[#17349] - Mimic open_basedir check more precisely in filesystem/folder::create()
- Closed
- 2 May 2018
- Medium
- Build: staging
- # 17349
- Diff
- Freeaqingme:openbasedirCheck
- Pending hound Hound is busy reviewing changes... Details
User tests: Successful: Unsuccessful:
Summary of Changes
If the open_basedir ini directive contains a path that links to a
symlink, PHP will resolve these paths and then perform the acutal
access check.
Joomla, however, only performed a plain string comparison. As a
result leading to false positives.
Testing Instructions
- Create directory: ~/a/public_html
- Create symlink: ~/b/ pointing to ~/a/
- Configure PHP's openbasedir to contain ~/b/public_html
- Have Joomla create a folder inside ~/a/public_html
Expected result
This should just work with no erorrs whatsoever.
Actual result
An error is presented that the path is not within open_basedir..
Documentation Changes Required
N/A
joomla-cms-bot
- | Category | ⇒ | Libraries |
| Status | New | ⇒ | Pending |
@roland-d Thanks for giving it a shot. I'm not sure why your reproduction doesn't work though.
Please allow me to give some context; I work at an ISP and we recently introduced a new webhosting platform. After working out some initial kinks it's been working great, and when it comes to common CMS's, this is the only problem that we (ocasionally) run into. Whenever a customer contacts us about it, we provide the proposed patch and that fixes it. Running the patch on a couple of hundred websites at the moment makes me confident it at least fixes something :)
Having said that, I could only surmise it's because of a symlink that we use for the document root. Though I'm not too intimately familliar with Joomla. Would it help, perhaps, if I provided you with some SFTP details for a Joomla website on our platform?
@Freeaqingme The interesting part of your feedback is that it doesn't happen on all sites. Do you have any idea why that is?
If you can setup a test website which has the issue and provide me access details I can see how it is setup and compare it to my setup. Perhaps there is something odd in my setup.
You can email me at roland.dalmulder@community.joomla.org
| Status | Pending | ⇒ | Information Required |
I faced this problem for the Joomla autoupdate component, the bug is described here #13214
I have been trying to reproduce this issue but I can't get the same error as you. I always end up with JFolder::create: Infinite loop detected.
Let me give some details. @roland-d you're right, Joomla shows the error "Joomla\Filesystem\Folder::create: Infinite loop detected":
However, @Freeaqingme is also right when he says:
An error is presented that the path is not within open_basedir..
Because both of you refer to different locations of the error. The open_basedir error appears in the Apache error.log, not Joomla. So, that's probably why you couldn't find this error. This error happens because Joomla tries to traverse up, outside the parent directory. The description and explanation that @Freeaqingme provided is 100% correct.
In my case I use ISPConfig - a well-known hosting panel. It creates symlinks to website's root documents like /var/clients/client1/website3/web, besides they are also accessible with the domain name, for example, /var/www/www.example.com/web. And this causes the JFolder::create hell!
any Comment @roland-d?
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17349.
@franz-wohlkoenig I found someone to give me access to a server where this issue happens. I will take a look and see what it does.
I have finally found the time to look into this. There were delays of personal nature :) With the provided server I observed the following.
Before the patch:
- Unable to create a folder in Media Manager
- Unable to install an extension via upload
- Unable to install an extension via Install from web
- Unable to update extensions
After the patch:
- Able to create a folder in Media Manager
- Unable to install an extension
- Able to install an extension via Install from web
- Able to update extensions
I get the feeling this is not the complete solution. Any thoughts?
| Status | Information Required | ⇒ | Pending |
@Freeaqingme I have traced down why the installation of an extension did not work. There is a second place this fix has to be applied. In the file libraries/vendor/joomla/filesystem/src/Folder.php on line 182.
If you can make that fix, I can mark my test as successful. Thank you.
I waited till @Freeaqingme will improve this pull request. But I can't wait anymore. This bug is very important for me, so I made a new pull request #20280 with the additional fix that @roland-d requested. I hope this helps.
@Freeaqingme should this PR be closed?
| Status | Pending | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2018-05-02 14:49:48 |
| Closed_By | ⇒ | roland-d |
Sorry for not getting back to you earlier. I've left my job since a couple of months, so this kinda lost my attention. Thanks for following up!
@Freeaqingme I have been trying to reproduce this issue but I can't get the same error as you. I always end up with
JFolder::create: Infinite loop detected.My setup is as follows. My Joomla installation is in the folder
/Users/rolandd/htdocs/joomla-cmsI have setup open_basedir asopen_basedir = /Applications/MAMP/htdocs/b/and created a symlink asb -> joomla-cms.In Joomla I set the log path to
/Applications/MAMP/htdocs/logsand then login to the backend with an incorrect username/password to trigger Joomla to generate a logfile.After this I get the infinite loop error.
If you have any ideas as to how the setup should be different I would like to hear it.