ArchiverZip::extract() needs workaround for open_basedir & stream wrappers

Thanks very much, maybe i can have a look at this .. i'm ok at patching things just got no idea how to run the tests etc.

Did some more testing, .tar.gz files will upload if you have downloaded them to your computer then install them using the browse button.

.zip files error with the following error :

•Warning: ZipArchive::extractTo() [ziparchive.extractto]: open_basedir restriction in effect. File(temporary://update-extraction-df65a3f9/token) is not within the allowed path(s): (D:/Websites/zadmin/drupal_kevandrews_co_uk/;C:/ZPanel/temp/;D:/Websites/zadmin/drupal_kevandrews_co_uk/tmp/) in ArchiverZip->extract() (line 112 of D:\Websites\zadmin\drupal_kevandrews_co_uk\modules\system\system.archiver.inc).
•token-7.x-1.0-beta5.zip does not contain any .info files.

The zip file uploads fine, the temp folder is created fine, but the files don't get unzipped to the temp folder.

Installing a module from url .zip gives the following error:
•http://ftp.drupal.org/files/projects/pathauto-7.x-1.0-rc2.zip could not be saved to temporary://update-cache-df65a3f9/pathauto-7.x-1.0-rc2.zip.
•Unable to retrieve Drupal project from http://ftp.drupal.org/files/projects/pathauto-7.x-1.0-rc2.zip.

Installing a module from url .tar.gz gives the following error:
•http://ftp.drupal.org/files/projects/pathauto-7.x-1.0-rc2.tar.gz could not be saved to temporary://update-cache-df65a3f9/pathauto-7.x-1.0-rc2.tar.gz.
•Unable to retrieve Drupal project from http://ftp.drupal.org/files/projects/pathauto-7.x-1.0-rc2.tar.gz.

So you can install a .tar.gz module if you download it to your pc first then upload to the server using the browse to file.
All other processes fail.

This isn't to do with this bug:

#357469: file_save_upload() fails to handle open_basedir restriction

This is to do with how the .zip files are extracted when installing a module from a local file:

Drupal 7.8 module installation testing with open_base_dir restrictions in place.

Uploading a .tar.gz module works fine without any errors and the module is fully functional.

I can see the .tar.gz files have been extracted to a temp folder in my temp directory

Uploading a .zip file gives the following error:

Warning: ZipArchive::extractTo() [ziparchive.extractto]: open_basedir restriction in effect. File(temporary://update-extraction-df65a3f9/date) is not within the allowed path(s): (D:/Websites/zadmin/drupal_kevandrews_co_uk/;C:/ZPanel/temp/;/tmp/) in ArchiverZip->extract() (line 113 of D:\Websites\zadmin\drupal_kevandrews_co_uk\modules\system\system.archiver.inc). date-7.x-2.0-alpha4.zip does not contain any .info files.

The zip file was uploaded to the temp directory, a temp folder has been created but files were not extracted.

From Url zip file or .tar.gz gives the following error:

http://ftp.drupal.org/files/projects/date-7.x-2.0-alpha4.zip could not be saved to temporary://update-cache-df65a3f9/date-7.x-2.0-alpha4.zip.
Unable to retrieve Drupal project from http://ftp.drupal.org/files/projects/date-7.x-2.0-alpha4.zip.

There is a difference in how .tar.gz files are uploaded and installed compared to .zip files in the /modules/system/system.archiver.inc the __construct functions are different and the zip __construct has a todo :

public function __construct($file_path) {
    $this->zip = new ZipArchive();
    if ($this->zip->open($file_path) !== TRUE) {
      // @todo: This should be an interface-specific exception some day.
      throw new Exception(t('Cannot open %file_path', array('%file_path' => $file_path)));
    }
  }

Reopening, see above post.

Changed line 113 in /modules/system/system.archiver.inc so it was hard coded to the temp directory and the zip file is extracted successfully :

$this->zip->extractTo("C:/zpanel/temp/update-extraction-df65a3f9/");

C:/zpanel/temp/update-extraction-df65a3f9/date/
Directory date was created and filled with the module's files.

So my guess the $path variable that is normally passed to the extractTo is incorrect for open_base_dir restrictions...

added the following line under the extractTo command above :

throw new Exception(t($path));

so i can see the $path variable which is :

temporary://update-extraction-df65a3f9

so the temporary:// is most likely causing issues with the open_base_dir restrictions...

If you need to play with a drupal site i can set you one up on my hosting server with accesses to the files database and drupal admin user...

