I run a shared free hosting service using www.zpanelcp.com hosting panel, I'm one of the core developers over on the ZPanel project and implemented the use of per vhost open_base_dir restrictions and suhosin harden patch after one of the people on my hosting service managed to get into any files they wanted to on my server.
From a hosting service point of view i don't like removing the restrictions I've put inplace to protect my server, so have been trying to get Drupal to work within these restrictions, but am struggling....
I saw on the Drupal 7.8 updates list that it should now work with this restriction in place :
#1002048 by Akaoni, Boobaa, joosts, sfyn, bfroehle: Fixed Work around move_uploaded_file() issues with safe_mode() and open_basedir().
So i did a fresh install of drupal with the following base dir setting in place :
php_admin_value open_basedir "D:/Websites/zadmin/drupal_kevandrews_co_uk/;C:/ZPanel/temp/"
In administration - configuration - file system i set the temp directory to :
tmp
and created this folder in the root of the drupal installation which is in the root of the web directory.
When i try to upload modules i get the following error:
Warning: ZipArchive::extractTo() [ziparchive.extractto]: open_basedir restriction in effect. File(temporary://update-extraction-df65a3f9/admin_menu\admin_devel) is not within the allowed path(s): (D:/Websites/zadmin/drupal_kevandrews_co_uk/;C:/ZPanel/temp/) in ArchiverZip->extract() (line 112 of D:\Websites\zadmin\drupal_kevandrews_co_uk\modules\system\system.archiver.inc).
admin_menu-7.x-3.0-rc1.zip does not contain any .info files.
If i go and look in D:\websites\zadmin\drupal_kevandrews_co_uk\tmp the zip file has been uploaded
Can anyone help me test this? If you would like access to the drupal installation please ask and i'll send you the login information.
Comment | File | Size | Author |
---|---|---|---|
#18 | test_with_comment.zip | 571 bytes | bfroehle |
#18 | open_basedir_stream_test.php_.txt | 3.91 KB | bfroehle |
Comments
Comment #1
StevenPatzComment #2
webchickI think the issue you're hitting is #357469: file_save_upload() fails to handle open_basedir restriction which is slightly different, but related. That issue still needs work, but there are some patches which might be useful.
Comment #3
Caffeine Addict CreditAttribution: Caffeine Addict commentedThanks very much, maybe i can have a look at this .. i'm ok at patching things just got no idea how to run the tests etc.
Comment #4
Caffeine Addict CreditAttribution: Caffeine Addict commentedDid some more testing, .tar.gz files will upload if you have downloaded them to your computer then install them using the browse button.
.zip files error with the following error :
•Warning: ZipArchive::extractTo() [ziparchive.extractto]: open_basedir restriction in effect. File(temporary://update-extraction-df65a3f9/token) is not within the allowed path(s): (D:/Websites/zadmin/drupal_kevandrews_co_uk/;C:/ZPanel/temp/;D:/Websites/zadmin/drupal_kevandrews_co_uk/tmp/) in ArchiverZip->extract() (line 112 of D:\Websites\zadmin\drupal_kevandrews_co_uk\modules\system\system.archiver.inc).
•token-7.x-1.0-beta5.zip does not contain any .info files.
The zip file uploads fine, the temp folder is created fine, but the files don't get unzipped to the temp folder.
Installing a module from url .zip gives the following error:
•http://ftp.drupal.org/files/projects/pathauto-7.x-1.0-rc2.zip could not be saved to temporary://update-cache-df65a3f9/pathauto-7.x-1.0-rc2.zip.
•Unable to retrieve Drupal project from http://ftp.drupal.org/files/projects/pathauto-7.x-1.0-rc2.zip.
Installing a module from url .tar.gz gives the following error:
•http://ftp.drupal.org/files/projects/pathauto-7.x-1.0-rc2.tar.gz could not be saved to temporary://update-cache-df65a3f9/pathauto-7.x-1.0-rc2.tar.gz.
