Form injection and gzipping

Form injection and gzipping

Eric A. Meyer
Howdy,

    So back in November, Jeremy Dunck finally tracked down[1] the
cause of the last major bug in WP-Gatekeeper[2], where it wouldn't
auto-add itself to comment forms on many people's sites.  The
problem, it seems, is that the attempt to auto-add the challenge
happens after the page is gzipped when that option is turned on, so
the regexps fail.  (Obviously!)  So if gzipping is enabled, as it is
for most people, the auto-injection won't work.  Manual injection,
where the user adds a PHP command to add the challenge to their form
template, works whether gzipping is enabled or not.
    So what I'm wondering is if this is fixed in WP2, or if there's a way
I could alter the order of regexing and zipping for WP1.5 and up.

[1]
http://dunck.us/anabasis/archives/2005/11/05/details-on-wp-gatekeeper-15-rc4s-auto-injection-bug/
[2] http://meyerweb.com/eric/tools/wordpress/wp-gatekeeper.html

--
Eric A. Meyer  ([hidden email])
Principal, Complex Spiral Consulting   http://complexspiral.com/
"CSS: The Definitive Guide," "CSS2.0 Programmer's Reference,"
"Eric Meyer on CSS," and more    http://meyerweb.com/eric/books/
_______________________________________________
wp-hackers mailing list
[hidden email]
http://lists.automattic.com/mailman/listinfo/wp-hackers

Re: Form injection and gzipping

David House
On 22/02/06, Eric A. Meyer <[hidden email]> wrote:
>     So what I'm wondering is if this is fixed in WP2, or if there's a way
> I could alter the order of regexing and zipping for WP1.5 and up.

Why on earth are you using regexes to insert something into WP pages?
Can't you use a filter like comment_form?

--
-David House, [hidden email], http://xmouse.ithium.net

Re: Form injection and gzipping

Eric A. Meyer
At 6:31 PM +0000 2/22/06, David House wrote:
>On 22/02/06, Eric A. Meyer <[hidden email]> wrote:
>>      So what I'm wondering is if this is fixed in WP2, or if there's a way
>>  I could alter the order of regexing and zipping for WP1.5 and up.
>
>Why on earth are you using regexes to insert something into WP pages?
>Can't you use a filter like comment_form?

    I'm going to assume that you read the Gatekeeper page and
understand why I'm trying to insert something into the form, and that
I'm trying to do so in a specific place.
    I use regexes because I couldn't find another way to do what I
wanted to do; none of the hooks I studied (and there were a lot) did
the right thing.  If there is a better way, I'm certainly open to
using it.  I'll likely need some hand-holding to get started on that
better path, though.

--
Eric A. Meyer  ([hidden email])
Principal, Complex Spiral Consulting   http://complexspiral.com/
"CSS: The Definitive Guide," "CSS2.0 Programmer's Reference,"
"Eric Meyer on CSS," and more    http://meyerweb.com/eric/books/

Re: Form injection and gzipping

Andy Skelton
In reply to this post by Eric A. Meyer
On 2/22/06, Eric A. Meyer <[hidden email]> wrote:
>     So back in November, Jeremy Dunck finally tracked down[1] the
> cause of the last major bug in WP-Gatekeeper[2], where it wouldn't
> auto-add itself to comment forms on many people's sites.  The
> problem, it seems, is that the attempt to auto-add the challenge
> happens after the page is gzipped when that option is turned on, so
> the regexps fail.  (Obviously!)  So if gzipping is enabled, as it is
> for most people, the auto-injection won't work.  Manual injection,

To fix this, you have to understand that output buffers are FILO,
meaning that if you start your buffer first, it will be the last one
to be processed. Your buffer is started in the plugin. Examine
wp-blog-header.php and you'll see that gzip_compression()'s buffer is
started after all of wp-config has run--long after your plugin has
started its buffer.

There's only one hook after gzip_compression, and it's template_redirect.
Try this:

add_action('template_redirect', 'ob_start', 'gatekeeper_comment_form_filter');

Andy

Re: Form injection and gzipping

Jeff Minard
Andy Skelton wrote:
> There's only one hook after gzip_compression, and it's template_redirect.
> Try this:
>
> add_action('template_redirect', 'ob_start', 'gatekeeper_comment_form_filter');

wp_header and wp_footer are good places to use as well, no?

Jeff

Re: Form injection and gzipping

Mark Jaquith
On Feb 24, 2006, at 11:54 AM, Jeff Minard wrote:

> wp_header and wp_footer are good places to use as well, no?

Not necessarily... http://wphooks.flatearth.org/type/theme-dependant/

you never know which ones a theme is going to support.
--
Mark Jaquith
http://txfx.net/



Re: Form injection and gzipping

David Chait
jeez.  this came up back around 1.5, as wp_footer was the 'best' place to
hook for certain things.  wouldn't it be nice to require themes to call a
base set of actions/filters? ;)

-d

----- Original Message -----
From: "Mark Jaquith" <[hidden email]>
To: <[hidden email]>
Sent: Saturday, February 25, 2006 12:19 AM
Subject: Re: [wp-hackers] Form injection and gzipping


| On Feb 24, 2006, at 11:54 AM, Jeff Minard wrote:
|
| > wp_header and wp_footer are good places to use as well, no?
|
| Not necessarily... http://wphooks.flatearth.org/type/theme-dependant/
|
| you never know which ones a theme is going to support.
| --
| Mark Jaquith
| http://txfx.net/

Re: Form injection and gzipping

Mark Jaquith
On Feb 25, 2006, at 12:48 AM, David Chait wrote:

> jeez.  this came up back around 1.5, as wp_footer was the 'best'  
> place to
> hook for certain things.  wouldn't it be nice to require themes to  
> call a
> base set of actions/filters? ;)

Requirements and enforcement of requirements are two very different  
things. :-)

--
Mark Jaquith
http://txfx.net/



Re: Form injection and gzipping

Craig-16
Mark Jaquith said:
Requirements and enforcement of requirements are two very different
things. :-)

What about API keys a la Akismet?

Craig.

Re: Form injection and gzipping

Andy Skelton
On 2/27/06, Craig <[hidden email]> wrote:
> What about API keys a la Akismet?

Moose, are you joking? Require themes to apply for an API key before
they'll work in general WordPress installations? What about tweaking?

Consider it a requirement that all publicly distributed themes use the
wp_head and wp_footer tags or actions in the appropriate places. The
consequences are plugin breakage and meteorites falling on the heads
of offending designers.

I still haven't been granted the smite_designer capability so I can't
be in charge of enforcement. :-)

Andy

Re: Form injection and gzipping

Craig-16
On 2/27/06, Andy Skelton <[hidden email]> wrote:
>
>
> Moose, are you joking?


Just thinking (sort of) out loud, Andy! :^)

Maybe somebody will code a utility that will check themes and plugins for
"accepted WP norms" and advise users on how compliant the theme / plugin is
in relation to those best practices.

Craig.

Re: Form injection and gzipping

Eric A. Meyer
In reply to this post by Andy Skelton
At 7:00 AM -0600 2/24/06, Andy Skelton wrote:

>To fix this, you have to understand that output buffers are FILO,
>meaning that if you start your buffer first, it will be the last one
>to be processed. Your buffer is started in the plugin. Examine
>wp-blog-header.php and you'll see that gzip_compression()'s buffer is
>started after all of wp-config has run--long after your plugin has
>started its buffer.

    That seems kind of silly.  Why would gzipping happen before all
the other output buffers?  Why wouldn't it be the last thing done
before the page is sent off?

>There's only one hook after gzip_compression, and it's template_redirect.
>Try this:
>
>add_action('template_redirect', 'ob_start', 'gatekeeper_comment_form_filter');

    Nope, didn't work with gzip enabled.  It worked just fine with
gzip turned off, which is the usual experience.  Was I supposed to
comment out the "ob_start('gatekeeper_comment_form_filter');" line,
or no?  And should the first action I add, the one for _form_scan, be
similarly hooked to template_redirect, or no?  I didn't see any
difference in behavior either way, but maybe I missed the magic
combination that would make it all work.

--
Eric A. Meyer  ([hidden email])
Principal, Complex Spiral Consulting   http://complexspiral.com/
"CSS: The Definitive Guide," "CSS2.0 Programmer's Reference,"
"Eric Meyer on CSS," and more    http://meyerweb.com/eric/books/

Re: Form injection and gzipping

Andy Skelton
In reply to this post by Andy Skelton
On 2/27/06, Eric A. Meyer <[hidden email]> wrote:
> >add_action('template_redirect', 'ob_start', 'gatekeeper_comment_form_filter');

I'm sorry, I had the right idea here but the wrong add_action syntax.
Must have been out of my mind :-)

Remove all ob_start calls and do this:

add_action('template_redirect', 'register_gatekeeper_buffer');
function register_gatekeeper_buffer() {
 ob_start('gatekeeper_comment_form_filter');
}

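The buffer ordering Andy Skelton describes in this thread, as an added example that is not part of any post and is not WP-Gatekeeper or WordPress code: `inject_challenge()` and `fake_gzip()` are hypothetical stand-ins for `gatekeeper_comment_form_filter` and the buffer started by `gzip_compression()`, and the form markup is constructed. It assumes PHP with the zlib extension, run from the command line.

```php
<?php
// Added illustration; not code from WP-Gatekeeper or WordPress.
// inject_challenge() and fake_gzip() are hypothetical stand-ins for
// gatekeeper_comment_form_filter and the buffer gzip_compression() starts.

function inject_challenge($html) {
    // Regex-based injection: only matches uncompressed markup.
    return preg_replace('/(<form\b[^>]*>)/i', '$1<!-- challenge -->', $html, 1);
}

function fake_gzip($html) {
    return gzencode($html);
}

function render(array $callbacks_in_start_order) {
    $base = ob_get_level();
    ob_start(); // outermost capture buffer so the final bytes can be inspected
    foreach ($callbacks_in_start_order as $cb) {
        ob_start($cb);
    }
    // Constructed sample markup.
    echo '<form action="/wp-comments-post.php"><textarea></textarea></form>';
    // Buffers flush innermost (last started) first; each callback's return
    // value is written into the buffer that was started before it.
    while (ob_get_level() > $base + 1) {
        ob_end_flush();
    }
    return ob_get_clean();
}

function describe($bytes) {
    $is_gzip = strncmp($bytes, "\x1f\x8b", 2) === 0; // gzip magic number
    $html = $is_gzip ? gzdecode($bytes) : $bytes;
    $found = strpos($html, '<!-- challenge -->') !== false;
    return ($is_gzip ? 'gzipped' : 'plain')
        . ($found ? ', challenge present' : ', challenge MISSING');
}

// Plugin-load order: the filter buffer is started first, the gzip buffer
// second. The filter therefore runs last and is handed compressed bytes.
echo 'filter started before gzip: ',
    describe(render(['inject_challenge', 'fake_gzip'])), "\n";

// template_redirect order: the gzip buffer is already open and the filter
// buffer is started after it, so the filter runs first, on plain HTML.
echo 'filter started after gzip:  ',
    describe(render(['fake_gzip', 'inject_challenge'])), "\n";
```
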
Re: Form injection and gzipping

Eric A. Meyer
At 9:21 PM -0600 2/27/06, Andy Skelton wrote:

>add_action('template_redirect', 'register_gatekeeper_buffer');
>function register_gatekeeper_buffer() {
>  ob_start('gatekeeper_comment_form_filter');
>}

    SUCCESS!  Thank you, sir.  Thank you most kindly.  I've already
released Gatekeeper 1.5 RC5 and will blog it later today.
    I still think it's strange to do the gzipping before all but one
other action.  Anyone have a good explanation why that's a good idea,
as opposed to a bad one?

--
Eric A. Meyer  ([hidden email])
Principal, Complex Spiral Consulting   http://complexspiral.com/
"CSS: The Definitive Guide," "CSS2.0 Programmer's Reference,"
"Eric Meyer on CSS," and more    http://meyerweb.com/eric/books/