Installing Spell Checker plugin in safe mode

I’m trying to add the Spelling Checker Plugin. It doesn’t work in safe_mode. I’m trying to change that. Let’s see if this can be spell-checked and posted.

Yes, it works!!

Here is a summary of the changes I made to the original code version Beta 1.17 14-March-2005. I hope the author of the plugin will be able to make this post obsolete by folding the changes into his plugin.

First, the conditions under which this was tested:

My hosting ISP provides PHP running in safe mode with safe_mode_exec_dir set to “.” and PHP built –with-pspell. That means that aspell is installed on the server. It is in/usr/bin/aspell.

I installed WordPress using PHP built as a cgi and called with CGIWrap using the techniques described in Securing PHP applications at That may have affected which directory is “.” at time of the call, and therefore which directory I had to install the shell script named aspell that acts as a shim for the call to the system aspell.

This will only work for you if safe_mode_exec points somewhere that you can put your own shell script.

  1. Disable the test in spellcheck-plugin.php that blocks installation when running in safe mode.
  2. Bypass the exec(“which aspell”) call, which will not work in safe mode. Instead set the result variable of the call to be “aspell”. The location of the aspell command on the server is not relevant because safe mode restricts execution to files in the safe_mode_exec_dir directory.
  3. Create a shell script wp-contents/spell-plugin/aspell that is set to be executable and contains

    /bin/sh -c "/usr/bin/aspell $*" 2>&1

    This can’t be a simple softlink because of the way that safe mode escapes the redirection in the command line.
  4. Replace the two calls to shell_exec() with calls to exec(). In the one place that uses the return string from shell_exec use the second argument to exec and the join function to get the same result.

Here are the diffs for the code changes I made:

diff -r ~/spell-plugin/spell-plugin.php ./wp-content/plugins/spell-plugin.php
< if(ini_get('safe_mode'))
> if(ini_get('xxxsafe_modexxx'))
< exec( "which aspell 2>&1", $out, $err );
> $out[0] = "aspell"; $err = 0;
diff -r ~/spell-plugin/spellInclude.php ./wp-content/spell-plugin/spellInclude.php
< shell_exec( $cmd );
> exec( $cmd );
diff -r ~/spell-plugin/spellchecker.php ./wp-content/spell-plugin/spellchecker.php
< if( $aspellret = shell_exec( $cmd )) {
> exec( $cmd, $execout );
> $aspellret = join("\n", $execout);
> if( $aspellret ) {

This entry was posted in WordPress. Bookmark the permalink.

Leave a Reply