It seems that there's no check that the $translation_file variable is indeed a filepath within the website filesystem.
Could you fix the problem with a solution like this that checks if the file is within the WP installation path and checks its existence before trying to guess the path using the realpath function:
    // Normalize the translation_file path and the WordPress root path
    $normalized_wp_root = wp_normalize_path( ABSPATH );
    $normalized_path = wp_normalize_path( $translation_file );
    // Check if the given path is within the WordPress filesystem
    if ( strpos( $normalized_path, $normalized_wp_root ) === 0 ) {
        // Check if the path points to a file
        if ( is_file( $normalized_path ) ) {
            $translation_file = realpath( $translation_file );
        } else {
            $translation_file = false;
        }
    }
Thank you for contacting WPML Support, I will gladly help you.
1) I would suggest initially checking the open_basedir setting on the server side.
2) After, check if the issue happens in a minimal setup, meaning:
- set a default WP theme
- keep active WPML, WCML plugins, and must-have plugins
- disable all the other plugins
After, check if the issue persists.
3) Please note that our Support Policy does not cover custom coding, the code below is just an example with minor changes, which we suggest testing in a staging environment:
    // Normalize the translation_file path and the WordPress root path
    $normalized_wp_root = wp_normalize_path(ABSPATH);
    $normalized_path = wp_normalize_path($translation_file);
    // Check if the given path is within the WordPress filesystem
    if (strpos($normalized_path, $normalized_wp_root) === 0) {
        // Check if the path points to a file
        if (is_file($normalized_path)) {
            // Securely resolve the real path
            $translation_file = realpath($normalized_path);
        } else {
            // Set to false if not a valid file
            $translation_file = false;
            // Optionally log or handle the error when the file does not exist
            error_log("WPML Translation error: File does not exist at path '{$normalized_path}'.");
        }
    } else {
        // Set to false if the path is outside the WordPress installation
        $translation_file = false;
        // Optionally log or handle the error for security or misconfiguration issues
        error_log("WPML Translation error: File path '{$normalized_path}' is outside the allowed WordPress directory.");
    }
    // Continue with your logic, ensuring $translation_file is checked for validity
    if ($translation_file !== false) {
        // Process the valid translation file
    } else {
        // Handle the case where no valid file was found or set
    }
--- * Please note that the code provided might not work or even break your website, so in case things still don’t work or in case you feel that you need more help with this, we recommend that you hire a developer or a WPML contractor (https://wpml.org/contractors).
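An added example, not code from WPML, WordPress core or either poster: the prefix test in the snippets above compares raw strings, so a path containing `..` can start with the root and still resolve outside it. This version collapses `.` and `..` lexically before comparing (no filesystem access, so nothing for open_basedir to reject), then re-checks the result of realpath(). The function names and sample paths are assumptions, and it assumes POSIX-style absolute paths.

```php
<?php
// Added example; function names and sample paths are assumptions (POSIX paths).

// Collapse ".", ".." and duplicate slashes without touching the filesystem,
// so no open_basedir check is triggered at this stage.
function lexical_normalize(string $path): string {
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') { array_pop($parts); continue; }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

// Compare with a trailing slash so "/srv/site-old" does not match "/srv/site".
function is_within(string $path, string $root): bool {
    $root = rtrim(lexical_normalize($root), '/') . '/';
    return strncmp(lexical_normalize($path) . '/', $root, strlen($root)) === 0;
}

// Returns the resolved file path, or false when it is not a file under $root.
function resolve_translation_file(string $file, string $root) {
    if ($file === '' || $file[0] !== '/' || !is_within($file, $root)) {
        return false;                       // rejected before realpath() runs
    }
    $real = realpath($file);
    if ($real === false || !is_file($real)) {
        return false;
    }
    return is_within($real, $root) ? $real : false; // a symlink may leave root
}

// Constructed demo tree under the system temp directory.
$root = realpath(sys_get_temp_dir()) . '/wp-demo-' . getmypid();
mkdir("$root/wp-content/languages", 0700, true);
file_put_contents("$root/wp-content/languages/fr_FR.mo", 'demo');

$candidates = [
    "$root/wp-content/languages/fr_FR.mo",   // valid file
    '/',                                     // the path seen in the warning
    "$root/../../etc/passwd",                // starts with the root, resolves outside
    "$root-old/fr_FR.mo",                    // sibling directory sharing the prefix
];
foreach ($candidates as $c) {
    $naive = strpos($c, "$root/") === 0;     // raw prefix test, root ends in "/" like ABSPATH
    printf("%-60s naive=%s checked=%s\n", $c, var_export($naive, true),
        var_export(resolve_translation_file($c, $root), true));
}
```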
We're very aware of our server setup, which is set to not accept file creation in the server's root folder, since it's a major security issue.
Yes, these issues occur with only WPML plugins enabled, and default theme.
Obviously, the code you provide is ours. So yes, it works.
Now, do you consider adding it to WPML's code base? Or are you suggesting that we add it manually?
We're not willing to patch WPML's code upon every plugin update, especially when it's about fixing a security issue. The fix should rather be implemented directly in your code base.
It's been over two weeks since I notified you of this issue.
I think the request is legitimate.
You should see how many such errors I get in a day in our logs.
Not to mention it's about good coding practice, and security. The solution can't be tweaking the open_basedir setting to make them more permissive.
Can you please take a look at it? It doesn't seem so difficult to solve.
I would require a copy of your website to pass it to the 2nd tier support.
You can use the Duplicator plugin (https://wordpress.org/plugins/duplicator/) to create a copy of your website and upload the backup on a file-sharing website (Google Drive, Dropbox, etc.); please send me the link to download the backup after.
* Please try to minimize the size of the backup file by excluding unnecessary media files or backup folders that might be in the "/wp-content/" folder.
I’ve set your next reply as private so you can provide the backup link.
Our website is a big project. It's a real pain to duplicate and reinstall.
But you don't need our website to solve the issue. The problem is obvious. Your plugin temporarily attempts to put files where it's not supposed to.
Just solve that and everything will be fine. Thanks.
I've checked again with the team and what their response is:
The file is "/wp-includes/l10n/class-wp-translation-controller.php on line 106"; the line "$translation_file = realpath( $translation_file );" is inside. That is part of WordPress core files not of WPML files, so that is not related to WPML. The workaround/fix suggested is not something that we can apply. This is a server config issue and open_basedir should be set to 'none'.
Is there any way you can trace to determine if the WPML plugin is responsible for calling that function?
I just had a long conversation with our developer.
He explained that the warning has to come from a plugin that handles translations.
So it's either Performant Translation (which we use for 3 months now), or WPML itself or one of its extensions in use (WCML, ACFML, ... ?).
Regarding the open_basedir setting, indeed, we COULD set it to none, since that's the PHP recommendation, to improve performance (so that there's no need to check anytime a script tries to use a file, if its location is allowed or not)... But if we do that, they also recommend disabling the risky PHP functions along. Unfortunately, in a WordPress environment and with multiple plugins, we can't do the latter, since this might need these functions.
By the way, even if we set open_basedir to none, we won't get this specific error anymore, but will instead, get another one stating it cannot open a folder (/) as a file.
In other words, if setting open_basedir to none could be beneficial, we'll still get an error, so that's not a solution.
That's why we need to identify which plugin is responsible for this warning.
So what we'll do for now, is disabling Performant Translation, to see if the error disappears. If so, we'll ask the editor if they can do something about it.
Otherwise, we might take a look at WPML and its plugins.
Thank you for the update, I've passed your message to our 2nd tier support team.
We look forward to your message on how it goes by disabling the Performant Translation plugin.
AH01071: Got error 'PHP message: PHP Warning: realpath(): open_basedir restriction in effect.
File(/) is not within the allowed path(s): (/var/www/vhosts/******/:/tmp/) in /var/www/vhosts/******/httpdocs/webroot/wp-includes/l10n/class-wp-translation-controller.php on line 106',
referer: hidden link.......
I should be able to provide you with something more detailed soon, though.