Mimic open_basedir check more precisely in filesystem/folder::create()

[Freeaqingme]

Summary of Changes

If the open_basedir ini directive contains a path that links to a
symlink, PHP will resolve these paths and then perform the acutal
access check.

Joomla, however, only performed a plain string comparison. As a
result leading to false positives.

Testing Instructions

• Create directory: ~/a/public_html
• Create symlink: ~/b/ pointing to ~/a/
• Configure PHP's openbasedir to contain ~/b/public_html
• Have Joomla create a folder inside ~/a/public_html

Expected result

This should just work with no erorrs whatsoever.

Actual result

An error is presented that the path is not within open_basedir..

Documentation Changes Required

N/A

[roland-d]

@Freeaqingme I have been trying to reproduce this issue but I can't get the same error as you. I always end up with JFolder::create: Infinite loop detected.

My setup is as follows. My Joomla installation is in the folder /Users/rolandd/htdocs/joomla-cms I have setup open_basedir as open_basedir = /Applications/MAMP/htdocs/b/ and created a symlink as b -> joomla-cms.

In Joomla I set the log path to /Applications/MAMP/htdocs/logs and then login to the backend with an incorrect username/password to trigger Joomla to generate a logfile.

After this I get the infinite loop error.

If you have any ideas as to how the setup should be different I would like to hear it.

[Freeaqingme]

@roland-d Thanks for giving it a shot. I'm not sure why your reproduction doesn't work though.

Please allow me to give some context; I work at an ISP and we recently introduced a new webhosting platform. After working out some initial kinks it's been working great, and when it comes to common CMS's, this is the only problem that we (ocasionally) run into. Whenever a customer contacts us about it, we provide the proposed patch and that fixes it. Running the patch on a couple of hundred websites at the moment makes me confident it at least fixes something :)

Having said that, I could only surmise it's because of a symlink that we use for the document root. Though I'm not too intimately familliar with Joomla. Would it help, perhaps, if I provided you with some SFTP details for a Joomla website on our platform?

[roland-d]

@Freeaqingme The interesting part of your feedback is that it doesn't happen on all sites. Do you have any idea why that is?

If you can setup a test website which has the issue and provide me access details I can see how it is setup and compare it to my setup. Perhaps there is something odd in my setup.

You can email me at roland.dalmulder@community.joomla.org

[rvalitov]

I faced this problem for the Joomla autoupdate component, the bug is described here #13214

I have been trying to reproduce this issue but I can't get the same error as you. I always end up with JFolder::create: Infinite loop detected.

Let me give some details. @roland-d you're right, Joomla shows the error "Joomla\Filesystem\Folder::create: Infinite loop detected":

However, @Freeaqingme is also right when he says:

An error is presented that the path is not within open_basedir..

Because both of you refer to different locations of the error. The open_basedir error appears in the Apache error.log, not Joomla. So, that's probably why you couldn't find this error. This error happens because Joomla tries to traverse up, outside the parent directory. The description and explanation that @Freeaqingme provided is 100% correct.

In my case I use ISPConfig - a well-known hosting panel. It creates symlinks to website's root documents like /var/clients/client1/website3/web, besides they are also accessible with the domain name, for example, /var/www/www.example.com/web. And this causes the JFolder::create hell!

[ghost]

any Comment @roland-d?

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/17349.}

[roland-d]

@franz-wohlkoenig I found someone to give me access to a server where this issue happens. I will take a look and see what it does.

[roland-d]

I have finally found the time to look into this. There were delays of personal nature :) With the provided server I observed the following.

Before the patch:

1. Unable to create a folder in Media Manager
2. Unable to install an extension via upload
3. Unable to install an extension via Install from web
4. Unable to update extensions

After the patch:

1. Able to create a folder in Media Manager
2. Unable to install an extension
3. Able to install an extension via Install from web
4. Able to update extensions

I get the feeling this is not the complete solution. Any thoughts?

[roland-d]

@Freeaqingme I have traced down why the installation of an extension did not work. There is a second place this fix has to be applied. In the file libraries/vendor/joomla/filesystem/src/Folder.php on line 182.

If you can make that fix, I can mark my test as successful. Thank you.

[rvalitov]

I waited till @Freeaqingme will improve this pull request. But I can't wait anymore. This bug is very important for me, so I made a new pull request #20280 with the additional fix that @roland-d requested. I hope this helps.

[ghost]

@Freeaqingme should this PR be closed?

[roland-d]

@rvalitov Do yo need help with making the other PR against the framework? I think we can combine efforts because this is going around in circles.

Closing this PR because I don't think it will go anywhere. We can fix it in the related issue #20280

[Freeaqingme]

Sorry for not getting back to you earlier. I've left my job since a couple of months, so this kinda lost my attention. Thanks for following up!