Private stream wrapper is not safe for mkdir() function calls

@Peter Majmesku, is this a problem?

There has been no activity here for 2 years, except 10 months ago to ask for steps to reproduce. We need that information to confirm the problem and write tests.

If you are experiencing this problem on a supported version of Drupal reopen the issue, by setting the status to 'Active', and provide complete steps to reproduce the issue → (starting from "Install Drupal core").

Since we need more information to move forward with this issue, I am keeping the status at Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.

Thanks!

I am encountering this same issue. I am digging into it, and can reproduce it in my environment.

This is my analysis:
* I'm trying to upload a file into Drupal via the UI
* this causes FileSystem::prepareDirectory() to be called with $uri = 'private://2023-05'
* my private location is '/var/www/html/private-files' (which exists and is readable/writable by the PHP process)
* prepareDirectory() calls FileSystem::mkdir(), which calls FileSystem::mkdirCall() in the StreamWrapperManager::getScheme branch.
* mkdirCall calls back into FileSystem::mkdir()
* now mkdir() tries to create the directory recursively. In checking file_exists('/var'), it receives FALSE, even though /var exists and is readable by the PHP user.
* This is where I'm stuck - I don't know why file_exists is returning FALSE. I've tried calling clearstatcache just prior to the file_exists, but file_exists still returns FALSE. I've tried calling file_exists('/var') from a PHP script invoked using 'drush scr myscript.php' - it receives TRUE (and so does not reproduce the issue).
* Applying patch #6 fixes the issue for me. Drupal successfully creates private://2023-05 (aka /var/www/html/private-files/2023-05) and the upload succeeds. This is evidence that the issue is within Drupal and is not a result of an directory permission issue.

This is the stack trace at the point that file_exists('/var') returns FALSE:

┆ 6609 #0 /var/www/html/web/core/lib/Drupal/Core/StreamWrapper/LocalStream.php(346): Drupal\Core\File\FileSystem->mkdir()\n
┆ 6610 #1 [internal function]: Drupal\Core\StreamWrapper\LocalStream->mkdir()\n
┆ 6611 #2 /var/www/html/web/core/lib/Drupal/Core/File/FileSystem.php(255): mkdir()\n
┆ 6612 #3 /var/www/html/web/core/lib/Drupal/Core/File/FileSystem.php(188): Drupal\Core\File\FileSystem->mkdirCall()\n
┆ 6613 #4 /var/www/html/web/core/lib/Drupal/Core/File/FileSystem.php(538): Drupal\Core\File\FileSystem->mkdir()\n
┆ 6614 #5 /var/www/html/web/core/modules/file/file.module(1437): Drupal\Core\File\FileSystem->prepareDirectory()\n
┆ 6615 #6 /var/www/html/web/core/modules/file/src/Element/ManagedFile.php(76): file_managed_file_save_upload()\n
┆ 6616 #7 /var/www/html/web/core/modules/file/src/Plugin/Field/FieldWidget/FileWidget.php(329): Drupal\file\Element\ManagedFile::valueCallback()\n
┆ 6617 #8 [internal function]: Drupal\file\Plugin\Field\FieldWidget\FileWidget::value()\n
(I'm omitting the rest of the stack trace as the above is the relevant part).

@jdhildeb, thanks for details!

I am setting this back to active and updated the IS.

I have reproduced on a fresh drupal install, so hopefully someone with more knowledge of drupal filesystems can help investigate further.

Marking active and leaving as "major" because the only reasonable workaround is to upload files to public filesystem, which is not a good option if you are dealing with sensitive documents.

this breaks http://drupal.org/project/filecache.

it can no longer make directories.

"PHP message: Exception: Could not create cache folder /drupal959/html/modules/contrib/filecache/src/Cache/FileSystemBackend.php on line 349 #0 /druapl959/html/modules/contrib/filecache/src/Cache/FileSystemBackend.php(141): Drupal\filecache\Cache\FileSystemBackend->ensureCacheFolderExists('content_block_p...')

As of 10.4.3, I can't reproduce this issue using the steps above. In my project, the patch is no longer required in order for FileSystem->mkdir() to succeed when using private:// URIs. Furthermore, the patch caused other code to fail when trying to create a directory within /tmp.

I am closing this issue, as I believe it has been fixed.