Skip Navigation

This is the technical support forum for WPML - the multilingual WordPress plugin.

Everyone can read, but only WPML clients can post here. WPML team is replying on the forum 6 days per week, 22 hours per day.

Sun Mon Tue Wed Thu Fri Sat
- 9:00 – 13:00 9:00 – 13:00 9:00 – 13:00 9:00 – 13:00 9:00 – 13:00 -
- 14:00 – 18:00 14:00 – 18:00 14:00 – 18:00 14:00 – 18:00 14:00 – 18:00 -

Supporter timezone: Europe/Tirane (GMT+02:00)

Tagged: 

This topic contains 22 replies, has 2 voices.

Last updated by Marsel Nikolli 4 months, 2 weeks ago.

Assisted by: Marsel Nikolli.

Author Posts
June 3, 2024 at 8:21 am #15696750

T4ng

Hi,

We're experiencing an issue with WPML.

We have multiple warnings in our logs similar to this one :

File(/) is not within the allowed path(s): (/var/www/:/tmp/) in /var/www/wp-includes/l10n/class-wp-translation-controller.php on line 106'

The line responsible for the warning is:

$translation_file = realpath( $translation_file );

It seems that there's no check that the $translation_file variable is indeed a filepath within the website filesystem.

Could you fix the problem with a solution like this that checks if the file is within the WP installation path and checks its existence before trying to guess the path using the realpath function:

// Normalize the translation_file path and the WordPress root path
$normalized_wp_root= wp_normalize_path( ABSPATH );
$normalized_path = wp_normalize_path($translation_file );

// Check if the given path is within the WordPress filesystem
if (strpos($normalized_path, $normalized_wp_root) === 0) {
// Check if the path points to a file
if (is_file($normalized_path)) {
$translation_file = realpath( $translation_file );
} else {
$translation_file = false;
}

}else {
$translation_file = false;
}

June 3, 2024 at 10:08 am #15697292

Marsel Nikolli

Hi,

Thank you for contacting WPML Support, I will gladly help you.

1) I would suggest initially checking the open_basedir setting on the server side.

2) After, check if the issue happens in a minimal setup, meaning:

- set a default WP theme
- keep active WPML, WCML plugins, and must-have plugins
- disable all the other plugins

After, check if the issue persists.

3) Please note that our Support Policy does not cover custom coding, the code below is just an example with minor changes, which we suggest testing in a staging environment:


// Normalize the translation_file path and the WordPress root path
$normalized_wp_root = wp_normalize_path(ABSPATH);
$normalized_path = wp_normalize_path($translation_file);

// Check if the given path is within the WordPress filesystem
if (strpos($normalized_path, $normalized_wp_root) === 0) {
    // Check if the path points to a file
    if (is_file($normalized_path)) {
        // Securely resolve the real path
        $translation_file = realpath($normalized_path);
    } else {
        // Set to false if not a valid file
        $translation_file = false;
        // Optionally log or handle the error when the file does not exist
        error_log("WPML Translation error: File does not exist at path '{$normalized_path}'.");
    }
} else {
    // Set to false if the path is outside the WordPress installation
    $translation_file = false;
    // Optionally log or handle the error for security or misconfiguration issues
    error_log("WPML Translation error: File path '{$normalized_path}' is outside the allowed WordPress directory.");
}

// Continue with your logic, ensuring $translation_file is checked for validity
if ($translation_file !== false) {
    // Process the valid translation file
} else {
    // Handle the case where no valid file was found or set
}

---
* Please note that the code provided might not work or even break your website, so in case things still don’t work or in case you feel that you need more help with this, we recommend that you hire a developer or a WPML contractor (https://wpml.org/contractors).

Kind regards,
Marsel

June 3, 2024 at 10:31 am #15697402

T4ng

Hi,

Thanks for your reply.

We've very aware of our server setup, which is set to not accept files creation in the server's root folder, since it's a major security isssue.

Yes, these issues occur with only WPML plugins enabled, and default theme.

Obviously, the code you provide is ours. So yes, it works.

Now, do you consider adding it to WPML's code base? Or are you suggesting that we add it manually?
We re not willing to patch WPML's code upon every plugin update, especially when it's about fixing a security issue. The fix should rather be implemented directly in your code base.

Thank you

June 3, 2024 at 3:14 pm #15698386

Marsel Nikolli

Hi,

Thank you for the update, I've escalated the issue to our developer team for further troubleshooting.

I'll let you know as soon as I have an update from the team.

