Bug #24346

Thumbnail generation fails

Added by Markus Kurde almost 6 years ago. Updated over 3 years ago.

Status:Resolved Start date:2010-12-16
Priority:Should have Due date:
Assigned To:- % Done:

0%

Category:- Spent time: -
Target version:-
TYPO3 Version:4.4 Complexity:
PHP Version:5.2 Is Regression:
Tags: Sprint Focus:

Description

In class.t3lib_div.php :: imageMagickCommand the php function "escapeshellarg" is used instead of "escapeshellcmd". This lead to an invalid imagemagick convert argument. escapeshellarg stips out single-quotes of the asterix in the argument,.

Example:
BAD:
/usr/bin/convert +profile * -sample 56x56 /home/www/xxxx/fileadmin/user_upload/content_images/2007-02.png\[0\] /home/www/xxxx/typo3temp/tmb_cc4b193897.gif': No such file or directory

GOOD:
/usr/bin/convert +profile '*' -sample 56x56 /home/www/xxxx/fileadmin/user_upload/content_images/2007-02.png\[0\] /home/www/xxxx/typo3temp/tmb_cc4b193897.gif': No such file or directory

see add. info for patch!!

Index: class.t3lib_div.php ===================================================================
--- class.t3lib_div.php (Revision 9811)
++ class.t3lib_div.php (Arbeitskopie)
@ -6191,12 +6191,12 @
// Compile the path & command
if ($im_version === 'gm') {
$switchCompositeParameters = TRUE;
- $path = escapeshellarg($path . 'gm' . $isExt) . ' ' . $command;
$path = escapeshellcmd($path . 'gm' . $isExt) . ' ' . $command;
} else {
if ($im_version === 'im6') {
$switchCompositeParameters = TRUE;
}
- $path = escapeshellarg($path . (($command 'composite') ? $combineScript : $command) . $isExt);
+ $path = escapeshellcmd($path . (($command 'composite') ? $combineScript : $command) . $isExt);
}

// strip profile information for thumbnails and reduce their size
(issue imported from #M16755)

16755_TYPO3-4.5.0.patch Magnifier (2.1 kB) Administrator Admin, 2011-02-01 17:03


Related issues

related to Core - Bug #17489: Install Tool image tests fail when there are spaces in th... Resolved 2007-07-19
related to Core - Bug #24369: No image generation with PHP-SAFE_MODE (GM/IM) Resolved 2010-12-20
related to Core - Bug #24281: ImageMagick does not work with quotes in exec() path on W... Resolved 2010-12-03
related to Core - Bug #24904: Image generation broken with safe_mode on Resolved 2011-01-31

History

#1 Updated by Ernesto Baschny almost 6 years ago

How come this affects the "+profile" part if the escapeshellarg() you are refering to in the additional info is only around the CMD part? In your case it is:

/usr/bin/convert

Can you give more information on how to reproduce that?

#2 Updated by Jan Radecker almost 6 years ago

It's not a problem with the argument but with the command itself.
escapeshellarg() adds single quotes around the command

So instead /usr/bin/gm it's now '/usr/bin/gm' including (!) single quotes.

At least with safe_mode turned on, the command is no longer valid.
The message "No such file or directory" in the error log refers to the malformed command, which is not found.

To clarify this, escapeshellarg() is simply the wrong function here because it's supposed to escape ARGUMENTS not the command.
It's better to use escapecmd() instead.

#3 Updated by Sebastian Enders almost 6 years ago

Patch is working for me fine!

Thanks!

Why doen't anybody check if everthing is working in safe_mode.
That is not the first time, that something isn't working after an update.

#4 Updated by Markus Kurde almost 6 years ago

Jan is right. I was mislead by my solution. The escapeshellarg() just wraps around the command.

Additionally I forgot to mention that the save_mode is turned on. Thanks Jan.

@admin: maybe someone can update my initial bug report and add those.

#5 Updated by Rafal Brzeski almost 6 years ago

Thanks for the patch !
This is the real problem.

#6 Updated by Robert Gonda over 5 years ago

Why is not resolved in 4.4.6?

#7 Updated by Steffen Gebert over 5 years ago

Because #24281, which aims to solve this, is not fixed, yet.

There are lots of problems with different environments, esp. Windows or safe_mode enabled.

