Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork9.7k
[Process] do not search in $PATH entries not allowed by open_basedir#58008
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
Uh oh!
There was an error while loading.Please reload this page.
Uh oh!
There was an error while loading.Please reload this page.
| if (\ini_get('open_basedir')) { | ||
| $searchPath =array_merge(explode(\PATH_SEPARATOR,\ini_get('open_basedir')),$extraDirs); | ||
| $dirs = []; | ||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
With the new logic$extraDirs do not have to be searched here. Imho#57954 is the correct variant.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
#57954 which keeps adding the open_basedir folders as dirs to search in does not make sense.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
@stof so does this PR now. Symfony 6 and 7 also do not check whether the paths are allowed byopen_basedir - the check happens by silencingopen_basedir errors when usingis_dir andis_executable with@. See
if (@is_file($file =$dir.\DIRECTORY_SEPARATOR.$name.$suffix) && ('\\' === \DIRECTORY_SEPARATOR || @is_executable($file))) { if (!@is_dir($dir) &&basename($dir) ===$name.$suffix && @is_executable($dir)) { if (($executablePath =substr($execResult,0,strpos($execResult, \PHP_EOL) ?:null)) && @is_executable($executablePath)) {
nicolas-grekas commentedSep 17, 2024
Closing in favor of#58291 |
…sedir (BlackbitDevs)This PR was merged into the 5.4 branch.Discussion----------[Process] Fix finding executables independently of open_basedir| Q | A| ------------- | ---| Branch? | 5.4| Bug fix? | yes| New feature? | no| Deprecations? | no| Issues | -| License | MITThis backports#47422 to 5.4, which is a bugfix really.Instead of#58008 and#57954 /cc `@xabbuh` `@fritzmg`Commits-------4424763 [Process] Fix finding executables independently of open_basedir
replaces#57954
The current version of the
ExecutableFinderonly checks the paths in theopen_basedirwhen set. However, this will cause theExecutableFindernot find the executable in question if it is in a subfolder of one of theopen_basedirpaths.For example the environment might be configured as follows:
PATH=/usr/binopen_basedir=/usrIn this case the
ExecutableFinderonly checks the/usrfolder and won't find the binaries in/usr/bin, even though the PHP process would be allowed to access/usr/bin, as theopen_basedirrestriction allows access to subfolders.This PR fixes that by always adding the paths from
PATHto the directories to be checked.Note: this is not an issue in Symfony 6.4+. The
open_basedirlogic does not exist there and thus that problem does not exist there.