I've changed $this->zip->extractTo($path) to $this->zip->extractTo(drupal_realpath($path)) and it now works perfectly!

I'm just about to leave work now and won't get a chance to work on this until Friday most likely... Thanks for changing the title as per the handbook, sorry i've only recently joined the community and have alot of work and reading to do by the looks of things...

So uploading .tar.gz and .zip with that change now work fine, but installing from URLs won't work still:

    http://ftp.drupal.org/files/projects/google_analytics-7.x-1.2.zip could not be saved to temporary://update-cache-df65a3f9/google_analytics-7.x-1.2.zip.
    Unable to retrieve Drupal project from http://ftp.drupal.org/files/projects/google_analytics-7.x-1.2.zip.

I might need to do some research into that one like the .zip...

Also phpinfo for my server here:

http://zpanel.kevandrews.co.uk/apps/phpinfo/

Didn't spot that... how have you got that printed out?

The open base dir i can get from the vhost file as i have root access to the server, here it is:

DocumentRoot "D:/Websites/zadmin/drupal_kevandrews_co_uk"
php_admin_value open_basedir "D:/Websites/zadmin/drupal_kevandrews_co_uk/;C:/ZPanel/temp/;"

Open base dir are set per vhost as the server software i'm using is for a multi hosting enviroment, its for server security, if i don't have this set there is a security risk that clients on my free hosting platform could get out of their folder and change system files of my server if they knew how... (someone managed it a while back)

I have tried setting the temp directory to the following and none made any difference before doing the change you asked me to do:

tmp/
sites/default/files
C:/ZPanel/temp/

drupal.kevandrews.co.uk

username : drupal
password : drupal

I have taken out the drupal_realpath fix you suggested, have a play...

ftp info

server : kevandrews.co.uk
username : drupal
password : drupal

I'll leave this up till midnight tomorrow for anyone to test on.

Note:

    Warning: ZipArchive::extractTo() [ziparchive.extractto]: open_basedir restriction in effect. File(temporary://update-extraction-df65a3f9/date) is not within the allowed path(s): (D:/Websites/zadmin/drupal_kevandrews_co_uk/;C:/ZPanel/temp/;/tmp/) in ArchiverZip->extract() (line 113 of D:\Websites\zadmin\drupal_kevandrews_co_uk\modules\system\system.archiver.inc).
    date-7.x-2.0-alpha4.zip does not contain any .info files.

Not all the modules have this random \ in the path..

php bugs for open_basedir :
https://bugs.php.net/search.php?cmd=display&search_for=open_basedir&x=0&y=0

don't know if there is anything there of any help?

Installed Drupal 7.8 on Zpanel 6.1.1 which has PHP 5.3.5.

Enabled the update manager so i could install modules. (install module link is missing without this enabled by default)

Got the following error on the top of the install module page (not done anything on that page yet)

    Warning: realpath(): open_basedir restriction in effect. File(C:\ZPanel\panel\temp\updA056.tmp) is not within the allowed path(s): (C:/ZPanel/hostdata/zadmin/drupal_co_uk;C:/ZPanel/panel/temp/) in DrupalLocalStreamWrapper->getLocalPath() (line 369 of C:\ZPanel\hostdata\zadmin\drupal_co_uk\includes\stream_wrappers.inc).
    Warning: realpath(): open_basedir restriction in effect. File(C:\ZPanel\panel\temp) is not within the allowed path(s): (C:/ZPanel/hostdata/zadmin/drupal_co_uk;C:/ZPanel/panel/temp/) in DrupalLocalStreamWrapper->getLocalPath() (line 372 of C:\ZPanel\hostdata\zadmin\drupal_co_uk\includes\stream_wrappers.inc).
    Warning: realpath(): open_basedir restriction in effect. File(C:\ZPanel\panel\temp) is not within the allowed path(s): (C:/ZPanel/hostdata/zadmin/drupal_co_uk;C:/ZPanel/panel/temp/) in DrupalLocalStreamWrapper->getLocalPath() (line 374 of C:\ZPanel\hostdata\zadmin\drupal_co_uk\includes\stream_wrappers.inc).
    Warning: fileowner(): stat failed for temporary://updA056.tmp in update_manager_local_transfers_allowed() (line 906 of C:\ZPanel\hostdata\zadmin\drupal_co_uk\modules\update\update.manager.inc).

vhost settings:

