require_once in eval generates error while saving the list params in BE

lcollong

FabriKant d'applications web
Hi,

On several lists I have a "CanDeleteRow" plugin. I use the advanced tab with the following lines:
PHP:
require_once JPATH_LIBRARIES . '/periscolo/helpers.php';
return canDeleteClasse('{f_classes___class_id}');

Today, I edited the list to modify a typo in the "intro" in the back-end, but on saving my changes it threw an ERROR 404 "non existing page".
It took me a couple of hours to figure out that the problem was the word "require_once" in the eval part of the plugin. Replacing it with "require" alone makes the list save correctly.
It seems Apache's mod_security module is rejecting this "particular word", as "require_once" and "include_once" are rejected whereas "include" or "require" are accepted...

Is there anything one may advise regarding any setup in Fabrik, J! or the server to avoid this error while leaving mod_security switched on?
 
Nothing we can do about mod_security. You'll have to talk to your host support about turning that rule off, or do it yourself if you have a dedicated / VPS.

I suspect you may have problems using require rather than require_once, if you define a class or functions, as that plugin runs multiple times, so you'll wind up getting "cannot redefine" errors. Unless you wrap the require in an "if (!function_exists('whatever')) {...}" (or class_exists()).

The only other option would be for us to add an option to the canDelete / canEdit plugins, similar to other PHP functions, where you can optionally select a file to include, and we automatically do a require_once on that, although that's billable custom code territory.

Also, I'm looking at having a way to automatically instantiate a custom class which would always be available anywhere in Fabrik you can use custom code, but that won't happen right away.

-- hugh
 
Hi Hugh,

Thanks for the input. For now, as I have cPanel access on this hosting and I can switch mod_security on/off, I turn it off while I'm doing my mods and switch it back on as soon as I've finished... not perfect. I'm investigating a way to let my IP pass through the mod_security filter.

Because, yes, I can't leave "require" only, as the functions are called from several places, potentially on the same page.

By the way, having the option to load an external file in this kind of plugin would be nice. The condition to let the user delete the row or not is too dependent on other functions to use the eval box. It's fair for a simple calculation or the like. But if it relies on other tables or even external API call results, it's not the right solution.

I'll wait ! :)
 
By the way, having the option to load an external file in this kind of plugin would be nice. The condition to let the user delete the row or not is too dependent on other functions to use the eval box. It's fair for a simple calculation or the like. But if it relies on other tables or even external API call results, it's not the right solution.

Well yeah, but that's what require_once is for. And that's only a problem when you have an overly aggressive mod_security rule, which isn't even doing any good (if it allows 'require' and 'include').

You should be able to look at your httpd error log and see exactly which mod_security rule is causing the problem, and just remove that rule. It'd usually be in something like /var/logs/httpd/error_log. The mod_security log entry will usually give you the regex pattern that matched (so just grep the log for require_once), and exactly which line of which conf file it's in, which you can then just comment out.

-- hugh
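
Added example (not part of the thread or of Fabrik): one way to do the log check described in the reply above, run on constructed error_log lines. It reports which ModSecurity rule id, conf file and line blocked the request, then prints a `SecRuleRemoveById` exclusion limited to the affected URI; the rule ids, paths, addresses and the helper names `field`, `blocking_rules` and `scoped_exclusion` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Log lines are constructed samples in the
# ModSecurity 2.x / Apache error_log style; rule ids, paths and IPs are made up.
sample_log() {
cat <<'EOF'
[Tue Mar 05 10:12:01 2019] [:error] [pid 4211] [client 203.0.113.7] ModSecurity: Access denied with code 404 (phase 2). Pattern match "\\b(include_once|require_once)\\b" at ARGS:example_field. [file "/etc/modsecurity.d/example_rules.conf"] [line "87"] [id "9990001"] [msg "PHP include keyword (constructed)"] [hostname "example.org"] [uri "/administrator/index.php"] [unique_id "AAAA1"]
[Tue Mar 05 10:14:30 2019] [:error] [pid 4212] [client 203.0.113.7] ModSecurity: Access denied with code 404 (phase 2). Pattern match "\\b(include_once|require_once)\\b" at ARGS:example_field. [file "/etc/modsecurity.d/example_rules.conf"] [line "87"] [id "9990001"] [msg "PHP include keyword (constructed)"] [hostname "example.org"] [uri "/administrator/index.php"] [unique_id "AAAA2"]
[Tue Mar 05 10:15:02 2019] [:error] [pid 4213] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union\\s+select" at ARGS:q. [file "/etc/modsecurity.d/example_rules.conf"] [line "140"] [id "9990002"] [msg "SQL keyword (constructed)"] [hostname "example.org"] [uri "/index.php"] [unique_id "AAAA3"]
[Tue Mar 05 10:20:44 2019] [php7:warn] [pid 4215] [client 203.0.113.7] PHP Warning:  require_once(/path/to/missing.php): failed to open stream: No such file or directory in /path/to/script.php on line 3
EOF
}

# field NAME: print the value of the [NAME "value"] tag on each stdin line.
field() {
  sed -n "s/.*\[$1 \"\([^\"]*\)\"].*/\1/p"
}

# blocking_rules KEYWORD < error_log
# Keep only ModSecurity entries mentioning KEYWORD (a bare grep would also hit
# PHP warnings), then print: hits rule-id conf-file:line request-uri
blocking_rules() {
  grep 'ModSecurity:' | grep -F -- "$1" | while IFS= read -r entry; do
    printf '%s %s:%s %s\n' \
      "$(printf '%s\n' "$entry" | field id)" \
      "$(printf '%s\n' "$entry" | field file)" \
      "$(printf '%s\n' "$entry" | field line)" \
      "$(printf '%s\n' "$entry" | field uri)"
  done | sort | uniq -c | sed 's/^ *//'
}

# scoped_exclusion RULE_ID URI: emit an Apache snippet that disables only that
# rule, only for that URI, instead of commenting the rule out for every site.
# It has to be loaded after the rule itself is defined.
scoped_exclusion() {
  uri_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  printf '<LocationMatch "^%s">\n  SecRuleRemoveById %s\n</LocationMatch>\n' "$uri_re" "$1"
}

sample_log | blocking_rules require_once
scoped_exclusion 9990001 /administrator/index.php
```

On a real server, replace `sample_log |` with a redirect from the actual error log; the exclusion keeps the rule active everywhere except the back-end save URL.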
 