No Code Attached Yet bug
avatar ahotzler
ahotzler
6 Dec 2018

Steps to reproduce the issue

configure "disable_functions curl_exec, curl_multi_exe" in php settings (php.ini)

Expected result

Message that curl_exec is disabled for example

Actual result

While using the update check: /administrator/index.php?option=com_installer&view=update joomla cannot chec for updates

Message: Update: The update source #1 "Joomla! Core" could not be opened! URL: https://update.joomla.org/core/list.xml

While Using /administrator/index.php?option=com_joomlaupdate

Message: "Update: Die Aktualisierungsquelle #13 „Joomla! Update Component Update Site“ konnte nicht geöffnet werden! URL: https://update.joomla.org/core/extensions/com_joomlaupdate.xml"

Translated: "Update: The update source #13 "Joomla! Update Component Update Site" could not be opened! URL: https://update.joomla.org/core/extensions/com_joomlaupdate.xml"

PHP-Debug:

Warning: curl_exec() has been disabled for security reasons in .../libraries/src/Http/Transport/CurlTransport.php on line 204 Warning:

System information (as much as possible)

PHP 7.2.12-1+020181112102304.11+stretch1.gbp55f215
Joomla! 3.9.0 Stable [ Amani ] 30-October-2018 14:00 GMT
PHP disable_functions curl_exec, curl_multi_exec, exec, parse_ini_file, passthru, popen, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, show_source, system

Directive Local Value Master Value
allow_url_fopen On On
allow_url_include Off Off

curl
cURL support enabled
cURL Information 7.52.1
Age 3
Features
AsynchDNS Yes
CharConv No
Debug No
GSS-Negotiate No
IDN Yes
IPv6 Yes
krb4 No
Largefile Yes
libz Yes
NTLM Yes
NTLMWB Yes
SPNEGO Yes
SSL Yes
SSPI No
TLS-SRP Yes
HTTP2 Yes
GSSAPI Yes
KERBEROS5 Yes
UNIX_SOCKETS Yes
PSL Yes
Protocols dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, ldaps, pop3, pop3s, rtmp, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp
Host x86_64-pc-linux-gnu
SSL Version OpenSSL/1.0.2l
ZLib Version 1.2.8
libSSH Version libssh2/1.7.0

Additional comments

Hint from David:

"There the check in the curl driver must be adapted, the catches the case not https://github.com/joomla/joomla-cms/blob/3.10-dev/libraries/src/Http/Transport/CurlTransport.php"

Votes

# of Users Experiencing Issue
1/1
Average Importance Score
3.00

avatar ahotzler ahotzler - open - 6 Dec 2018
avatar joomla-cms-bot joomla-cms-bot - change - 6 Dec 2018
Labels Added: ?
avatar joomla-cms-bot joomla-cms-bot - labeled - 6 Dec 2018
avatar mbabker
mbabker - comment - 6 Dec 2018

The platform is not dependent on curl, so factually it's incorrect that update checks don't work when curl is not available as there are other ways the API tries to work.

Our API does not go in depth checking the disabled functions directive for every possible function in an adapter, and I don't believe we should be adding this.

We can and should improve the error message shown in the UI where practical, but I don't believe we should be adding checks for disabled functions here (otherwise that opens a can of worms and it conceivably needs to be done everywhere we have isSupported() type checks and that soon trickles down to checking every native PHP function.

avatar ahotzler
ahotzler - comment - 6 Dec 2018

Hm, I created the title based on the message "Warning: curl_exec() has been disabled...". I also checked for fopen, which was enabled.

Unfortunately I cannot contribute any technical solutions, only information about the - in my eyes strangely configured host system. Please let me know if I can provide anything here before the provider changes the settings.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/23235.

avatar ahotzler ahotzler - change - 6 Dec 2018
The description was changed
avatar ahotzler ahotzler - edited - 6 Dec 2018
avatar SniperSister
SniperSister - comment - 6 Dec 2018

@mbabker disabling curl for pseudo-security reasons is actually a well known pattern that i saw at many different hosts, I would say it’s worth the the extra check


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/23235.

avatar mbabker
mbabker - comment - 6 Dec 2018

If we're going to make it a habit of checking disabled functions then realistically every isSupported check needs to scan every function that might be used by an adapter (HTTP transports, cache mechanisms, session handlers, database drivers, etc.). I don't think one off exceptions in one code path is a good idea personally.

If we start checking curl_exec(), what happens if you've got a questionable sysadmin that disables curl_init() instead? We're already having to work around this because someone thought it was a good idea to disable parse_ini_file().

avatar SniperSister
SniperSister - comment - 6 Dec 2018

I haven't heard anyone complaining about mysqli_connect being disabled for security reasons, for curl however this is a real world issue.

I get your point, it's an exception - but a worthy in my opionion.

avatar mbabker
mbabker - comment - 6 Dec 2018

Not saying it's not a real world issue, but I don't think just coming back in and monkey patching core every time there is a "I can't do this because a function was added to the disable_functions INI directive" issue report is right either.

Either across the board we make it a best practice to check this directive any place we have an API that checks if an adapter can be used in the environment and consistently do it with everything (and I really do mean everything because, like I pointed out, we can monkey patch checking curl_exec() but when someone disables curl_init() or curl_setopt() you're in just as much trouble) or we don't do it at all and leave this type of check to a system dashboard in com_admin (which I personally think is the way to go about it, the production code should not be littered full of ini_get('disable_functions') calls).

avatar SniperSister
SniperSister - comment - 6 Dec 2018

leave this type of check to a system dashboard in com_admin

You mean to display an information to the user saying "hey, your stupid host disabled curl, Joomla can't connect to the outside world"? Well, but how does it help the end user? His host most likely won't change his mind, so the user-friendly alternative would be, that JHttp just changes over to a supported driver and that let's us end up with ini_get calls again.

