Plugin hard-codes mpdf tempdir to potenitally non-writeable location

  • Resolved Ronny Adsetts

    (@ronnyadsetts)


    4 months, 2 weeks ago

    There’s a minor problem with this plugin whereby it hard-codes the location of the mpdf tmp dir as a sub-dir of the plugin install dir and proceeds to use it without checking it exists.

    In a locked-down WordPress install, the plugin dirs are not writable.

    The mpdf manual recommends using a non-default tmp dir location:

    https://mpdf.github.io/installation-setup/folders-for-temporary-files.html

    It’s possible using the “cmplz_mpdf_args” filter to specify the location of the mpdf temp dir rather than using the default “complianz-gdpr/assets/vendor/mpdf/mpdf/tmp” location using something like this:

    function ainet_cmplz_mpdf_args( $args ) {

       // Set the tempdir location as by default it uses the vendor dir.
       $args[ 'tempDir' ] = get_temp_dir();

       return $args;
    }
    add_filter( 'cmplz_mpdf_args', 'ainet_cmplz_mpdf_args', 10, 1 );

    There is however a cmplz tmp dir cleanup job that calls recursively_clear_directory($dir) with $dir = cmplz_path . ‘/assets/vendor/mpdf/mpdf/tmp’.

    When the plugin dirs are not writeable, the temp dir does not exist and this gets logged (filesystem location sanitised):

    PHP Warning:  scandir(/xxxxx/wp-content/plugins/complianz-gdpr//assets/vendor/mpdf/mpdf/tmp): Failed to open directory: No such file or directory in /xxxxx/wp-content/plugins/complianz-gdpr/documents/class-document.php on line 2040
    Warning: scandir(/xxxxx/wp-content/plugins/complianz-gdpr//assets/vendor/mpdf/mpdf/tmp): Failed to open directory: No such file or directory in /xxxxx/wp-content/plugins/complianz-gdpr/documents/class-document.php on line 2040
    PHP Warning:  scandir(): (errno 2): No such file or directory in /xxxxx/wp-content/plugins/complianz-gdpr/documents/class-document.php on line 2040
    Warning: scandir(): (errno 2): No such file or directory in /xxxxx/wp-content/plugins/complianz-gdpr/documents/class-document.php on line 2040
    PHP Fatal error:  Uncaught TypeError: array_diff(): Argument #1 ($array) must be of type array, bool given in /xxxxx/wp-content/plugins/complianz-gdpr/documents/class-document.php:2040
    Stack trace:
    #0 /xxxxx/wp-content/plugins/complianz-gdpr/documents/class-document.php(2040): array_diff()
    #1 /xxxxx/wp-content/plugins/complianz-gdpr/documents/class-document.php(2021): cmplz_document->recursively_clear_directory()
    #2 /xxxxx/wp-content/plugins/complianz-gdpr/proof-of-consent/class-proof-of-consent.php(293): cmplz_document->generate_pdf()
    #3 /xxxxx/wp-includes/class-wp-hook.php(324): cmplz_proof_of_consent->generate_cookie_policy_snapshot()
    #4 /xxxxx/wp-includes/class-wp-hook.php(348): WP_Hook->apply_filters()
    #5 /xxxxx/wp-includes/plugin.php(565): WP_Hook->do_action()
    #6 phar:///usr/local/bin/wp/vendor/wp-cli/cron-command/src/Cron_Event_Command.php(361): do_action_ref_array()
    #7 phar:///usr/local/bin/wp/vendor/wp-cli/cron-command/src/Cron_Event_Command.php(284): Cron_Event_Command::run_event()
    #8 [internal function]: Cron_Event_Command->run()
    #9 phar:///usr/local/bin/wp/vendor/wp-cli/wp-cli/php/WP_CLI/Dispatcher/CommandFactory.php(100): call_user_func()
    #10 [internal function]: WP_CLI\Dispatcher\CommandFactory::WP_CLI\Dispatcher\{closure}()
    #11 phar:///usr/local/bin/wp/vendor/wp-cli/wp-cli/php/WP_CLI/Dispatcher/Subcommand.php(497): call_user_func()
    #12 phar:///usr/local/bin/wp/vendor/wp-cli/wp-cli/php/WP_CLI/Runner.php(441): WP_CLI\Dispatcher\Subcommand->invoke()
    #13 phar:///usr/local/bin/wp/vendor/wp-cli/wp-cli/php/WP_CLI/Runner.php(464): WP_CLI\Runner->run_command()
    #14 phar:///usr/local/bin/wp/vendor/wp-cli/wp-cli/php/WP_CLI/Runner.php(1295): WP_CLI\Runner->run_command_and_exit()
    #15 phar:///usr/local/bin/wp/vendor/wp-cli/wp-cli/php/WP_CLI/Bootstrap/LaunchRunner.php(28): WP_CLI\Runner->start()
    #16 phar:///usr/local/bin/wp/vendor/wp-cli/wp-cli/php/bootstrap.php(83): WP_CLI\Bootstrap\LaunchRunner->process()
    #17 phar:///usr/local/bin/wp/vendor/wp-cli/wp-cli/php/wp-cli.php(32): WP_CLI\bootstrap()
    #18 phar:///usr/local/bin/wp/php/boot-phar.php(20): include('...')
    #19 /usr/local/bin/wp(4): include('...')
    #20 {main}
      thrown in /xxxxx/wp-content/plugins/complianz-gdpr/documents/class-document.php on line 2040
    Fatal error: Uncaught TypeError: array_diff(): Argument #1 ($array) must be of type array, bool given in /xxxxx/wp-content/plugins/complianz-gdpr/documents/class-document.php:2040

    Would it be possible to either have a hook to set the temp dir location or have recursively_clear_directory() use the mpdf-configured temp dir location?