•Unable to retrieve Drupal project from http://ftp.drupal.org/files/projects/pathauto-7.x-1.0-rc2.tar.gz.
So you can install a .tar.gz module if you download it to your pc first then upload to the server using the browse to file.
All other processes fail.
Comment #5
Caffeine Addict CreditAttribution: Caffeine Addict commentedThis isn't to do with this bug:
#357469: file_save_upload() fails to handle open_basedir restriction
This is to do with how the .zip files are extracted when installing a module from a local file:
Drupal 7.8 module installation testing with open_base_dir restrictions in place.
Uploading a .tar.gz module works fine without any errors and the module is fully functional.
I can see the .tar.gz files have been extracted to a temp folder in my temp directory
Uploading a .zip file gives the following error:
The zip file was uploaded to the temp directory, a temp folder has been created but files were not extracted.
From Url zip file or .tar.gz gives the following error:
There is a difference in how .tar.gz files are uploaded and installed compared to .zip files in the /modules/system/system.archiver.inc the __construct functions are different and the zip __construct has a todo :
Comment #6
Caffeine Addict CreditAttribution: Caffeine Addict commentedReopening, see above post.
Comment #7
Caffeine Addict CreditAttribution: Caffeine Addict commentedChanged line 113 in /modules/system/system.archiver.inc so it was hard coded to the temp directory and the zip file is extracted successfully :
C:/zpanel/temp/update-extraction-df65a3f9/date/
Directory date was created and filled with the module's files.
So my guess the $path variable that is normally passed to the extractTo is incorrect for open_base_dir restrictions...
added the following line under the extractTo command above :
so i can see the $path variable which is :
so the temporary:// is most likely causing issues with the open_base_dir restrictions...
Comment #8
bfroehle CreditAttribution: bfroehle commentedKevin, I'd like to work to fix this issue, but you'll need to do a little more first.
Lastly I've recategorized this post per the Issue queue handbook.
Comment #9
bfroehle CreditAttribution: bfroehle commented~
Comment #10
Caffeine Addict CreditAttribution: Caffeine Addict commentedIf you need to play with a drupal site i can set you one up on my hosting server with accesses to the files database and drupal admin user...
I've changed $this->zip->extractTo($path) to $this->zip->extractTo(drupal_realpath($path)) and it now works perfectly!
I'm just about to leave work now and won't get a chance to work on this until Friday most likely... Thanks for changing the title as per the handbook, sorry i've only recently joined the community and have alot of work and reading to do by the looks of things...
So uploading .tar.gz and .zip with that change now work fine, but installing from URLs won't work still:
I might need to do some research into that one like the .zip...
Also phpinfo for my server here:
http://zpanel.kevandrews.co.uk/apps/phpinfo/
Comment #11
bfroehle CreditAttribution: bfroehle commentedCan you post the actual phpinfo for your drupal instance (Admin > Reports > ...)? In particular, the phpinfo in #10 doesn't have open_basedir set...
Comment #12
bfroehle CreditAttribution: bfroehle commentedI wonder -- is the issue the mixed / and \ in the path...
Comment #13
Caffeine Addict CreditAttribution: Caffeine Addict commentedDidn't spot that... how have you got that printed out?
The open base dir i can get from the vhost file as i have root access to the server, here it is:
DocumentRoot "D:/Websites/zadmin/drupal_kevandrews_co_uk"
php_admin_value open_basedir "D:/Websites/zadmin/drupal_kevandrews_co_uk/;C:/ZPanel/temp/;"
Open base dir are set per vhost as the server software i'm using is for a multi hosting enviroment, its for server security, if i don't have this set there is a security risk that clients on my free hosting platform could get out of their folder and change system files of my server if they knew how... (someone managed it a while back)
I have tried setting the temp directory to the following and none made any difference before doing the change you asked me to do:
tmp/
sites/default/files
C:/ZPanel/temp/
Comment #14
bfroehle CreditAttribution: bfroehle commentedFYI: I tried for a while to reproduce this on an OS X installation but couldn't.