Alternative: add a helper function doing function_exists && is_callable && !in_array(explode(ini_get(...)))?

avatar mbabker
mbabker - comment - 6 Dec 2018

option=com_admin&view=healthcheck

Add sane things here:

  • Is an HTTP adapter available for use?
    • No? Why not? Guide user somewhere...
  • Is a cache adapter available for use?
  • Is caching enabled?
    • No? Educate user why this may be beneficial...

Alternative: add a helper function doing function_exists && is_callable && !in_array(explode(ini_get(...)))?

You can't make a Joomla\CMS\Environment::willThisActuallyWork() sanely because different environments call for different things (i.e. can't do extension_loaded() for Memcached in some environments and have to rely on class_exists(), clearly you can't rely on extension_loaded() for curl and have to get into this stupid disable_functions check (and it would apply to all of our HTTP adapters, not just curl, because it's more common to block or disable things like fopen() and fsockopen(), or disable allow_url_fopen or the ability to do a request through file_get_contents() than it is to turn off curl in this half-assed broken way; BTW I do all of that quite commonly).

Again, it's a real problem and I'm not denying that, but the way I see it either we start checking the disabled function list for everything in core as a best practice (which does mean the potential of "is mysqli_connect() disabled?" checks), or we're going to be in here monkey patching until we're all blue in the face because some "smart" guy decided to turn off a random function because they know no better. And frankly I treat issues like this as a server level responsibility to fix, not an application level responsibility. Even king of no technical stuff should ever be seen by the end user WordPress doesn't do this level of checking.

avatar PhilETaylor
PhilETaylor - comment - 9 Feb 2019

#ycfs if you have a nice shiny car, but take the wheels off each night so the car doesnt get stolen and then complain you cannot drive to work in the morning, thats not the car manufacturers issue...

PHP is designed to work. If you then go and disable functions in php with the ini setting disable_function then you are on your own...

You dont "secure" a PHP installation by disabling functions. If 2019... there is no reason for ANY php functions to be disabled in this way.

avatar franz-wohlkoenig franz-wohlkoenig - change - 4 Mar 2019
Status New Discussion
avatar franz-wohlkoenig
franz-wohlkoenig - comment - 28 Mar 2019

whats the Status of this Issue?

avatar franz-wohlkoenig franz-wohlkoenig - change - 28 Mar 2019
Status Discussion Information Required
avatar franz-wohlkoenig franz-wohlkoenig - change - 28 Mar 2019
Category com_joomlaupdate
avatar SniperSister
SniperSister - comment - 28 Mar 2019

I guess someone has to make a decision if the problem is worth an exception or not.

avatar franz-wohlkoenig
franz-wohlkoenig - comment - 28 Mar 2019

thanks @SniperSister, calling @HLeithner as Release Lead.

avatar HLeithner
HLeithner - comment - 28 Mar 2019

I follow michael's way, it doesn't make sense to check every if every function of a package is available. Especially if the hoster disable the wrong function like curl_exec instead of the curl_init.

Anyway a dashboard that could check the server would make sense. The question is if there is a 3rd party lib that we can use for this.

avatar mbabker
mbabker - comment - 28 Mar 2019

This type of health check would have to be written specific for Joomla (most of it would be the standard component MVC structure, all you're really writing then is a series of checks to either check the Joomla config for recommended settings or the PHP config for recommended settings and enabled/disabled capabilities, and adding in plugin hooks so extensions could add their own things here similar to com_privacy capabilities).

avatar franz-wohlkoenig
franz-wohlkoenig - comment - 28 Mar 2019

so closing?

avatar HLeithner
HLeithner - comment - 28 Mar 2019

This type of health check would have to be written specific for Joomla (most of it would be the standard component MVC structure, all you're really writing then is a series of checks to either check the Joomla config for recommended settings or the PHP config for recommended settings and enabled/disabled capabilities, and adding in plugin hooks so extensions could add their own things here similar to com_privacy capabilities).

sounds good but have to be done ;-)

I thought a bit more in the direction, lib xy say me if curl, mysql, postgres, you name it "really" work. a typ of unit test.

avatar franz-wohlkoenig franz-wohlkoenig - unlabeled - 4 Apr 2019
avatar franz-wohlkoenig franz-wohlkoenig - change - 4 Apr 2019
Labels Added: J3 Issue
avatar franz-wohlkoenig franz-wohlkoenig - labeled - 4 Apr 2019
avatar MLuehr
MLuehr - comment - 25 Sep 2019

Maybe I'm wrong, but I think there are 2 other ways to get the updates working. But the Transport substitudes coming not into play because of disabeling and not being aware that there is a problem. So could it be an option to disable curl in Joomla! so that the transport substitudes can take over?

avatar jwaisner
jwaisner - comment - 11 Mar 2020

@HLeithner are we looking at doing this or can this be closed? Based on what I can read it looks like the issue is something that is not advisable to apply to J3.


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/23235.

avatar HLeithner
HLeithner - comment - 13 Mar 2020

Still an valid issue even if no body seams to be interested to solve it or has the problem at all.

avatar jwaisner jwaisner - change - 13 Mar 2020
Status Information Required Confirmed
Build master staging
avatar Hackwar Hackwar - change - 18 Feb 2023
Labels Added: No Code Attached Yet bug
Removed: ?
avatar Hackwar Hackwar - labeled - 18 Feb 2023
avatar chmst chmst - change - 13 Sep 2024
Labels Removed: J3 Issue
avatar chmst chmst - unlabeled - 13 Sep 2024

Add a Comment

Login with GitHub to post a comment