Installing Spell Checker plugin in safe mode

I’m trying to add the Spelling Checker Plugin. It doesn’t work in safe_mode. I’m trying to change that. Let’s see if this can be spell-checked and posted.

Yes, it works!!

Here is a summary of the changes I made to the original code version Beta 1.17 14-March-2005. I hope the author of the plugin will be able to make this post obsolete by folding the changes into his plugin.

First, the conditions under which this was tested:

My hosting ISP provides PHP running in safe mode with safe_mode_exec_dir set to “.” and PHP built –with-pspell. That means that aspell is installed on the server. It is in/usr/bin/aspell.

I installed WordPress using PHP built as a cgi and called with CGIWrap using the techniques described in Securing PHP applications at That may have affected which directory is “.” at time of the call, and therefore which directory I had to install the shell script named aspell that acts as a shim for the call to the system aspell.

This will only work for you if safe_mode_exec points somewhere that you can put your own shell script.

  1. Disable the test in spellcheck-plugin.php that blocks installation when running in safe mode.
  2. Bypass the exec(“which aspell”) call, which will not work in safe mode. Instead set the result variable of the call to be “aspell”. The location of the aspell command on the server is not relevant because safe mode restricts execution to files in the safe_mode_exec_dir directory.
  3. Create a shell script wp-contents/spell-plugin/aspell that is set to be executable and contains

    /bin/sh -c "/usr/bin/aspell $*" 2>&1

    This can’t be a simple softlink because of the way that safe mode escapes the redirection in the command line.
  4. Replace the two calls to shell_exec() with calls to exec(). In the one place that uses the return string from shell_exec use the second argument to exec and the join function to get the same result.

Here are the diffs for the code changes I made:

diff -r ~/spell-plugin/spell-plugin.php ./wp-content/plugins/spell-plugin.php
< if(ini_get('safe_mode')) --- > if(ini_get('xxxsafe_modexxx'))
< exec( "which aspell 2>&1", $out, $err );
> $out[0] = "aspell"; $err = 0;
diff -r ~/spell-plugin/spellInclude.php ./wp-content/spell-plugin/spellInclude.php
< shell_exec( $cmd ); --- > exec( $cmd );
diff -r ~/spell-plugin/spellchecker.php ./wp-content/spell-plugin/spellchecker.php
< if( $aspellret = shell_exec( $cmd )) { --- > exec( $cmd, $execout );
> $aspellret = join("\n", $execout);
> if( $aspellret ) {

Installing Plugin Manager in safe mode

This was almost too easy!

The problem: Plugin Manager uses exec() to call the unzip command to extract files from plugin archives. This does not work in safe mode. On my hosting ISP, PHP is run in safe mode with safe_exec_dir set to “.”, which restricts exec() to calling only executables in the current directory.

The solution: Create a symbolic link for unzip in the main WordPress directory, pointing to /usr/bin/unzip

My hosting site has allow_url_fopen set, so I did not have to work around a similar call to wget that Plugin Manager uses in the absence of allow_url_fopen.

I posted a comment about this at the Plugin Manager blog site.

Toe in the water

I haven’t wanted to start a blog, not knowing if I was ever going to get around to updating it, or have things worth saying. But now that I’m playing with WordPress, I realized that I can blog without blogging by just making the test site visible. I’ll document what I do with it. Maybe once in a while I’ll have something else to say.

If nothing else, hints on any customization that is necessary on the web server that I’m hosting on should be helpful to other customers who want to set up a blog.