bigcommerce / bigcommerce-for-wordpress

A headless commerce integration for WordPress, powered by BigCommerce
https://www.bigcommerce.com/wordpress/
GNU General Public License v2.0

Issues Updating and Syncing WordPress Profile and Password changes to BigCommerce #462

Closed tfanelli closed 2 months ago

tfanelli commented 2 months ago

Background

Recently, an issue was encountered while running a WordPress site integrated with the BigCommerce plugin. The site experienced a PHP Fatal Error due to the unavailability of the tmpfile() function. This error affected the regular operation of the BigCommerce plugin, potentially disrupting the site's e-commerce functionalities. The issue specifically caused problems updating a user's profile information and password in WordPress and properly syncing them back to BigCommerce.

The tmpfile() function is commonly used to create temporary files, a critical requirement for specific plugins, including BigCommerce. Turning off this function can prevent these plugins from operating correctly, leading to errors and a degraded user experience.

Error

Below is the error that leads us to the actual problem in the BigCommerce plugin:

PHP Fatal error: Uncaught Error: Call to undefined function Bigcommerce\Api\tmpfile() in wp-content/plugins/bigcommerce/.../Connection.php

Findings

  1. Current PHP Configuration

    • Upon investigation, we found that the global PHP tmpfile() function is currently disabled in the PHP environment. This is due to its inclusion in the disable_functions directive within the php.ini file. This specifically happens with the default configuration of Cloudways, but it is perhaps affecting other hosting providers as well.

In Cloudways the disable_functions directive in your PHP configuration includes the following functions:

getmyuid, passthru, leak, listen, diskfreespace, tmpfile, link, dl, system, highlight_file, source, show_source, fpassthru, virtual, posix_ctermid, posix_getcwd, posix_getegid, posix_geteuid, posix_getgid, posix_getgrgid, posix_getgrnam, posix_getgroups, posix_getlogin, posix_getpgid, posix_getpgrp, posix_getpid, posix_getppid, posix_getpwuid, posix_getrlimit, posix_getsid, posix_getuid, posix_isatty, posix_kill, posix_mkfifo, posix_setegid, posix_seteuid, posix_setgid, posix_setpgid, posix_setsid, posix_setuid, posix_times, posix_ttyname, posix_uname, proc_open, proc_close, proc_nice, proc_terminate, escapeshellcmd, ini_alter, popen, pcntl_exec, socket_accept, socket_bind, socket_clear_error, socket_close, socket_connect, symlink, posix_geteuid, ini_alter, socket_listen, socket_create_listen, socket_read, socket_create_pair, stream_socket_server, shell_exec, exec, putenv

  2. Security Implications

    • Disabling functions like tmpfile() is often done to reduce potential security risks, particularly in shared hosting environments. However, disabling such functions on a dedicated server is not essential and can limit the functionality of specific PHP applications and WordPress plugins.
  3. Impact

    • The recent PHP Fatal Error in the BigCommerce plugin was directly linked to the disabled tmpfile() function. This caused the plugin to fail and posed a risk to the stability and functionality of the entire WordPress site.

Recommendations

  1. Enable the tmpfile() Function:

    • Access the php.ini file on your server.
    • Locate the disable_functions directive.
    • Remove tmpfile from the list of disabled functions.
    • Save the changes and restart your web server to apply them.

Testing

After enabling the tmpfile() function, perform a test to ensure it functions as expected within your WordPress site, particularly in the BigCommerce plugin. This can be done by running a PHP script that checks for the function's availability or monitoring the site for errors.
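
A script of the kind the Testing section describes, added here as an example (it is not from the issue author or the plugin). The helper names parse_disabled_functions, check_function and tmpfile_round_trip are hypothetical; it reports whether tmpfile is still listed in disable_functions, whether PHP exposes it, and whether a temporary file can actually be written and read back:

```php
<?php
// Added diagnostic example (not part of the BigCommerce plugin).

/** Return the names listed in a disable_functions value as a clean array. */
function parse_disabled_functions(string $directive): array
{
    $names = array_map('trim', explode(',', $directive));
    return array_values(array_unique(array_filter($names, 'strlen')));
}

/** Report whether a function is listed as disabled and whether PHP exposes it. */
function check_function(string $name, array $disabled): array
{
    return [
        'function' => $name,
        'listed_in_disable_functions' => in_array($name, $disabled, true),
        // function_exists() returns false for functions disabled via php.ini
        'exists' => function_exists($name),
    ];
}

/** Exercise tmpfile() end to end: create, write, rewind, read back. */
function tmpfile_round_trip(): bool
{
    if (!function_exists('tmpfile')) {
        return false;
    }
    $handle = tmpfile();
    if ($handle === false) {
        return false; // function is enabled but the temp directory is unusable
    }
    $payload = 'tmpfile-availability-check'; // constructed sample data
    fwrite($handle, $payload);
    rewind($handle);
    $ok = (fread($handle, strlen($payload)) === $payload);
    fclose($handle); // closing the handle removes the temporary file
    return $ok;
}

$disabled = parse_disabled_functions((string) ini_get('disable_functions'));
$report = check_function('tmpfile', $disabled) + [
    'round_trip_ok' => tmpfile_round_trip(),
    'loaded_php_ini' => php_ini_loaded_file(), // the file to edit for this SAPI
    'temp_dir' => sys_get_temp_dir(),
    'temp_dir_writable' => is_writable(sys_get_temp_dir()),
    'sapi' => PHP_SAPI,
];
header('Content-Type: text/plain');
print_r($report);
```

Load it through the web server rather than the CLI, since the two often read different php.ini files, and delete it afterwards because the report exposes configuration paths.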

tfanelli commented 2 months ago

I will be making a PR to update the requirements in the ReadMe file, per my discussion with the BigCommerce team.