[Process] do not search in $PATH entries not allowed by open_basedir #58008

Closed
xabbuh (Member) commented Aug 14, 2024

| Q             | A
| ------------- | ---
| Branch?       | 5.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Issues        |
| License       | MIT

replaces #57954

The current version of the ExecutableFinder only checks the paths in the open_basedir when set. However, this will cause the ExecutableFinder not to find the executable in question if it is in a subfolder of one of the open_basedir paths.

For example the environment might be configured as follows:

  • PATH=/usr/bin
  • open_basedir=/usr

In this case the ExecutableFinder only checks the /usr folder and won't find the binaries in /usr/bin, even though the PHP process would be allowed to access /usr/bin, as the open_basedir restriction allows access to subfolders.

This PR fixes that by always adding the paths from PATH to the directories to be checked.

Note: this is not an issue in Symfony 6.4+. The open_basedir logic does not exist there and thus that problem does not exist there.
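
The PATH/open_basedir relationship described above, as an added example (not code from this PR or from Symfony): a hypothetical helper, `pathDirsAllowedByOpenBasedir()`, keeps the PATH entries that lie at or below an open_basedir entry. It assumes Unix-style paths with `:` as separator and compares strings only, without resolving symlinks as PHP itself does.

```php
<?php

/**
 * Hypothetical helper (added example, not Symfony's code): return the PATH
 * entries that lie at or below one of the open_basedir entries.
 * Simplified model: plain string comparison on directory boundaries; it does
 * not resolve symlinks, ".." segments or relative entries the way PHP does.
 */
function pathDirsAllowedByOpenBasedir(string $path, string $openBasedir, string $sep = ':'): array
{
    // Strip trailing slashes but keep the filesystem root as "/".
    $normalize = static function (string $dir): string {
        $trimmed = rtrim($dir, '/');

        return '' === $trimmed ? '/' : $trimmed;
    };

    $pathDirs = array_values(array_filter(explode($sep, $path), 'strlen'));
    if ('' === $openBasedir) {
        return $pathDirs; // no restriction configured: keep every PATH entry
    }
    $baseDirs = array_map($normalize, array_filter(explode($sep, $openBasedir), 'strlen'));

    $allowed = [];
    foreach ($pathDirs as $dir) {
        $candidate = $normalize($dir).'/';
        foreach ($baseDirs as $base) {
            // Appending "/" to both sides makes /usr match /usr and /usr/bin,
            // but not a sibling such as /usrlocal.
            if (0 === strpos($candidate, '/' === $base ? '/' : $base.'/')) {
                $allowed[] = $dir;
                continue 2;
            }
        }
    }

    return $allowed;
}

// Constructed sample values, modelled on the configuration in the description.
$path = '/usr/bin:/usr/local/bin:/opt/tools/bin:/usrlocal/bin';
$openBasedir = '/usr';

var_export([
    // Search list built only from the open_basedir entries: /usr/bin is never tried.
    'open_basedir entries only' => explode(':', $openBasedir),
    // PATH entries kept because they sit inside the allowed tree.
    'PATH entries within open_basedir' => pathDirsAllowedByOpenBasedir($path, $openBasedir),
]);
```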

Comment on lines 56 to +58
if (\ini_get('open_basedir')) {
$searchPath = array_merge(explode(\PATH_SEPARATOR, \ini_get('open_basedir')), $extraDirs);
$dirs = [];
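
Review bot: `\ini_get('open_basedir')` is read twice in the first two lines, and the `explode()` result goes into `$searchPath` unfiltered, so an empty segment (for example from a trailing separator in the ini value) becomes a search entry. Consider reading the value once into a local variable and dropping empty strings before the `array_merge()`. A short comment on why the open_basedir entries themselves remain search candidates alongside `$extraDirs` would also help, since the description frames the fix as adding the entries from PATH.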

Contributor

With the new logic $extraDirs do not have to be searched here. Imho #57954 is the correct variant.

Member

#57954 which keeps adding the open_basedir folders as dirs to search in does not make sense.

Contributor

@stof so does this PR now. Symfony 6 and 7 also do not check whether the paths are allowed by open_basedir - the check happens by silencing open_basedir errors when using is_dir and is_executable with @. See

@nicolas-grekas
Member

Closing in favor of #58291

nicolas-grekas added a commit that referenced this pull request Sep 17, 2024
…sedir (BlackbitDevs)

This PR was merged into the 5.4 branch.

Discussion
----------

[Process] Fix finding executables independently of open_basedir

| Q             | A
| ------------- | ---
| Branch?       | 5.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Issues        | -
| License       | MIT

This backports #47422 to 5.4, which is a bugfix really.

Instead of #58008 and #57954 /cc `@xabbuh` `@fritzmg`

Commits
-------

4424763 [Process] Fix finding executables independently of open_basedir

xabbuh deleted the pr-57954 branch September 17, 2024 12:53