Kind regards,
Marsel

June 4, 2024 at 10:16 am #15701049

T4ng

Thanks for keeping me posted

June 5, 2024 at 7:42 am #15705374

Marsel Nikolli

Hi,

I am still waiting on the feedback from the team, I'll update as soon as I have news.

Regards,
Marsel

June 19, 2024 at 7:50 am #15753654

T4ng

Hi,

It's been over two weeks I noticed you with this issue.
I think the request is legitimate.
You should seen how many such errors I get in a day in our logs.
Not to mention it's about good coding practice, and security. The solution can't be tweaking the open_basedir setting to make them more permissive.

Can you please take a look at it? It doesn't seem so difficult to solve.

Thank you.

June 19, 2024 at 8:43 am #15754044

Marsel Nikolli

Hi,

I would require a copy of your website to pass it to the 2nd tier support.

You can use the Duplicator plugin(https://wordpress.org/plugins/duplicator/) to create a copy of your website and upload the backup on a file-sharing website (Google Drive, Dropbox, etc.), please send me the link to download the backup after.

* Please try to minimize the size of the backup file by excluding unnecessary media files or backup folders that might be in the "/wp-content/" folder.

I’ve set your next reply as private so you can provide the backup link.

Thank you,
Marsel

June 19, 2024 at 8:55 am #15754206

T4ng

Our website is a big project . It's a real pain to duplicate and reinstall.
But you don't need our website to solve the issue. The problem is obvious. Your plugin temporarely attempts to put files where it's not supposed to.
Just solve that and everything will be fine. Thanks.

June 19, 2024 at 1:10 pm #15755928

Marsel Nikolli

Hi,

I've checked again with the team and what their response is:

The file is "/wp-includes/l10n/class-wp-translation-controller.php on line 106' the line "$translation_file = realpath( $translation_file );" is inside. That is part of WordPress core files not of WPML files, so that is not related to WPML. The workaround/fix suggested is not something that we can apply. This is a server config issue and open_basedir should be set to 'none'.

Is there any way you can trace to determine if the WPML plugin is responsible for calling that function?

June 20, 2024 at 3:01 pm #15764873

T4ng

Hi,

I just had a long conversation with our developer.

He explained that the warning has to come from a plugin that handles translations.
So it's wether Performant Translation (which we use for 3 months now), or WPML itself or one of its extensions in use (WCML, ACFML, ... ?).

Regarding the open_basedir setting, indeed, we COULD set it to none, since that's the php recommendation, to improve performance (so that there's no need to check anytime a script tries to use a file, if its location is allowed or not)... But if we do that, they also recommend disabling the risky php functions along. Unfortunately, in a WordPress environnment and with multiple plugins, we can't do the latter, since this might need these fuctions.

By the way, even if we set open_basedir to none, we won't get this specific error anymore, but will instead, get another one stating it cannot open a folder (/) as a file.

In other Word, if seting open_basedir to none could be benefic, we'll still get an error, so that's not a solution.

That's why we need to identify which plugin is responsible for this warning.

So what we'll do for now, is disabling Performant Translation, to see if the error disappears. If so, we'll ask the editor if they can do something about it.
Otherwise, we might take a look at WPML and its plugins.

June 20, 2024 at 3:25 pm #15765157

Marsel Nikolli

Hi,

Thank you for the update, I've passed your message to our 2nd tier support team.
We look forward to your message on how it goes by disabling the Performant Translation plugin.

Regards,
Marsel

June 21, 2024 at 6:58 am #15771686

Marsel Nikolli

Hi,

Given that the plugin Performant Translations has been included in the WordPress core since the v6.5 release (https://make.wordpress.org/core/2023/11/08/merging-performant-translations-into-core/), the 2nd tier support team asked if it's possible having a full stack trace to determine if our plugin is responsible for the issue.

Regards,
Marsel

June 24, 2024 at 11:46 am #15806500

T4ng

Hi,

Sure.

This is what we have for now:

AH01071: Got error 'PHP message: PHP Warning: realpath(): open_basedir restriction in effect.
File(/) is not within the allowed path(s): (/var/www/vhosts/******/:/tmp/) in /var/www/vhosts/******/httpdocs/webroot/wp-includes/l10n/class-wp-translation-controller.php on line 106',
referer: hidden link.......

I should be able to provide you with something more detailled soon, though.

June 24, 2024 at 12:01 pm #15806680

Marsel Nikolli

Hi,

thanks for the update.

Please if possible use pastebin.com to share the logs.

Looking forward to your reply,
Marsel

The topic ‘[Closed] Multiple open_baserdir warnings’ is closed to new replies.