LocalStream::getLocalPath($uri) does not interpret symlinks correctly

Created on 17 March 2015, over 10 years ago
Updated 12 June 2025, 12 days ago

The getLocalPath($uri) method on Drupal\Core\StreamWrapper\LocalStream does not handle symlinks correctly, which may cause failed `public://$somepath` (and other) resolutions.

Steps to reproduce:

  • have an external set of files somewhere, say in $HOME/mine, containing $HOME/mine/some.file
  • in the Drupal site, say in $D8, symlink that directory under the public files directory:
    cd $D8
    cd sites/default/files
    ln -s $HOME/mine
    
  • at this point, ls $D8/sites/default/files/mine works normally and shows some.file
  • and so does using manual resolution:
    $public = \Drupal::service('stream_wrapper.public')->realpath();
    $path = "$public/mine/some.file";
    var_dump(is_readable($path)); // TRUE
    
  • However, this does not work although it should:
    $path = 'public://mine/some.file';
    var_dump(is_readable($path)); // FALSE
    

What happens in getLocalPath() is that it tries to outsmart the file system by double checking real absolute paths, which does not work in the presence of symlinks. Summarizing:

  • $realpath = realpath($path); returns the full path of the target
  • $directory = realpath($this->getDirectoryPath()); returns the full path above the symlink
  • if (strpos($realpath, $directory) !== 0) return FALSE; assumes full path below symlink contains full path above, which is not true if the symlink is outside the directory.

This check is probably here for a safety reason, however history stops at commit b27e906, for issue #1475020: Convert stream_wrappers.inc to PSR-0, so this behavior is earlier (03/2012).

πŸ› Bug report
Status

Postponed: needs info

Version

11.0 🔥

Component

file system

Created by

🇫🇷 France fgm Paris, France

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.
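
The check summarized in the issue, reproduced as a stand-alone PHP script (an added example, not Drupal's LocalStream code and not part of the original issue). `resolve_within()` and every directory name are hypothetical; the script assumes a POSIX system where `symlink()` works without extra privileges.

```php
<?php
/**
 * Hypothetical helper mirroring the three steps listed in the issue:
 * resolve the target, resolve the base, then require the base as a prefix.
 * Returns the resolved path, or FALSE when it falls outside $base.
 */
function resolve_within(string $base, string $target) {
  $realpath = realpath($base . '/' . $target);   // follows every symlink
  $directory = realpath($base);
  if ($realpath === FALSE || $directory === FALSE) {
    return FALSE;
  }
  if (strpos($realpath, $directory) !== 0) {
    return FALSE;                                // resolved target left $base
  }
  return $realpath;
}

// Constructed layout in a private temp directory.
$root = sys_get_temp_dir() . '/localstream_demo_' . getmypid();
$files = "$root/site/files";   // stands in for sites/default/files
$external = "$root/mine";      // stands in for $HOME/mine
mkdir($files, 0700, TRUE);
mkdir($external, 0700);
mkdir("$files/inside", 0700);
file_put_contents("$external/some.file", 'x');
file_put_contents("$files/inside/some.file", 'x');
symlink($external, "$files/mine");         // link whose target is outside $files
symlink("$files/inside", "$files/alias");  // link whose target stays inside $files

// Plain filesystem access through the outside-pointing link.
var_dump(is_readable("$files/mine/some.file"));
// Same file through the prefix check: the resolved path is under $root/mine.
var_dump(resolve_within($files, 'mine/some.file'));
// A link that resolves inside $files still satisfies the prefix check.
var_dump(resolve_within($files, 'alias/some.file'));

// Remove the constructed files and links.
unlink("$files/mine");
unlink("$files/alias");
unlink("$files/inside/some.file");
unlink("$external/some.file");
rmdir("$files/inside");
rmdir($files);
rmdir("$root/site");
rmdir($external);
rmdir($root);
```

The three `var_dump()` calls put the two resolution paths from the steps to reproduce side by side, plus the case of a symlink that never leaves the files directory.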


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇦🇺 Australia kim.pepper 🏄‍♂️🇦🇺 Sydney, Australia

    I reviewed this issue as part of Bug Smash Initiative.

    I did not try to reproduce this locally. It looks like the code is almost identical to when the issue was posted.

    Unfortunately there is no context to that change to inform whether it is intended behavior for security reasons.

    It would be helpful to have an automated test to prove the bug exists.

    I'm changing to PMNI to get feedback from the OP and see if it is still occurring.
