Wordpress Themes - WP Forum at BFA
There will be no more development for Atahualpa (or any other theme), and no support. Also no new registrations. I turned off the donation system. I may turn the forum to read only if it gets abused for spam. Unfortunately I have no time for the forum or the themes. Thanks a lot to the people who helped in all these years, especially Larry and of course: Paul. Take care and stay healthy -- Flynn, Atahualpa developer, Sep 2021


Discussion about the use of Stream Wrappers vs. eval() (Suhosin issue)


  #1  
Old Apr 19, 2011, 05:42 AM
juggledad's Avatar
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
Discussion about the use of Stream Wrappers vs. eval() (Suhosin issue)

[moderator note: the following posts were removed from 'if you are getting blank page with Atahualpa 3.6.x (Suhosin issue)' since they are a discussion about the merits of the way the theme is written, and have no bearing on solving the Suhosin issue for the existing version - i.e. it's all off topic]

When I refer to the 'server' I mean all the software: the server itself (Apache, Windows etc.), PHP, MySQL. Just those three, with all their options, give an unimaginable number of permutations that are not under any theme's control...
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support

Last edited by juggledad; May 11, 2011 at 04:47 AM.
  #2  
Old Apr 20, 2011, 08:11 AM
metapete
 
7 posts · Feb 2011
Gosport Hampshire UK
Sorry but I have to raise a slight issue with the following reasoning:

The problem is not with the Atahualpa theme.
The problem is with the server variables.

Yes, there are many 'server variables not under any theme's control', but generally (and in most cases) they are compatible with each other and with the stuff that relies on them, such as a theme.

If this wasn't the case the web would come to a grinding halt.

If a theme is so dependent on the server environment, then this must raise serious questions about the stability of any WordPress based site.

I think the problem is with Atahualpa, which is a shame.
  #3  
Old Apr 20, 2011, 09:53 AM
Flynn's Avatar
Flynn
 
3,768 posts · Oct 2008
Munich, Germany
Other themes don't allow you to include custom PHP code through the theme options. They don't have the issues because they don't have the feature.

Custom PHP code worked fine in Atahualpa as long as "Eval" was allowed in themes, which it isn't anymore.

I had to look for a replacement for Eval to keep the feature and found it in stream wrappers. Admittedly I didn't know that Suhosin would pretty much make it impossible to use stream wrappers if the user doesn't have access to the PHP config. After all, stream wrappers are a core PHP feature, Suhosin is not.

That being said, this will be fixed, by removing this feature (to add executable PHP code through the theme options) altogether.
  #4  
Old Apr 21, 2011, 02:21 AM
metapete
 
7 posts · Feb 2011
Gosport Hampshire UK
Thanks for this explanation - it is now much clearer to me.
Atahualpa is a great theme - long may it continue.
  #5  
Old Apr 26, 2011, 04:21 PM
SharonJ's Avatar
SharonJ
 
644 posts · Sep 2010
Duncan BC Canada
...and finally, I am dying of curiosity... whoever came up with the idiotic name of Suhosin?
Sounds like an Asian sauce you would put on prawns or something.

And if I have insulted anyone, I am very sorry!
  #6  
Old Apr 26, 2011, 04:49 PM
SharonJ's Avatar
SharonJ
 
644 posts · Sep 2010
Duncan BC Canada
Oh God. Me and my big mouth. Sorry if I offended you. Who knew that a blank page would be called after a guardian angel? I stand corrected.
  #7  
Old Apr 26, 2011, 04:52 PM
lmilesw's Avatar
lmilesw
 
10,176 posts · Jul 2009
Central New York State USA
The blank page is a result of the Suhosin patch being installed on SOME hosts and in SOME environments.

You DID NOT offend anyone. We are just having fun.
__________________
~Larry (CNY Web Designs)
This site should be a membership site since it so full of good stuff.
Please consider donating which gives you access to even more good stuff.

Last edited by lmilesw; Apr 26, 2011 at 06:19 PM.
  #8  
Old May 10, 2011, 08:31 AM
PowerKiKi
 
6 posts · May 2011
Quote:
Originally Posted by metapete
I think the problem is with Atahualpa, which is a shame.
I agree with metapete on this one. Obviously Wordpress chose to ban eval() because of security issues. Then Atahualpa did not comply and instead looked for a workaround. Hence still compromising security and still going against Wordpress' will to harden the whole system.

The workaround, using stream wrapper, raises new issues when used in "high level of security" environment. That shouldn't surprise anyone as basically nothing changed, the theme still does potentially dangerous actions (but a slightly different way).

The only proper solution to this is to fully accept Wordpress' will and remove the feature as we know it. (or just go against their will to please users and to not change something which was not broken in the first place)

Btw, I would be interested to read where WordPress explained their choice to remove support for eval() and the technical solution to do this. Anyone got a link?
  #9  
Old May 10, 2011, 08:57 AM
juggledad's Avatar
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
PowerKiKi - see post #96

you have to ask yourself, why don't they ban plugins that use eval()?? (widget logic, exec-php...)
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support
  #10  
Old May 10, 2011, 09:55 AM
PowerKiKi
 
6 posts · May 2011
I agree there is a debate on "should we ban dangerous functions? Why and how?". But this is not the point. According to Flynn, that discussion already happened within WordPress's team and they decided for us.

The issue is that Atahualpa pretends to agree with them, yet it doesn't. The whole operation is about hardened security. If BytesForAll agrees with WordPress' point of view, Atahualpa should drop the feature. Otherwise just don't do anything. But trying to "hide" security issues under several layers of code and "complex" mechanics is not a wise thing to do IMHO. It's digging a hole to fill another one.

But again, I would really like to read what WordPress said about that. Do you, or anyone else, have a link to a reference? Googling this didn't get me anything...
  #11  
Old May 10, 2011, 09:00 AM
Harald
 
72 posts · Mar 2010
I don't think it is an Atahualpa problem. When I run my site on my own server (Vertrigo) everything works fine. When I move the same site to my host provider, I get a blank page. I did the fix regarding Suhosin mentioned earlier in this thread and the problem went away.
  #12  
Old May 10, 2011, 09:44 AM
Flynn's Avatar
Flynn
 
3,768 posts · Oct 2008
Munich, Germany
Quote:
Originally Posted by PowerKiKi
I agree with metapete on this one. Obviously Wordpress chose to ban eval() because of security issues. Then Atahualpa did not comply and instead looked for a workaround. Hence still compromising security and still going against Wordpress' will to harden the whole system.

The workaround, using stream wrapper, raises new issues when used in "high level of security" environment. That shouldn't surprise anyone as basically nothing changed, the theme still does potentially dangerous actions (but a slightly different way).

The only proper solution to this is to fully accept Wordpress' will and remove the feature as we know it. (or just go against their will to please users and to not change something which was not broken in the first place)

Btw, I would be interested to read where WordPress explained their choice to remove support for eval() and the technical solution to do this. Anyone got a link?

Not sure where you got the idea from that Atahualpa would "not comply" or do "potentially dangerous actions".

Atahualpa is the most downloaded theme on wordpress.org, and most likely the one with the most active installations right now. The code was looked through by numerous people in the past years, from Automattic and from wordpress.org. It went through dozens of reviews, including some very in-depth ones.

If all this doesn't ring a bell, don't you think that WordPress would take Atahualpa off the list on wordpress.org if it was doing "potentially dangerous actions"?

This eval/stream wrapper issue has nothing to do with Atahualpa specifically; these formerly permitted (standard) PHP features have now been globally removed by WordPress, for all themes, along with other PHP functions, leading to a situation where themes are more limited in what they can do inside WordPress.

The WordPress team probably did not discover these PHP functions just now; it's that they made the decision that from now on themes can live with a more restricted feature set and be forced to align more closely to a particular philosophy of how a theme must be structured, what features it can have, etc...

Theoretically this should result in better overall compatibility between WP/Themes/Plugins, and in better upgrade compatibility. It should also make it easier for the new voluntary review team to check themes.

Disallowing eval is easier than looking through all themes whether eval is used in a malicious way or not. However all this does of course put a burden on more advanced themes like Atahualpa to either find new ways to implement their features or to drop the feature altogether.
  #13  
Old May 10, 2011, 10:08 AM
PowerKiKi
 
6 posts · May 2011
Flynn,

by "potentially dangerous actions", I meant eval() code which was not written by the theme's authors.

Why did WordPress decide to ban eval()?
I bet it is because eval() can be used to execute arbitrary code which was not written by the theme's authors (or encrypted code via base64_decode()).

Am I wrong? Is there another thing I am not aware of about eval() usage?

One of Atahualpa's strengths is specifically to execute code written by the end-user. By definition it's going against the new WordPress rules (as long as I am not mistaken on the reason for this ban).

Btw, how does WordPress ban this function? Do they review the code and ban themes which include "eval"?
  #14  
Old May 10, 2011, 10:52 AM
juggledad's Avatar
juggledad
 
23,765 posts · Mar 2009
OSX 10.11.5 WP 4.x Atahualpa(all) Safari, Firefox, Chrome
Quote:
Btw, how does WordPress ban this function? Do they review the code and ban themes which include "eval"?
Yes that is exactly what they do, if a theme uses eval() it is automatically rejected.
__________________
"Tell me and I forget, teach me and I may remember, involve me and I learn." - Benjamin Franklin
Juggledad | Forum Moderator/Support
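The automated rejection described in the two posts above (a theme that uses eval() fails review) amounts to scanning theme files for dynamic-execution constructs. The following is an added example of such a scan, not the Theme Check plugin's code or Atahualpa's: it tokenizes PHP with token_get_all() so that an "eval(" inside a comment or string literal is not counted as a hit, and reports eval plus a short list of other functions a reviewer would flag (that list, and the sample input, are this example's own assumptions).

```php
<?php
// Added example (not the Theme Check plugin's own code): a token-based scan
// for eval() and similar dynamic-execution constructs in theme files.
// token_get_all() is used instead of a plain grep so that occurrences inside
// comments and string literals are not counted as hits.

function scan_php_source(string $source, string $filename = 'inline'): array
{
    // Function names a reviewer would flag; the list is this example's own choice.
    $flagged_functions = ['create_function', 'assert', 'base64_decode', 'stream_wrapper_register'];
    $findings = [];
    $tokens = token_get_all($source);
    $count = count($tokens);

    for ($i = 0; $i < $count; $i++) {
        $token = $tokens[$i];
        if (!is_array($token)) {
            continue; // single-character tokens such as '(' or ';'
        }
        [$id, $text, $line] = $token;

        // eval is a language construct and has its own token, T_EVAL.
        if ($id === T_EVAL) {
            $findings[] = ['file' => $filename, 'line' => $line, 'what' => 'eval()'];
            continue;
        }

        // A function call is a T_STRING followed by '('; skip whitespace in between.
        if ($id === T_STRING && in_array(strtolower($text), $flagged_functions, true)) {
            $j = $i + 1;
            while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            if ($j < $count && $tokens[$j] === '(') {
                // Exclude method and static calls ($obj->assert(...), Foo::assert(...)).
                $prev = $tokens[$i - 1] ?? null;
                $is_member = is_array($prev)
                    && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON], true);
                if (!$is_member) {
                    $findings[] = ['file' => $filename, 'line' => $line, 'what' => strtolower($text) . '()'];
                }
            }
        }
    }
    return $findings;
}

// Constructed sample standing in for a theme file: one real eval(), one
// "eval(" in a comment and one in a string (neither must be reported), and a
// base64_decode() call.
$sample = <<<'PHP'
<?php
// eval( in a comment should not be reported
$code = get_option('custom_php');
echo 'no eval( here either';
eval($code);
$blob = base64_decode($payload);
PHP;

foreach (scan_php_source($sample, 'functions.php') as $f) {
    printf("%s:%d %s\n", $f['file'], $f['line'], $f['what']);
}
```

Run against the constructed sample, the scan reports the eval() on line 5 and the base64_decode() on line 6 and stays silent for lines 2 and 4; running it over a whole theme directory is a matter of looping the file list through scan_php_source() with file_get_contents().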
  #15  
Old May 10, 2011, 09:19 PM
Knut Sparhell
 
34 posts · Jun 2010
Fredrikstad, Norway
Quote:
Originally Posted by PowerKiKi
Btw, how does WordPress ban this function? Do they review the code and ban themes which include "eval"?
Yes, exactly. Theme Guidelines. There is a Theme Check Plugin that incorporates most of the automated checks.

See also Theme Reviewers Mailing List in the thread "Alternatives to eval()".

Even a version of the P2 theme from Automattic, used for internal blogs on wordpress.org, got rejected because of an eval.

The Atahualpa developers then found a way to circumvent this restriction. This was clever, but then the Suhosin issue arrived. Looks like a nightmare to me.

Point is: It's not considered safe to allow input from theme option fields to be executed as raw PHP code.

My advice would be to extend the Atahualpa substitution variables with new ones for the name of the blog, the different URL paths and so on, until most needs are satisfied.

The next version, if released without the ability to enter PHP code in options, could detect all PHP code and nag the user to remove this, while suggesting some substitution variables.
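The post above recommends two things: a fixed set of substitution variables in place of user-entered PHP, and a check that warns the site owner about option values that still contain PHP. Below is an added example of both, written for this discussion and not taken from Atahualpa; the %name% placeholder syntax, the variable names, and the constant stand-ins for WordPress functions such as get_bloginfo() and home_url() are assumptions of the example.

```php
<?php
// Added example (not Atahualpa's own code): replacing "PHP in theme options"
// with a fixed set of substitution variables. The option value is treated as
// plain text containing placeholders; it is never passed to eval() or include().

// Map of allowed placeholders to callbacks. Only these names can ever be
// expanded, so option content cannot reach anything else in the process.
// The values are constructed stand-ins for the WordPress functions named.
function substitution_variables(): array
{
    return [
        'blog_name' => fn() => 'Example Blog',                              // get_bloginfo('name')
        'home_url'  => fn() => 'https://example.invalid/',                  // home_url()
        'theme_dir' => fn() => 'https://example.invalid/wp-content/themes/t', // get_template_directory_uri()
        'year'      => fn() => date('Y'),
    ];
}

// Expand %name% placeholders. Unknown names are left untouched so a typo is
// visible in the page rather than silently dropped; expanded values are
// HTML-escaped so a value cannot inject markup.
function expand_substitution_variables(string $option_value): string
{
    $vars = substitution_variables();
    return preg_replace_callback(
        '/%([a-z_]+)%/',
        function (array $m) use ($vars): string {
            if (!isset($vars[$m[1]])) {
                return $m[0];
            }
            return htmlspecialchars((string) $vars[$m[1]](), ENT_QUOTES, 'UTF-8');
        },
        $option_value
    );
}

// The "nag" check: report option content that still looks like raw PHP so
// the site owner can migrate it to substitution variables.
function find_php_in_option(string $option_value): array
{
    $patterns = [
        'php_open_tag' => '/<\?(php|=)?/i',
        'eval_call'    => '/\beval\s*\(/i',
    ];
    $hits = [];
    foreach ($patterns as $label => $re) {
        if (preg_match($re, $option_value)) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Constructed option values: one already migrated, one still carrying PHP.
$migrated = '<div class="footer">&copy; %year% %blog_name% &middot; <a href="%home_url%">Home</a></div>';
$legacy   = '<div class="footer"><?php echo get_bloginfo("name"); ?></div>';

echo expand_substitution_variables($migrated), "\n";
foreach ([$migrated, $legacy] as $value) {
    $hits = find_php_in_option($value);
    echo $hits ? 'Needs migration: ' . implode(', ', $hits) : 'OK', "\n";
}
```

The design point is that the allow-list in substitution_variables() is the whole attack surface: an option value can only select from those names, and each value is escaped on output. In a real theme the callbacks would wrap the WordPress functions noted in the comments, and find_php_in_option() would run once after upgrade over every option so the admin screen can list the values that need migrating.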
