoying DOS for WordPress doing the rounds – it’s blockable at the edge using .htaccess, with a plugin, by hand patching, or by upgrading to 2.8.5.

Kudos to the team for getting on top of this.

Here’s the scoop off wp-hackers:

http://wordpress.org/wordpress-2.8.5-beta1.zip
2.8.5 will probably release sometime in the next 24 hours. Changes since 2.8.4:
http://core.trac.wordpress.org/log/branches/2.8?action=stop_on_copy&mode=stop_on_copy&rev=12075&stop_rev=11811&limit=999
Summary:
* Fix for trackback DOS
* Removal of permalink_structure eval
* Remove some create_function() calls
* Disallow unfiltered uploads by default, even for admins. Enable it again with define('ALLOW_UNFILTERED_UPLOADS', true); in wp-config.php
* Add extra escapes here and there for some backside coverage
* Retire two old importers
* A few small bug fixes
This is mostly a security hardening release. There’s nothing exciting unless you are concerned about the trackback DOS bug. Anyone who wants to DOS your blog can do it regardless, but the trackback DOS bug makes it easier for people to be annoying.