Version 4.6.17 crashed site

  • gerobe

    (@gerobe)


    1 month, 3 weeks ago

    With version 4.6.17 my site is down, due to:

    Uncaught Error: Failed opening required ‘/wp-content/plugins/shariff/includes/sanitization.php’ (include_path=’.:/usr/lib/php8.3′) in /wp-content/plugins/shariff/shariff.php:21

Viewing 5 replies - 1 through 5 (of 5 total)
  • Thread Starter gerobe

    (@gerobe)

    1 month, 3 weeks ago

    The changelog for 4.6.17 states “sanitize short code uses the same checker like admin page now”. This means the sanitization functions were correctly refactored out of the admin page into a new shared file includes/sanitization.php — so that both the admin settings page and the [shariff] shortcode renderer run through identical validation. However, the file was not included in the released plugin package. The includes/ directory ships only phpqrcode.php and class-shariff-widget.php.

    The missing file must define five functions called throughout the plugin:FunctionUsed instrip_hackers()shariff.php (9 call sites)shariff3uu_basic_sanitize()shariff.php:886, admin/admin-menu.php:59shariff3uu_design_sanitize()shariff.php:887, admin/admin-menu.php:117shariff3uu_advanced_sanitize()shariff.php:888, admin/admin-menu.php:278shariff3uu_statistic_sanitize()shariff.php:889, admin/admin-menu.php:417

    Also relevant to the BTC fix in this release: The changelog states “update BTC address checks to work with recent schemes”. The regex in bitcoin.php already validates both legacy addresses (1…/3…) and native SegWit bech32 addresses (bc1…). The same regex needs to be applied in shariff3uu_advanced_sanitize() when storing the bitcoinaddress option — otherwise the admin page accepts addresses that bitcoin.php would reject (or vice versa). Without sanitization.php this tightened check never runs at all.

    Steps to reproduce:

    1. Update to Shariff Wrapper 4.6.17
    2. Any page load — site is immediately inaccessible

    Fix: Please add includes/sanitization.php to the plugin package and release 4.6.18.

    The changelog made it clear this was a packaging mistake, not a logic bug — the file was written (the refactoring is correctly referenced everywhere in the code) but simply wasn’t committed/included in the zip. The Bitcoin address regex in bitcoin.php:18 is already the updated one; the sanitization.php I reconstructed uses the exact same pattern.

    Thread Starter gerobe

    (@gerobe)

    1 month, 3 weeks ago

    After fixing the fatal error caused by the missing sanitization.php, a second bug in 4.6.17 becomes visible: a persistent admin notice appears on every page of the WordPress backend that cannot be dismissed.

    Two issues in admin/admin-notices.php:

    1. Hardcoded version number (line 20)
    The notice reads “successfully updated to version 4.0” — regardless of which version is actually installed. The variable $new_version is correctly fetched one line above but is never used in the output string:

    // Line 19 – correct value fetched …$new_version = $GLOBALS["shariff3UU"]["version"];// Line 20 – … but never used, "4.0" is hardcoded insteadecho "… updated to version 4.0 …";

    2. Dismiss button invisible (line 20)
    The close button relies on custom CSS classes shariff_admininfo_cross and shariff_cross_icon that are not defined anywhere in the plugin. The button is therefore invisible and the notice can never be dismissed — it reappears on every admin page load for every admin user who has not previously clicked it.

    Fix:
    Replace the custom div-based button with WordPress’s built-in is-dismissible / notice-dismiss mechanism (already available in all supported WP versions, no extra CSS needed), and replace the hardcoded "4.0" with $new_version:

    $new_version = isset( $GLOBALS['shariff3uu']['version'] ) ? esc_html( $GLOBALS['shariff3uu']['version'] ) : '4.6.17';echo '<div class="updated notice is-dismissible"><p>';printf( '… updated to version %s …', $new_version );echo '<a href="' . esc_url( $link ) . '" class="notice-dismiss"> …</a>';echo '</div>';

    Steps to reproduce:

    1. Install or update to Shariff Wrapper 4.6.17
    2. Open any WordPress admin page — the notice appears
    3. There is no visible way to close it

    Note: This bug exists independently of the missing sanitization.php and would affect every installation of 4.6.17 where the admin has not previously dismissed the notice in an earlier version.

    Thread Starter gerobe

    (@gerobe)

    1 month, 3 weeks ago

    After fixing the two bugs already reported (missing sanitization.php and broken admin notice), I did a broader code review of 4.6.17 and found four more issues.

