XF 2.1 Plugin errors when installing, works but won't uninstall

Dan Blather

Member
The situation, in a nutshell.

* Dragonbyte Tech Member Map plugin - when I tried to properly install it, I got this error.

Code:
     UnexpectedValueException: RecursiveDirectoryIterator::__construct(): Unable to find the wrapper "phar" - did you forget to enable it when you configured PHP? src/addons/DBTech/MemberMap/Repository/GeoIp.php:133 

Stack trace

#0 [internal function]: RecursiveDirectoryIterator->__construct('phar:///home/cy...', 12288)
#1 src/addons/DBTech/MemberMap/Repository/GeoIp.php(133): PharData->__construct('/home/cyburbia/...')
#2 src/addons/DBTech/MemberMap/Setup.php(106): DBTech\MemberMap\Repository\GeoIp->geoIpUpdate()
#3 src/XF/AddOn/AddOn.php(560): DBTech\MemberMap\Setup->postInstall(Array)
#4 src/XF/Admin/Controller/AddOn.php(573): XF\AddOn\AddOn->postInstall(Array)
#5 src/XF/Mvc/Dispatcher.php(249): XF\Admin\Controller\AddOn->actionFinalize(Object(XF\Mvc\ParameterBag))
#6 src/XF/Mvc/Dispatcher.php(88): XF\Mvc\Dispatcher->dispatchClass('XF:AddOn', 'Finalize', 'html', Object(XF\Mvc\ParameterBag), 'listAddOns', Object(XF\Admin\Controller\AddOn), NULL)
#7 src/XF/Mvc/Dispatcher.php(41): XF\Mvc\Dispatcher->dispatchLoop(Object(XF\Mvc\RouteMatch))
#8 src/XF/App.php(1934): XF\Mvc\Dispatcher->run()
#9 src/XF.php(333): XF\App->run()
#10 admin.php(13): XF::runApp('XF\\Admin\\App')
#11 {main}

Request state

array(4) {
  ["url"] => string(109) "/forums/admin.php?add-ons/DBTech-MemberMap/finalize&t=1547177791%2C80c07b656697ce690d029ffff967de13&a=install"
  ["referrer"] => string(55) "https://www.cyburbia.org/forums/admin.php?tools/run-job"
  ["_GET"] => array(3) {
    ["add-ons/DBTech-MemberMap/finalize"] => string(0) ""
    ["t"] => string(43) "1547177791,80c07b656697ce690d029ffff967de13"
    ["a"] => string(7) "install"
  }
  ["_POST"] => array(0) {
  }
}

* phar is enabled on my serves.

* A few other people are reporting the same problem on the developer's Web site. App developer says "this would appear to be a bug with the latest versions of PHP."

* The plugin is not in the list of installed plugins, and I can't uninstall it.

* App developer: "I can’t fix bugs in PHP as I’m not on their development team unfortunately." I assume that means the XenForo development team.

* Just removing the plugin files doesn't work -- it breaks XenForo.

It's a nice plugin, but if I can't uninstall it, its really a permanent part of XenForo, rather than an add-on.

So, how can I uninstall an app that's not installed?
 
XenForo 2.0 and 2.1 disables the phar wrapper in the "standardizeEnvironment" function.
Code:
public static function standardizeEnvironment()
{
   ignore_user_abort(true);

   self::setMemoryLimit(128 * 1024 * 1024);

   error_reporting(E_ALL | E_STRICT & ~8192);
   set_error_handler(['XF', 'handlePhpError']);
   set_exception_handler(['XF', 'handleException']);
   register_shutdown_function(['XF', 'handleFatalError']);

   date_default_timezone_set('UTC');
   setlocale(LC_ALL, 'C');

   // if you really need to load a phar file, you can call stream_wrapper_restore('phar');
   @stream_wrapper_unregister('phar');
....

DragonByte needs to call @stream_wrapper_restore('phar'); to restore the wrapper.
 
Thank you! Let me see what they can do. If there's no action, is there any way to uninstall the thing?
I don't have the answer for your uninstall question, but perhaps with the info I gave DragonByte might be able to come up with a solution for you.

I just knew the answer to the missing wrapper because I did experiment with using Phar in one of my add-ons and decided against it.
 
It might be worth noting that I THINK I know why XenForo kills the Phar wrapper.

Phar files are compressed and can be executed. Thus it could be used as a form of obfuscation which is not allowed in any XenForo add-on. @Chris D or @Mike might be able to confirm that.

But I know the circumstances it's being used in, DragonByte is using it to decompress a file and it would probably be acceptable to use.
 
We disable phar by default now to disable a potential security issue that it can cause, combined with the uncommon usage. It's not really add-on specific. However, it's potentially very subtle and thus very hard to realize that code may be vulnerable -- if the attacker has enough control over the input, even calls to things like file_exists are vulnerable.

So yes, for a legitimate usage, you need to explicitly re-enable it as and when you want to use it. Mentioning @DragonByte Tech so he knows what to change now.

As a temporary thing, you can probably add this to your src/config.php file to install/uninstall the add-on:
Code:
stream_wrapper_restore('phar');
(I assume it's needed to function with the add-on as well, so it's up to you whether you want to leave it on.)
 
I didn't want to mention security problems since that could cause people to panic when it's being used in a legitimate way such as how it's being used in the application mentioned. But it is the reason I decided not to use it for the same general application where certain people might think it's misused.
 
Last edited:
I didn't want to mention security problems since that could cause people to panic when it's being used in a legitimate way such as how it's being used in the application mentioned. But it is the reason I decided not to use it for the same general application where certain people might think it's misused.
Do you have another method for uncompressing tar.gz archives? 🤔
 
Top Bottom