[OJS 3.2.0.0] Unable to upgrade plugins through the interface: 500 / open_basedir restriction, manually upgrade plugins?

I have a couple of issues upgrading a plugin

  1. When I go to Administration -> Settings Wizard -> Plugins -> Plugin Gallery I see there is e.g. an update available for [ORCiD Profile] - Can be upgraded
    If I click on that plugin a dialog pops up with the button [Upgrade]
    Then another popup appears with [Are you sure you wish to upgrade this plugin?]
    If I click okay nothing happens and in the browser’s console window I see this error appear
    Failed to load resource: the server responded with a status of 500 ()
    It tried to go to https://mywebsitehere.org/ojs/$$$call$$$/grid/plugins/plugin-gallery-grid/upgrade-plugin?rowId=23 and that URL returns {"status":false,"content":"","elementId":"0","events":null}

  2. When I try the other route:
    Administration -> Settings Wizard -> Plugins -> Installed Plugins -> ORCID Profile Plugin -> [Upgrade]
    I see the [Upgrade Plugin] dialog
    I select the latest plugin file orcidProfile-v1_1_2-4.tar.gz and click [Save]
    Then I get this error:
    Notification: The tar command is not available. Please correctly configure it in your config.inc.php".
    It is actually properly configured in the config.inc.php,
    ; tar (used in backup plugin, translation packaging)
    tar = /usr/bin/tar
    however if I check in the server log it seems that it has no access to it.

AH01071: Got error 'PHP message: PHP Warning: file_exists(): open_basedir restriction in effect. File(/usr/bin/tar) is not within the allowed path(s): (/var/www/vhosts/mywebsitehere.org/:/tmp/) in [/var/www/vhosts/mywebsitehere.org/httpdocs/lib/pkp/classes/plugins/PluginHelper.inc.php] on line 64', referer: https://mywebsitehere.org/index/admin/wizard/1

It seems to me a little bit of a security issue to add the whole /usr/sbin directory to the open_basedir setting. Not comfortable with that.

Questions:

  • What could cause issue 1 (is it again related to open_basedir?)
  • Is there a manual solution for upgrading plugins? E.g. by deactivating the plugin, uploading the new sources by FTP, and activating it again? How would that process work? Or does the interface add some additional steps?
  • Is there another way of upgrading plugins without having to give low-level access to the server’s local binaries directory? E.g. by offering it in a zip which would just be unzipped in a temp directory, all in PHP-based software with no need for access to /bin/?

Hi @ojknl20,

Good suggestions, and I’ve been thinking about this also (since we do field quite a few support questions about how to configure tar on a variety of hosting providers).

An all-PHP solution, e.g. using https://packagist.org/packages/pear/archive_tar (already used by the PKP|PN plugin) or https://packagist.org/packages/alchemy/zippy, would be nice.

However, a good end goal would be to remove reliance on exec entirely, and that would require a bit more work than just the plugin installer. Off the top of my head, here are a few uses of exec:

  • tar is invoked by the plugin installer.
  • gzip is invoked by the file manager.
  • tar and mysqldump are used by the Backup plugin.
  • pdftotext is used by the search indexing toolset.
  • There’s an XSLT tool configurable in config.inc.php as well, but only when built-in XSLT support is missing, which is OK.

The only tricky one will be the PDF text extraction, which may be possible via https://www.pdfparser.org/ but will need testing to see whether it can handle PDF files as well as the command-line equivalents.

I’ve filed this for improvement here: https://github.com/pkp/pkp-lib/issues/6077

Meanwhile, I think you should be able to copy any necessary binaries into a spot within your open_basedir restrictions (or make one and add it) – that will allow you to avoid adding /usr/bin in its entirety if you’d prefer.

Just unpacking the plugin into the plugins area of OJS won’t reliably install a plugin, as there are often other installation tasks that this won’t include.

Regards,
Alec Smecher
Public Knowledge Project Team
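
The workaround suggested in the reply above, as an added shell example (not part of the original thread and not PKP code): it copies a single binary into a directory inside the existing open_basedir and refuses any destination that resolves outside it. The `bin` directory next to `httpdocs` and both function names are assumptions; the other paths are the ones from the log line in the question.

```shell
#!/bin/sh
# Added example, not PKP code. The "bin" subdirectory is an assumed location.

# within_basedir PATH LIST -> 0 if PATH lies under an entry of the
# colon-separated open_basedir LIST. Entries are treated as directories.
within_basedir() {
    path=$1
    old_ifs=$IFS; IFS=:; set -f
    for entry in $2; do
        [ -n "$entry" ] || continue          # ignore empty fields ("a::b")
        entry=${entry%/}                     # "/tmp/" and "/tmp" compare alike
        case $path in
            "$entry"/*) IFS=$old_ifs; set +f; return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# stage_binary SRC DESTDIR LIST -> copies SRC into DESTDIR and prints the
# new path, refusing any DESTDIR that resolves outside LIST.
# A copy is used, not a symlink: PHP resolves symlinks before the check,
# so a link pointing at /usr/bin/tar would still be rejected.
stage_binary() {
    src=$1 destdir=$2 list=$3
    [ -f "$src" ] && [ -x "$src" ] || { echo "not an executable: $src" >&2; return 2; }
    mkdir -p "$destdir" || return 2
    real=$(cd "$destdir" && pwd -P) || return 2   # resolve ".." and symlinks
    dest=$real/$(basename "$src")
    within_basedir "$dest" "$list" || { echo "outside open_basedir: $dest" >&2; return 1; }
    cp "$src" "$dest" && chmod 755 "$dest" || return 2
    echo "$dest"
}

# Usage with the values from the log line above (run as the site owner):
#   stage_binary /usr/bin/tar /var/www/vhosts/mywebsitehere.org/bin \
#       "/var/www/vhosts/mywebsitehere.org/:/tmp/"
# then point config.inc.php at the printed path:
#   tar = /var/www/vhosts/mywebsitehere.org/bin/tar
```

A staged copy does not receive the distribution's package updates, so refresh it when the system `tar` is patched.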