Contrib.social

Package Manager should check open_basedir setting + project layout

Open on Drupal.org โ†’
Created on 7 June 2023, over 1 year ago
Updated 9 August 2023, over 1 year ago

Problem/Motivation

After installing automatic updates my site fails the Update readiness checks with the Unable to collect the paths to exclude error.

The particular error is
SplFileInfo::isDir(): open_basedir restriction in effect. File(/home/robbt/web/robbt.net/public_html/..) is not within the allowed path(s): (/home/robbt/.composer:/home/robbt/web/robbt.net/public_html:/home/robbt/web/robbt.net/private:/home/robbt/web/robbt.net/public_shtml:/home/robbt/tmp:/tmp:/bin:/usr/bin:/usr/local/bin:/usr/share:/opt)

I am using HestiaCP which is a open-source control panel that supports Drupal and evidently utilizes open_basedir

Steps to reproduce

Install Drupal 10 & the 3.0.0-alpha2 in a site where open_basedir is utilized.

Proposed resolution

I was informed that open_basedir was possibly deprecated but I haven't confirmed this and it doesn't appear to be based on this site - https://www.php.net/manual/en/ini.core.php#ini.open-basedir

So the solution would be either to explicitly explain how open_basedir is not supported or to provide a workaround in the code that allows automatic updates to collect the paths to exclude even when there is an open_basedir restriction in place or to document how to work around it.

Remaining tasks

User interface changes

API changes

Data model changes

๐Ÿ“Œ Task
Status

Needs work

Version

3.0

Component

Package Manager

Created by

๐Ÿ‡บ๐Ÿ‡ธUnited States robbt

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

  • Issue created by @robbt
  • Assigned to tedbow
  • Comment over 1 year ago โ†’
    ๐Ÿ‡ง๐Ÿ‡ชBelgium wim leers Ghent ๐Ÿ‡ง๐Ÿ‡ช๐Ÿ‡ช๐Ÿ‡บ

    AFAICT this means we need to add a validator for this.

    I think we need this logic (pseudocode!):

    1. IF ($project root !== $web_root)
    2. AND IF (isset($open_base_dir))
    3. AND IF ($project_root !== $open_basedir)

    THEN throw a validation error, because Automatic Updates cannot possibly work.

    Simultaneously we should ensure that if the project root is the web root, that we do not try to access the parent, because then we're violating the open_basedir restriction unnecessarily.

  • Comment over 1 year ago โ†’
    ๐Ÿ‡บ๐Ÿ‡ธUnited States tedbow Ithaca, NY, USA
  • Comment over 1 year ago โ†’
    ๐Ÿ‡ฎ๐Ÿ‡ณIndia omkar.podey

    omkar.podey โ†’ made their first commit to this issueโ€™s fork.

  • Assigned to omkar.podey
  • Comment over 1 year ago โ†’
    ๐Ÿ‡ฎ๐Ÿ‡ณIndia omkar.podey

    I'll start writing the validator based on Wim's pseudocode using ini_get('open_basedir') to get all paths that are defined.

  • Open in Jenkins โ†’ Open on Drupal.org โ†’
    Core: 10.1.x + Environment: PHP 8.1 & MySQL 8
    last update over 1 year ago
    810 pass, 2 fail
  • @omkarpodey opened merge request.
  • Issue was unassigned.
  • Status changed to Needs work over 1 year ago
  • Comment over 1 year ago โ†’
    ๐Ÿ‡ฎ๐Ÿ‡ณIndia omkar.podey

    @robbt, thanks for reporting this, I have a few questions , so we always want to always search paths inside of the project root, so did your site run at all with open_basedir set ? , other reason could be public and private file paths as our validators would look at those, i would like to know if this is set $settings['file_private_path'] and to what value ?

  • Comment over 1 year ago โ†’
    ๐Ÿ‡บ๐Ÿ‡ธUnited States robbt

    So the site has been running fine with open_basedir set. I did not set the file_private_path and the public path is just sites/default/files

    It appears to want to check the directory above the directory where composer.json etc. is installed.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024