Contrib.social

FileSystem::mkdir should handle open_basedir correctly

Open on Drupal.org ā†’
Created on 13 September 2016, over 7 years ago
Updated 27 May 2024, 5 days ago

In settings.php, the private file path is documented with "This directory must be absolute, ...". However, an absolute path does not work when drupal runs on a shared host and access to the parent directories is not possible.

Example:
ā€¢ a shared host with drupal root /var/www/ud17_276/html/drupal
ā€¢ web server root is /var/www/ud17_276/html
ā€¢ shared host root is /var/www/ud17_276, i.e., this part is not visible for the space admin, and thus neither for drupal
ā€¢ in settings.php:
$settings['file_private_path'] = '/var/www/ud17_276/files/drupal-private';

If a drupal user tries to upload a file, by creating a node of a content type having a file field with private storage configured, drupal tries to create the full parent path, /var/www/ud17_276, which obviously will fail. The error message in the log is:

"The upload directory private://2016-09 for the file field field_privimage could not be created or is not accessible. A newly uploaded file could not be saved in this directory as a consequence, and the upload was canceled."

Configuring the shared host's users relative root, like
$settings['file_private_path'] = '/files/drupal-private';
does also not work. The only way this seems to work currently is a relative path:

$settings['file_private_path'] = '../../files/drupal-private';

Hence, either the code documentation in settings.php should be updated to include this case, or the coding has to be changed to be able to deal with shared hosting. (Unfortunately, due to lack of php knowledge, I cannot judge these options.)

Best, Tobias

šŸ› Bug report
Status

Needs work

Version

11.0 šŸ”„

Component
File systemĀ  ā†’

Last updated 1 day ago

Created by

šŸ‡©šŸ‡ŖGermany tobias-hd

Live updates comments and jobs are added and updated live.
  • Needs issue summary update

    Issue summaries save everyone time if they are kept up-to-date. See Update issue summary task instructions.

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Comment about 1 year ago ā†’
    šŸ‡ŗšŸ‡øUnited States smustgrave

    This issue is being reviewed by the kind folks in Slack, #needs-review-queue-initiative. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request ā†’ as a guide.

    The issue summary should be updated to clearly show what the proposed solution is, remaining tasks, etc

    -        usleep((int) (($time_to_start - microtime(TRUE)) * 1000000));
+        usleep((int) (($time_to_start - microtime(TRUE)) * 5000000));

    Not sure if this is in scope?

    But as a bug this will need a test case showing the issue.

  • Comment 11 months ago ā†’
    šŸ‡ØšŸ‡¦Canada bohemier

    Thanks for the patch, without it, it is impossible to handle securing private files outside of the webroot with the open_basedir directive. After applying it, wet can set private and tmp using relative directories, such as:

    ```
    $settings['file_private_path'] = '../../private';
    $settings['file_temp_path'] = '../../tmp';
    ```

  • Comment 5 months ago ā†’
    šŸ‡¬šŸ‡§United Kingdom egfrith

    After some time getting to the bottom of #3411785, I would hope that we could get this sorted out. @smustgrave: is it possible to set up open_basedir in the testing environment? If not, I'm not clear how a test could be created for this issue.

  • Issue was unassigned.
  • Comment 5 months ago ā†’
    šŸ‡®šŸ‡¹Italy apaderno Brescia, šŸ‡®šŸ‡¹

    I use shared hosting for a site, but I am able to use absolute paths, even when I set the file private path. Maybe the issue summary should explain when there are issues with using absolute paths.

  • Comment 5 days ago ā†’
    šŸ‡©šŸ‡ŖGermany C.Riemer

    #21 saved my day!

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024