Comment #15
Caffeine Addict CreditAttribution: Caffeine Addict commenteddrupal.kevandrews.co.uk
username : drupal
password : drupal
I have taken out the drupal_realpath fix you suggested, have a play...
ftp info
server : kevandrews.co.uk
username : drupal
password : drupal
I'll leave this up till midnight tomorrow for anyone to test on.
Comment #16
Caffeine Addict CreditAttribution: Caffeine Addict commentedNote:
Not all the modules have this random \ in the path..
php bugs for open_basedir :
https://bugs.php.net/search.php?cmd=display&search_for=open_basedir&x=0&y=0
don't know if there is anything there of any help?
Comment #17
Caffeine Addict CreditAttribution: Caffeine Addict commentedInstalled Drupal 7.8 on Zpanel 6.1.1 which has PHP 5.3.5.
Enabled the update manager so i could install modules. (install module link is missing without this enabled by default)
Got the following error on the top of the install module page (not done anything on that page yet)
vhost settings:
Changed the temporary directory in drupal config file manager to :
sites/default/files
the error has now gone away at the top of the install module page
Try to install a .zip file module from the local machine using the browse option gives the same error still:
So this is an issue on both php 5.2.* and 5.3.* with the open_basedir setting....
Also just run a test on Drupal 8 now i have worked out have to find the installation link for modules on a clean install, get the same error:
settings for this installation :
drupal temp in config set to :
sites/default/files
Ok i can't think of any more tests to run.. but there is definatly an issue with how ZipArchiver works with the open_base_dir seeing as using drupal realpath in the $path seems to fix installing zips and getting files straight from the url fail as well..
If more tests need doing let me know or use the drupal installation in post #15
Comment #18
bfroehle CreditAttribution: bfroehle commentedI've attached a simple script which creates a stream wrapper and uses PHP's ZipArchive to try to extract it.
The script works fine locally on my Mac with open_basedir enabled on PHP 5.3.2 and PHP 5.2.13. It seems to fail on your server.
I think we'll just have to clean this script up a bit and forward it on to php.net as a bug in PHP.
Comment #19
Caffeine Addict CreditAttribution: Caffeine Addict commentedI've tested on php 5.3.6 and php 5.2.14 I would like to upgrade my stack on the development box at home to php 5.2.17 just to make sure they haven't already fixed this.. I also don't think they are running fixes for php 5.2.* any more so this may only get fixed in 5.3.*....
I'll also test the latest version of 5.3.* today and let you know, I'll use the attached files and post results.
If this hasn't been fixed in the latest versions will we be looking at a work around for drupal in the meanwhile or just waiting for PHP to fix the bug and release a new version?
Comment #20
bfroehle CreditAttribution: bfroehle commentedWell the easiest fix will, of course, be to just use tarballs instead of zips. Unfortunately I don't have more time for this issue, but did respond via e-mail with some suggestions. Best of luck!
Comment #21
Caffeine Addict CreditAttribution: Caffeine Addict commentedCheers, i'll structure some tests, i have a feeling this may have something to do with we are using the setting per VHOST instead of in the php.ini.
I'm going to test both the above then different versions of php to see if i can narrow down the possible causes and update here. Once narrowed i'll take this to php.net
Thanks for your e-mail brad, don't worry about time, I know how limited "spare" time gets...
Comment #22
Wolfflow CreditAttribution: Wolfflow commentedSubscribe
Comment #23
Wolfflow CreditAttribution: Wolfflow commentedStill working on the issue ->
mybe of help -> http://drupal.org/node/5961
Edit: found another issue related to: http://drupal.org/node/1002048
Comment #24
Caffeine Addict CreditAttribution: Caffeine Addict commentedI've run out of time to test this for the time being, i'll pick this back up next week.
Wolfflow thanks for finding the related issues, i'll have a read over them.