DocumentRoot "C:/ZPanel/hostdata/zadmin/drupal_co_uk"
php_admin_value open_basedir "C:/ZPanel/hostdata/zadmin/drupal_co_uk;C:/ZPanel/panel/temp/"
php_admin_value upload_tmp_dir "C:/ZPanel/panel/temp/"

Changed the temporary directory in drupal config file manager to :
sites/default/files

the error has now gone away at the top of the install module page

Try to install a .zip file module from the local machine using the browse option gives the same error still:

    Warning: ZipArchive::extractTo(): open_basedir restriction in effect. File(temporary://update-extraction-f01de952/google_analytics) is not within the allowed path(s): (C:/ZPanel/hostdata/zadmin/drupal_co_uk;C:/ZPanel/panel/temp/) in ArchiverZip->extract() (line 112 of C:\ZPanel\hostdata\zadmin\drupal_co_uk\modules\system\system.archiver.inc).
    google_analytics-7.x-1.2.zip does not contain any .info files.

So this is an issue on both php 5.2.* and 5.3.* with the open_basedir setting....

Also just run a test on Drupal 8 now i have worked out have to find the installation link for modules on a clean install, get the same error:

    Warning: ZipArchive::extractTo(): open_basedir restriction in effect. File(temporary://update-extraction-3d94ff6a/devel) is not within the allowed path(s): (C:/ZPanel/hostdata/zadmin/drupal_com;C:/ZPanel/panel/temp/) in ArchiverZip->extract() (line 112 of C:\ZPanel\hostdata\zadmin\drupal_com\modules\system\system.archiver.inc).
    devel-8.x-1.x-dev.zip does not contain any .info files.

settings for this installation :

DocumentRoot "C:/ZPanel/hostdata/zadmin/drupal_com"
php_admin_value open_basedir "C:/ZPanel/hostdata/zadmin/drupal_com;C:/ZPanel/panel/temp/"
php_admin_value upload_tmp_dir "C:/ZPanel/panel/temp/"

drupal temp in config set to :
sites/default/files

Ok i can't think of any more tests to run.. but there is definatly an issue with how ZipArchiver works with the open_base_dir seeing as using drupal realpath in the $path seems to fix installing zips and getting files straight from the url fail as well..

If more tests need doing let me know or use the drupal installation in post #15

I've tested on php 5.3.6 and php 5.2.14 I would like to upgrade my stack on the development box at home to php 5.2.17 just to make sure they haven't already fixed this.. I also don't think they are running fixes for php 5.2.* any more so this may only get fixed in 5.3.*....

I'll also test the latest version of 5.3.* today and let you know, I'll use the attached files and post results.

If this hasn't been fixed in the latest versions will we be looking at a work around for drupal in the meanwhile or just waiting for PHP to fix the bug and release a new version?

Cheers, i'll structure some tests, i have a feeling this may have something to do with we are using the setting per VHOST instead of in the php.ini.

I'm going to test both the above then different versions of php to see if i can narrow down the possible causes and update here. Once narrowed i'll take this to php.net

Thanks for your e-mail brad, don't worry about time, I know how limited "spare" time gets...

I've run out of time to test this for the time being, i'll pick this back up next week.
Wolfflow thanks for finding the related issues, i'll have a read over them.

Update: This is a windows only issue by the looks of things. I just installed on CentOS with the open_basedir restriction in place in the httpd-vhosts.conf file exactly the same as the windows server and drupal uses FTP access instead... can this not be enabled for drupal on windows per installation basis?

I personally haven't worked on drupal core yet and am only trying to get a resolution on this so it will work correctly inside a windows multi-hosting environment. Would you have time to do this? I'm also not sure on what sort of resolution people would want in the core.. (in other words the new guy doesn't want to start changing things yet).

Also the only reason i can see that this is a windows only issue is that when installed on linux Drupal requires ftp details to your server to install from a url or file, where as windows uses file upload...

So if I change the file ownership to the webserver user then I will be able to test the same process on linux that windows uses? I'll try and test tonight. Also i'll have a look at testing PHP SSH2 ..

My post #4 shows the errors when uploading .zip files and using install from URL with both .zip and .tar.gz files. So it would need to be used in a max of three places. Even if we could get a patch people could use / install to fix this I would be happy...

Just to reclarify:

.zip browse and upload - fails
.zip + .tar.gz from url - fails

.tar.gz from file upload - works
general file uploads in druapl - work fine
image upload in drupal - work fine

So it would only be the two above processes using drupal_realpath if anyone decided that was the way to go...