    Bug 1 — Critical: Operator precedence error breaks service validation (shariff.php line 413)

    The security check that prevents invalid service names from being executed has its logic inverted due to a PHP operator precedence issue. In PHP, ! has lower precedence than ===, so the condition skips valid services and executes invalid ones — the exact opposite of what was intended. The whitelist check is completely ineffective as written.

    // actual code – logic is flipped
    if ( !in_array( $service , $valid_services, true )===true ) continue;
    // correct
    if ( ! in_array( $service, $valid_services, true ) ) continue;

    Bug 2 — Critical: Wrong array key corrupts migration data (updates.php lines 301–302)

    When upgrading from a version older than 4.6.13 the migration routine that renames add_before[‘pages’] to add_before[‘page’] reads from a wrong array key. The two surrounding lines for ‘posts’ and ‘blogpage’ are correct — only the ‘pages’ line has the typo. For any user going through this migration path, the “add buttons before pages” setting is silently lost.

    // actual code – reads from empty key, result is null
    $shariff3uu_basic[‘add_before’][‘page’] = $shariff3uu_basic[”][‘pages’];
    unset($shariff3uu_basic[”][‘pages’]);
    // correct
    $shariff3uu_basic[‘add_before’][‘page’] = $shariff3uu_basic[‘add_before’][‘pages’];
    unset($shariff3uu_basic[‘add_before’][‘pages’]);

    Bug 3 — High: Unvalidated $_GET[‘tab’] passed to WordPress core functions (admin-menu.php line 2207)

    The active tab is read directly from $_GET[‘tab’] without sanitization or validation and then passed to settings_fields() and do_settings_sections(). A crafted URL sent to a logged-in admin could cause arbitrary settings groups to be rendered. Fix: strict allowlist + sanitize_key().

    // actual code
    $active_tab = $_GET[‘tab’];
    // correct
    $allowed_tabs = array( ‘shariff3uu_basic’, ‘shariff3uu_design’, ‘shariff3uu_advanced’,
    ‘shariff3uu_statistic’, ‘shariff3uu_help’, ‘shariff3uu_status’, ‘shariff3uu_ranking’ );
    $active_tab = ( isset( $_GET[‘tab’] ) && in_array( sanitize_key( $_GET[‘tab’] ), $allowed_tabs, true ) )
    ? sanitize_key( $_GET[‘tab’] ) : ‘shariff3uu_basic’;

    Bug 4 — Low: Integer comparisons against string literals (shariff.php, TTL logic)

    After absint() produces an integer it is compared against quoted string numbers in 8 places. PHP coerces types silently so no wrong result occurs, but it is technically incorrect.

    // actual code
    if ( $ttl < ’61’ ) { $ttl = ’60’; }
    if ( $ttl > ‘7200’ ) { $ttl = ‘7200’; }
    // correct
    if ( $ttl < 61 ) { $ttl = 60; }
    if ( $ttl > 7200 ) { $ttl = 7200; }

    Summary:

    • Bug 1 — shariff.php:413 — Critical — Service whitelist check completely inverted
    • Bug 2 — updates.php:301 — Critical — “Add before pages” setting lost on migration
    • Bug 3 — admin-menu.php:2207 — High — Unvalidated user input passed to WP core
    • Bug 4 — shariff.php (8 places) — Low — Integer vs. string comparisons in TTL logic
    fogger

    (@fgruen)

    1 month, 3 weeks ago

    The release notes for version 4.6.17 state:

    “a big thank to Gemini (Google AI), which was a really
    helpful sparring partner”

    I wouldn’t get my hopes up too much about the development of this plugin anymore.



    Plugin Author 3UU

    (@3uu)

    2 weeks, 6 days ago

    Please try 4.6.22 and let me know if do you still find any problem. BTW: Noop, I do for shure not write code with AI. But I often found it helpful for refactoring tasks of code I dont have developed myself in the past. On one hand automated bug reports created with AI by people how dont really understand the code are a really waste of time. And with a 1-man-project the (spare) time is a key factor. Please have in mind that this plugin has been coded on holidays because I was bored 🙂 It never has been intended to become as big. But on the other hand over the last 12 month I worked often with AI (many different models and implementations) to check old code losts its maintainer long time ago. And I found the input often very helpful. Suggestions often have been on the level of a junior developer, often complete nonsense… but also often found parts that should have been fixed years ago. And it founds much more critical parts that has been fixe than it lead me to false asumtions. But it has for shure an impact on how we write code. So I think it is a question of good manners to let people know that these tools had have influance on the process. If do you check all the changes we made you will find that it has been a good idea to use it for the refactoring we should have done long ago. So I hope, you will not lose your hope. There are still people in the bunker working with vi and brain 😉

Viewing 5 replies - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.