I'm using Drupal 6.6 (lightly customized by my organization) on a very locked-down version of PHP 5, with very conservative security settings for open_basedir, etc.
drush sql query does not work in this setup -- it simply fails silently with no error message.
I looked at the code and I think it's due to the fact that the code is trying to write the query to a file in the current directory (./) using the Drupal API call file_save_data and this seems to fail. Also, the code generates its own filenames for temporary files using a very simple scheme and manages deleting the temporary files itself. This is likely to make security-minded people nervous and might lead to orphaned files.
I created a patch that uses the PHP tmpfile() call to manage temporary files. The advantages are:
- This code works on my system, whereas the previous code did not.
- This code creates temporary files in the temporary directory; not in the current directory (wherever that is)
- Since it uses
tmpfile(), the file is created at the same time (and with the proper permissions) as the name is generated, which eliminates the risk of race conditions that security folks worry about. The name generated is also much more random and less predictable.
| Comment | File | Size | Author |
|---|---|---|---|
| tmpfile.diff | 1.52 KB | msabramo |
Comments
Comment #1
msabramo commentedComment #2
moshe weitzman commentedI committed this to the 6--2 branch of drush_extras and a the temp file function to drush head. thats where the action is. will be released soon. thanks for the improvement .