[wp-hackers] Two new, long-overdue plugins to make your wordpress life a little easier...

Otto otto at ottodestruct.com
Fri Oct 28 21:57:55 UTC 2011


On Fri, Oct 28, 2011 at 4:23 PM, Marcus Pope <Marcus.Pope at springbox.com> wrote:
> Otto, it's not that simple - changing WP_SITEURL and WP_HOME doesn't fix the problem, WordPress admin will still pull content from other sources.  Additionally, a problem you have ignored from email 1, and WP_SITEURL and WP_HOME are not even evaluated in Multisite setups. They are ignored.  This does not work.  The effort I put into my plugin shows what is required to make it work for 99% of the problem domain and it only works in single-site installs.

Multisite is indeed special, I grant you that. However, it's quite
easy to make yourself a custom sunrise.php file and use that to fiddle
with the multisite variables all you like.


> 1.  You still don't get the export content issue.  If you host your content (different from exporting it away from your host) you can use root-relative URLs 100% of the time, no exceptions, every browser, every mobile device will work, it's part of the HTTP protocol standard.  When you export your content, like an RSS feed, or email, or XML export, you can then process the content, and only then, which will save you all this hassle of DNS tricks, search / replace scripts, WP filter and constant hacks.

Okay, I see what you're saying. But here's the thing: If you have
content with absolute URLs in it, then you never need to process the
content for "exporting" at all. It just works. Absolute URLs work
everywhere. That's sorta the point.


> 2. You solve the export problem with one function.  You don't have to change the database, you feed what is in the database through that really simple filter and you're done for that half of your content.  As it stands WordPress filters all of your URL content in every instance of its usage.  You don't need to keep those absolute URLs in your database I promise millions of websites do it without any issues.

I don't "need" to keep the absolute URL in the database. I *WANT* to
keep it there. Absolute URLs are better than relative URLs. They are
direct links to what they are supposed to link to. They are
unambiguous and not open to interpretation based on the context in
which they are being displayed. That's why they're better.

WordPress doesn't filter my absolute URLs at all. It has no need to do
so, because they are absolute and unchanging. They pass right through
and come out on the webpage, in my feed, pushed to my
social-networks... everywhere they go, they point to the same place
and they-just-work.


> 3. Administering sites from multiple URLs is only part of the equation, and just because it doesn't make sense to you doesn't mean that it is stupid or shouldn't happen due to very legitimate reasons in reality. ...

As Mika pointed out, yours is a fringe use case. And there's nothing
wrong with that, fringe cases are commonplace, but they are all
different and not-the-norm. Having a plugin to help your use case work
better is great. But it should probably remain a plugin.


> 4. If you think convincing the military, PCI-compliant organizations and the rest is just as simple as standing up and shouting you're stupid, ...

While my security clearance hasn't been renewed in a while, I did have
one and I have worked on DoD funded projects. So I do know wherefrom I
speak here. And yes, telling a top-brass General that the people he's
been listening to up-until-now are idiots was indeed a rather fun
experience.


> the extreme necessary value and purpose of why their NATs are set up that way. It is NOT STUPID, it's IMPORTANT.  These are not mistakes, they are solutions to a world of security problems and will not go away because you don't like it.

No, they will go away because a) they rarely solve anything, b)
usually they're implemented badly (often, yes, by idiots), and c) they
cause incompatibility problems up the wazoo.

Look, I get it. I've been there in that world. I've been through that
living corporate hell and back again. In the long run, you're not
thinking politically enough. I know, we just want to be developers,
but the bottom line is that when an organization makes it harder for
you to do your job, and justifies it with nonsense excuses (there is
NO valid security related reason to set up a NAT in the way you
described. Internal DNS resolution is a totally solved freakin'
problem), then you might consider re-evaluating your relationship with
them. Sometimes you have to drop customers, or get customers to see
the light of day. It can suck, but it can also be rewarding.


> Other "sucky" frameworks do not violate these principles...

That depends on your definition of "principles". I would argue that
their adherence to a rigid set of fundamentally incorrect and ill
conceived notions is what makes them suck.

There's good ideas, and there's bad ideas. I reserve judgment on any
idea *to myself*. I judge. I do not assume that 1000 other people
doing it one way means that they are doing it the right way.


> 5. What security issue exists if I access wp-admin from 127.0.0.1 (or its production equivalent)?  (the answer is there isn't one.)

If you access a site from an incorrect URL, then there is the
possibility of having your admin cookies snatched unless you're in a
tightly controlled environment. Come and log into your wp-admin from
my network, even with SSL, and watch me log in as you immediately
afterwards. Unless you have your domain tightly controlled and secured
with an SSL certificate, which you can verify, you can never be sure
about a potential man-in-the-middle attack.


> You try to say it won't work because we'd have to process the crap out of the data, but then you say the proper way to do it is to process the crap out of the data when you move environments.

Yes, that is exactly correct. Because you shouldn't be moving between
environments that bloody often.


> You try to say with RSS feeds (a clearly defined entry and exit point in the WordPress core) that it would break, yet we currently process the crap out of those absolute URLs in RSS feeds as it is to prevent it from breaking with absolute URLs.

What? Where? Why? Absolutely NO processing of my URLs happens in any
of my feeds. That violates the whole concept.


> The ultimate case is there isn't a scenario in which relative root URLs are deficient to absolute URLs

Relative URLs are deficient to Absolute URLs because Absolute URLs
actually work, and relative ones do not work at all outside of the
webpage context. How can you possibly be still getting this so
fundamentally wrong?

-Otto
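
The disagreement in this message turns on how a root-relative reference is resolved: against the host of whatever document displays it. The following is an added example, not part of the original email and not WordPress code; the function names and hosts are constructed. It resolves one stored link on the site, inside a third-party feed reader, and with no base at all, and then applies an export-time filter of the kind described in the quoted point 2.

```javascript
// Added example: function names and sample hosts are constructed.

// Resolve a reference the way a consumer of the content would: against the
// URL of the document displaying it. Returns null when no base exists
// (for instance HTML pasted into an e-mail body).
function resolveIn(contextUrl, ref) {
  try {
    return contextUrl ? new URL(ref, contextUrl).href : new URL(ref).href;
  } catch (e) {
    return null; // a relative reference without a base cannot be resolved
  }
}

// Export-time filter: rewrite root-relative href/src attribute values in
// stored content to absolute URLs for the given site origin.
// Protocol-relative ("//host/...") and absolute values are left untouched.
function absolutizeForExport(html, siteOrigin) {
  return html.replace(
    /\b(href|src)=(["'])(\/(?!\/)[^"']*)\2/gi,
    (m, attr, q, path) => `${attr}=${q}${new URL(path, siteOrigin).href}${q}`
  );
}

// Constructed sample of stored post content.
const stored =
  '<a href="/2011/10/post/">post</a> ' +
  '<img src="/wp-content/uploads/a.png"> ' +
  '<a href="//cdn.example.net/x.js">cdn</a>';

// The same stored reference in three display contexts:
const onSite   = resolveIn('https://blog.example.com/archive/', '/2011/10/post/');
const inReader = resolveIn('https://reader.example.org/view?id=7', '/2011/10/post/');
const inEmail  = resolveIn(null, '/2011/10/post/');

console.log('on site:  ', onSite);    // resolves to the blog's own host
console.log('in reader:', inReader);  // resolves to the reader's host instead
console.log('in e-mail:', inEmail);   // no base, so nothing to resolve against
console.log(absolutizeForExport(stored, 'https://blog.example.com'));
```
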

