Mimic open_basedir check more precisely in filesystem/folder::create() #17349
Conversation
If the open_basedir ini directive contains a path that links to a symlink, PHP will resolve these paths and then perform the actual access check. Joomla, however, only performed a plain string comparison, which leads to false positives.
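As an added illustration of the difference described above (example code written for this page, not Joomla's filesystem/folder code and not part of the pull request), the script below contrasts a plain string-prefix check with one that resolves symlinks before comparing, the way PHP does for its own open_basedir test. The function names, the temporary directory layout, and the sample open_basedir value are assumptions chosen to mimic a hosting panel that exposes one document root under two paths. Because folder::create() is asked to create a directory that does not exist yet and realpath() returns false for non-existent paths, the resolved check walks up to the nearest existing ancestor, resolves that, and re-appends the missing tail.

```php
<?php
// Added example (not Joomla's code): naive string-prefix open_basedir check
// versus a symlink-resolving check. Function names and the temp layout below
// are assumptions for illustration only.

declare(strict_types=1);

/**
 * Naive check: plain string comparison against each open_basedir entry,
 * as described for the pre-patch Joomla code.
 */
function isWithinOpenBasedirNaive(string $path, string $openBasedir): bool
{
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $base) {
        $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        // Appending a separator to $path makes "/a/bc" not match base "/a/b/".
        if (strncmp($path . DIRECTORY_SEPARATOR, $base, strlen($base)) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Resolve symlinks in a path that may not exist yet: walk up to the nearest
 * existing ancestor, realpath() it, then re-append the non-existent tail.
 * Returns null if no ancestor could be resolved (expects an absolute path).
 */
function resolveExistingPrefix(string $path): ?string
{
    $tail  = '';
    $probe = $path;
    while (($real = realpath($probe)) === false) {
        $parent = dirname($probe);
        if ($parent === $probe) {
            return null; // reached the filesystem root without resolving anything
        }
        $tail  = DIRECTORY_SEPARATOR . basename($probe) . $tail;
        $probe = $parent;
    }
    return $real . $tail;
}

/**
 * Closer to PHP's behaviour: both the candidate path and every base
 * directory are symlink-resolved before the prefix comparison.
 */
function isWithinOpenBasedirResolved(string $path, string $openBasedir): bool
{
    $real = resolveExistingPrefix($path);
    if ($real === null) {
        return false;
    }
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $base) {
        $realBase = realpath($base);
        if ($realBase === false) {
            continue; // unresolvable base entries can never grant access
        }
        $realBase = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($real . DIRECTORY_SEPARATOR, $realBase, strlen($realBase)) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed layout mimicking the hosting setup discussed in the thread:
//   <tmp>/clients/site/web   real document root
//   <tmp>/www/example/web    symlink pointing at the real document root
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'obd_' . bin2hex(random_bytes(4));
mkdir("$tmp/clients/site/web", 0700, true);
mkdir("$tmp/www/example", 0700, true);
symlink("$tmp/clients/site/web", "$tmp/www/example/web");

$openBasedir = "$tmp/www/example/web" . PATH_SEPARATOR . sys_get_temp_dir(); // assumed php.ini value
$logDir      = "$tmp/clients/site/web/logs"; // directory Joomla wants to create; does not exist yet

var_dump(isWithinOpenBasedirNaive($logDir, $openBasedir));    // false: string prefixes differ
var_dump(isWithinOpenBasedirResolved($logDir, $openBasedir)); // true: same directory once resolved

// Clean up the constructed layout.
unlink("$tmp/www/example/web");
rmdir("$tmp/www/example");
rmdir("$tmp/www");
rmdir("$tmp/clients/site/web");
rmdir("$tmp/clients/site");
rmdir("$tmp/clients");
rmdir($tmp);
```

The naive check rejects the log directory even though it lives inside the allowed document root, because the string it compares never mentions the symlinked alias; the resolved check accepts it because realpath() maps both the base entry and the candidate onto the same real directory. Note that the resolved check is only a closer approximation: an application-level test can still disagree with PHP's own check for paths that are unreadable to the process, and the authoritative answer remains whatever the filesystem call itself returns.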
@Freeaqingme I have been trying to reproduce this issue but I can't get the same error as you. I always end up with My setup is as follows. My Joomla installation is in the folder In Joomla I set the log path to After this I get the infinite loop error. If you have any ideas as to how the setup should be different I would like to hear it.
@roland-d Thanks for giving it a shot. I'm not sure why your reproduction doesn't work though. Please allow me to give some context; I work at an ISP and we recently introduced a new webhosting platform. After working out some initial kinks it's been working great, and when it comes to common CMSes, this is the only problem that we (occasionally) run into. Whenever a customer contacts us about it, we provide the proposed patch and that fixes it. Running the patch on a couple of hundred websites at the moment makes me confident it at least fixes something :) Having said that, I could only surmise it's because of a symlink that we use for the document root. Though I'm not too intimately familiar with Joomla. Would it help, perhaps, if I provided you with some SFTP details for a Joomla website on our platform?
@Freeaqingme The interesting part of your feedback is that it doesn't happen on all sites. Do you have any idea why that is? If you can set up a test website which has the issue and provide me access details I can see how it is set up and compare it to my setup. Perhaps there is something odd in my setup. You can email me at roland.dalmulder@community.joomla.org
I faced this problem with the Joomla autoupdate component; the bug is described here: #13214
Let me give some details. @roland-d you're right, Joomla shows the error "Joomla\Filesystem\Folder::create: Infinite loop detected": However, @Freeaqingme is also right when he says:
Because both of you refer to different locations of the error. The open_basedir error appears in the Apache error.log, not in Joomla. So, that's probably why you couldn't find this error. This error happens because Joomla tries to traverse up, outside the parent directory. The description and explanation that @Freeaqingme provided is 100% correct. In my case I use ISPConfig, a well-known hosting panel. It creates symlinks to a website's document root like /var/clients/client1/website3/web; besides that, it is also accessible with the domain name, for example /var/www/www.example.com/web. And this causes the JFolder::create hell!
Any comment @roland-d? This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17349.
@franz-wohlkoenig I found someone to give me access to a server where this issue happens. I will take a look and see what it does. |
I have finally found the time to look into this. There were delays of personal nature :) With the provided server I observed the following. Before the patch:
After the patch:
I get the feeling this is not the complete solution. Any thoughts?
@Freeaqingme I have traced down why the installation of an extension did not work. There is a second place this fix has to be applied. In the file If you can make that fix, I can mark my test as successful. Thank you.
I waited for @Freeaqingme to improve this pull request, but I can't wait anymore. This bug is very important for me, so I made a new pull request #20280 with the additional fix that @roland-d requested. I hope this helps.
@Freeaqingme should this PR be closed? |
Sorry for not getting back to you earlier. I left my job a couple of months ago, so this kinda lost my attention. Thanks for following up!
Summary of Changes
If the open_basedir ini directive contains a path that links to a symlink, PHP will resolve these paths and then perform the actual access check. Joomla, however, only performed a plain string comparison, which leads to false positives.
Testing Instructions
Expected result
This should just work with no errors whatsoever.
Actual result
An error is presented that the path is not within open_basedir.
Documentation Changes Required
N/A