FileSystem::mkdir() should handle open_basedir correctly

Created on 13 September 2016, over 8 years ago
Updated 6 June 2024, 7 months ago

In settings.php, the private file path is documented with "This directory must be absolute, ...". However, an absolute path does not work when drupal runs on a shared host and access to the parent directories is not possible.

Example:
• a shared host with drupal root /var/www/ud17_276/html/drupal
• web server root is /var/www/ud17_276/html
• shared host root is /var/www/ud17_276, i.e., this part is not visible for the space admin, and thus neither for drupal
• in settings.php:
$settings['file_private_path'] = '/var/www/ud17_276/files/drupal-private';

If a drupal user tries to upload a file, by creating a node of a content type having a file field with private storage configured, drupal tries to create the full parent path, /var/www/ud17_276, which obviously will fail. The error message in the log is:

"The upload directory private://2016-09 for the file field field_privimage could not be created or is not accessible. A newly uploaded file could not be saved in this directory as a consequence, and the upload was canceled."

Configuring the shared host's users relative root, like
$settings['file_private_path'] = '/files/drupal-private';
does also not work. The only way this seems to work currently is a relative path:

$settings['file_private_path'] = '../../files/drupal-private';

Hence, either the code documentation in settings.php should be updated to include this case, or the coding has to be changed to be able to deal with shared hosting. (Unfortunately, due to lack of php knowledge, I cannot judge these options.)

Best, Tobias

🐛 Bug report
Status

Needs work

Version

11.0 🔥

Component
File system 

Last updated 3 days ago

Created by

🇩🇪Germany tobias-hd

Live updates comments and jobs are added and updated live.
  • Needs issue summary update

    Issue summaries save everyone time if they are kept up-to-date. See Update issue summary task instructions.

  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇸United States smustgrave

    This issue is being reviewed by the kind folks in Slack, #needs-review-queue-initiative. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request as a guide.

    The issue summary should be updated to clearly show what the proposed solution is, remaining tasks, etc

    -        usleep((int) (($time_to_start - microtime(TRUE)) * 1000000));
    +        usleep((int) (($time_to_start - microtime(TRUE)) * 5000000));
    

    Not sure if this is in scope?

    But as a bug this will need a test case showing the issue.

  • 🇨🇦Canada bohemier Québec city, Qc

    Thanks for the patch, without it, it is impossible to handle securing private files outside of the webroot with the open_basedir directive. After applying it, wet can set private and tmp using relative directories, such as:

    ```
    $settings['file_private_path'] = '../../private';
    $settings['file_temp_path'] = '../../tmp';
    ```

  • 🇬🇧United Kingdom egfrith

    After some time getting to the bottom of #3411785, I would hope that we could get this sorted out. @smustgrave: is it possible to set up open_basedir in the testing environment? If not, I'm not clear how a test could be created for this issue.

  • Issue was unassigned.
  • 🇮🇹Italy apaderno Brescia, 🇮🇹

    I use shared hosting for a site, but I am able to use absolute paths, even when I set the file private path. Maybe the issue summary should explain when there are issues with using absolute paths.

  • 🇩🇪Germany C.Riemer

    #21 saved my day!

  • 🇫🇷France O'Briat Nantes

    Patch #54 generate a segmentation fault if you try to create an folder with an empty name (infinite recursion).

    drush ev '$f = Drupal::service("file_system");$dir="";var_dump($f->mkdir($dir, 1));'
    Segmentation fault
    
  • 🇮🇹Italy apaderno Brescia, 🇮🇹
Production build 0.71.5 2024