    Thanks.

    Ronny

Viewing 15 replies - 1 through 15 (of 15 total)
  • Plugin Support leonardoiub

    (@leonardotamion)

    Hello Ronny,

    thanks for your message and the complete explanation.

    I opened a task for the dev team and I’ll let you know as soon as they’ll reply.

    Could you please send me the url of the website for which you’re using Complianz? Or just one of them if you manage multiple websites.

    Thread Starter Ronny Adsetts

    (@ronnyadsetts)

    Of course. This site in particular is https://www.bradymemorymap.co.uk/

    Thanks.

    Ronny

    Plugin Support leonardoiub

    (@leonardotamion)

    Hello,

    thanks for the information.

    The check has been scheduled for the 25th-26th of July, I’ll let you know as soon as the dev team will send me an update.

    Thread Starter Ronny Adsetts

    (@ronnyadsetts)

    Hi,

    Any update to this?

    Thanks.

    Plugin Support leonardoiub

    (@leonardotamion)

    Hello,

    unfortunately we don’t have an update about it, we’ll inform you as soon as the dev team will release an update.

    Thanks for your patience

    Plugin Support leonardoiub

    (@leonardotamion)

    Hello,

    could you please update our plugin, delete the website cache and check if the issue is still there?

    Thread Starter Ronny Adsetts

    (@ronnyadsetts)

    There doesn’t appear to be an update available. Latest version is v7.1.0.

    Plugin Support daniub

    (@daniub)

    Hi @ronnyadsetts, are you a Premium/PRO user?

    In this case, due to WP guidelines, feel free to write us to [email protected]

    In that case we can give you a testable version of the premium plugin to solve this issue.

    Thank you for your cooperation

    Thread Starter Ronny Adsetts

    (@ronnyadsetts)

    Not a Premium/Pro user. If I was, I wouldn’t be posting for support here would I?

    Plugin Support daniub

    (@daniub)

    Thank you for your confirmation,

    we really want to be compliant with WP Guidelines, and we wanted to be sure.

    We’ll try to fix this in the free version of the plugin and we’ll keep you posted

    Thread Starter Ronny Adsetts

    (@ronnyadsetts)

    OK. Thanks for the update.

    Look forward to seeing a fix as the periodic stack-traces are a bit annoying.

    Plugin Support leonardoiub

    (@leonardotamion)

    Hi,

    the dev team told us the possible solution related to the issue you pointed out, we’re evaluating how to send you all the steps to follow together with the testable version of our plugin.

    Plugin Support leonardoiub

    (@leonardotamion)

    Hello,

    thanks for your patience.

    Here you can download the testable version of the free plugin, below you’ll find all the steps you can follow to test the solution.

    Testing the Solution, Steps Taken to Test the Applied Solution

    Install the Plugin

    • Download and install the plugin on the WordPress site.

    Generate Proof of Consent

    • On the frontend of the website, interact with the cookie consent banner to accept cookies and generate proof of consent entries.

    Generate Proof of Consent PDF

    • Go to Complianz > Tools > Record of Consent in the WordPress admin panel.
    • Click on the Generate button to create a PDF document of the consent records.

    Normal Installation Testing

    • Default Temporary Directory (tempDir) Handling:
      • Verify that the mPDF cache is generated in a subdirectory under wp-content/uploads/complianz/snapshots/tmp.
      • After generating the PDF, confirm that the default temporary directory is automatically deleted, ensuring no leftover temporary files.

    Locked Installations Testing

    • Custom Temporary Directory (tempDir) Handling:
      • For installations with restricted directory permissions (“locked installations”):
        • Use the filter cmplz_mpdf_args to set a custom tempDir path.
        • Use the filter described in the section below “Test using a custom tempDir…”
          • Create a new mu-plugin
          • Add the code taking care to pass a new path to the $args[‘tempDir’]
        • Ensure that temporary mPDF files are correctly created in the specified custom path.
        • Verify that these temporary files are deleted after the PDF generation, preventing storage of unnecessary temporary data.

    Note

    Test using a custom tempDir, the attached snippet filters the cmplz_mpdf_args arguments:

    <?php
    /**
    * Plugin Name: Override CMPLZ mPDF tempdir
    * Description: Override the tempdir for mPDF to the uploads directory.
    */
    // Basic security, prevents file from being loaded directly.
    defined('ABSPATH') or die("you do not have access to this page!");
    if (!has_filter('cmplz_mpdf_args', 'override_cmplz_mpdf_args')) {
    function override_cmplz_mpdf_args($args)
    {
    // Set the tempdir to the uploads directory
    $uploads = wp_upload_dir();
    $upload_dir = $uploads['basedir'];
    $new_temp_dir = $upload_dir . '/tmp-mpdf';
    $args['tempDir'] = $new_temp_dir;

    return $args;
    }
    add_filter('cmplz_mpdf_args', 'override_cmplz_mpdf_args', 10, 1);
    }
    Thread Starter Ronny Adsetts

    (@ronnyadsetts)

    This appears to work as expected. I wasn’t able to verify the creation of the tmp dir. I think it’s removed in the recursively_clear_directory() function. Perhaps it shouldn’t be – it’s needed every time a PDF is created.

    I’ll update the ticket if I find anything else but this looks fixed to me.

    Thanks.

    Plugin Support leonardoiub

    (@leonardotamion)

    Hello,

    thanks a lot for your patience and your feedback.

    We’ll be at your disposal if you’ll need more help in the future.

    Have a nice day!

Viewing 15 replies - 1 through 15 (of 15 total)
  • You must be logged in to reply to this topic.