Comment #25
Caffeine Addict CreditAttribution: Caffeine Addict commentedUpdate: This is a windows only issue by the looks of things. I just installed on CentOS with the open_basedir restriction in place in the httpd-vhosts.conf file exactly the same as the windows server and drupal uses FTP access instead... can this not be enabled for drupal on windows per installation basis?
Comment #26
chx CreditAttribution: chx commentedI have no idea what is this doing in the major queue. open_basedir and solely on Windows? How's that major? And also, it's almost surely a PHP bug. You can almost surely code around it with a drupal_realpath() call to resolve temporary:// into a file path.
Comment #27
Caffeine Addict CreditAttribution: Caffeine Addict commentedI personally haven't worked on drupal core yet and am only trying to get a resolution on this so it will work correctly inside a windows multi-hosting environment. Would you have time to do this? I'm also not sure on what sort of resolution people would want in the core.. (in other words the new guy doesn't want to start changing things yet).
Also the only reason i can see that this is a windows only issue is that when installed on linux Drupal requires ftp details to your server to install from a url or file, where as windows uses file upload...
Comment #28
bfroehle CreditAttribution: bfroehle commentedIf the webserver process owns the files, then the same mechanism you are used to on Windows also applies. Also there is an SFTP option if the PHP SSH2 module is installed.
Comment #29
Caffeine Addict CreditAttribution: Caffeine Addict commentedSo if I change the file ownership to the webserver user then I will be able to test the same process on linux that windows uses? I'll try and test tonight. Also i'll have a look at testing PHP SSH2 ..
Comment #30
bfroehle CreditAttribution: bfroehle commentedExactly.
The relevant link for SSH2, by the way, is http://php.net/manual/en/book.ssh2.php
Unfortunately the reason why this isn't getting much attention is a combination of several factors:
- Rarity: open_basedir on Windows with Zip uploading is relatively rare (and other combinations all seem to work)
- Fault: PHP is broken here, not Drupal
- Difficulty: there isn't an obvious workaround which maintains compatibility (i.e., adding drupal_realpath() everywhere isn't a valid workaround).
Comment #31
chx CreditAttribution: chx commentedwhy everywhere? it seemed there's a specific point of attack in extract?
Comment #32
Caffeine Addict CreditAttribution: Caffeine Addict commentedMy post #4 shows the errors when uploading .zip files and using install from URL with both .zip and .tar.gz files. So it would need to be used in a max of three places. Even if we could get a patch people could use / install to fix this I would be happy...
Just to reclarify:
.zip browse and upload - fails
.zip + .tar.gz from url - fails
.tar.gz from file upload - works
general file uploads in druapl - work fine
image upload in drupal - work fine
So it would only be the two above processes using drupal_realpath if anyone decided that was the way to go...
Comment #33
bfroehle CreditAttribution: bfroehle commentedchx: I meant everywhere in the sense that this is a recurring issue:
#357469: file_save_upload() fails to handle open_basedir restriction
#1240256: file_unmanaged_copy() Fails with Drupal 7.7+ and safe_mode or open_basedir
etc.
Comment #34
patrickd CreditAttribution: patrickd commentedWe just run into this issue on simplytest.me, which uses ubuntu and safe_mode=On
Trick was, as chx statet, to call the extraction method with drupal_realpath()
http://drupal.org/node/1930464#comment-7124970
Though I'm wondering whether we should put the drupal_realpath() call into the Zip/ZipArchiver class itself, to make sure it always workds when it calls the extraction method of PHP's ZipArchive.
It feels a bit stupid that I have to ask people to change their code to get a module running on simplytest.me which runs fine (nearly) everywhere else
Comment #45
LendudeThis has gone stale for while now. It's referencing PHP5.2 and PHP5.3.
Is this still relevant, are people still running in to this or can we close this as outdated?
Comment #47
quietone CreditAttribution: quietone at PreviousNext commentedThere has been no reply in the past 7 months that this problem is still happening. Therefor I am closing this as oudated.
Thanks everyone who worked on this to improve Drupal!