#8 Updated by Robert Gonda over 5 years ago

Thank you, I understand.

#9 Updated by Larsen no-lastname-given over 5 years ago

With TYPO3 4.5.0 the file to be patched is now: t3lib/utility/class.t3lib_utility_command.php

#10 Updated by Jan Radecker over 5 years ago

  1. No tumbnails are generated if safe_mode is on
    Since TYPO3 4.4.5 image generation is broken if safe_mode is on.
    This was introduced with http://bugs.typo3.org/view.php?id=6001 which solves an issue with whitespace in "im_path" (which seems to be widely used on Windows).
  1. No thumbnails are generated if im_path contains non-ASCII characters.
    $TYPO3_CONF_VARS['GFX']["im_path"] containing german umlauts did not work because escapeshellarg()/escapeshellcmd() strips non-ASCII character if wrong or no Locale set.
  1. No thumbnails are generated for images with non-ASCII characters in filename.
    With safe_mode = on exec() calls escapeshellcmd() implicitly wich strips out non-ASCII characters if no or wrong Locale set.

For TYPO3 4.5.0 this patch (16755_TYPO3-4.5.0.patch) solves that issues by setting LC_CTYPE to the value defined in $TYPO3_CONF_VARS['SYS']['systemLocale'].
$TYPO3_CONF_VARS['SYS']['UTF8filesystem'] must be set to 1 and $TYPO3_CONF_VARS['SYS']['systemLocale'] must be set to something reasonable (like 'de_DE.UTF-8').

This patch was tested on Debian Linux 5 running PHP 5.2.6 =========================================================
$TYPO3_CONF_VARS['GFX']["im_path"] containing no whitespace AND "safe_mode = off" does work.
$TYPO3_CONF_VARS['GFX']["im_path"] containing whitespace AND "safe_mode = off" does work.
$TYPO3_CONF_VARS['GFX']["im_path"] containing no whitespace AND "safe_mode = on" does work.
$TYPO3_CONF_VARS['GFX']["im_path"] containing whitespace AND "safe_mode = on" does NOT work, but also did not work without patch - seems to be unsolvable.

This patch was tested on Windows XP running PHP 5.3.3 (XAMPP) =========================================================
$TYPO3_CONF_VARS['GFX']["im_path"] containing no whitespace AND "safe_mode = off" does work.
$TYPO3_CONF_VARS['GFX']["im_path"] containing whitespace AND "safe_mode = off" does work.
$TYPO3_CONF_VARS['GFX']["im_path"] containing no whitespace AND "safe_mode = on" does not work, but also did not work without patch - seems to be unsolvable.
$TYPO3_CONF_VARS['GFX']["im_path"] containing whitespace AND "safe_mode = on" does NOT work, but also did not work without patch - seems to be unsolvable.

#11 Updated by Thomas Hirt over 5 years ago

With TYPO3 4.5.0 the file to be patched is now: t3lib/utility/class.t3lib_utility_command.php

Thanks a lot!
This patch saved my life!
It works perfectly now with safe mode on.

#12 Updated by Stefan Neufeind about 5 years ago

  • Target version deleted (0)

I don't think the patch can really work as is because it escapes the path on the top and later uses the (already escaped) patch to call GM/IM:

- $path = escapeshellarg($path . 'gm' . $isExt) . ' ' . $command;
+ $path = $path . 'gm' . $isExt . ' ' . $command;

Issue says that escapeshellcmd() should be used, which sounds logical and might possibly be a good idea but wouldn't enclose a patch with spaces. (Which would also make exec fail.)

In #24281 (which is already marked resolved/was commited) a patch went into TYPO3 where on WIN for PHP <5.3.0 quotes were used and issue says this solves the special case.

(Another side-note is that #25332 removed safe-mode-support at least for TYPO3 v4.6 anyhow.)

Imho because of the code already in TYPO3 4.5 and 4.6 from #24281 we should be able to close this issue here if I understand right (no old PHP on Windows available to test). Somebody who spoke up in this issue here please retest with a current TYPO3-version and say if any further fixes (like proposed here) are needed or if the current TYPO3-code (because of fixed #24281) already works out of the box.

#13 Updated by Jan Radecker about 5 years ago

Yes i know, safe_mode support is going to be dropped with TYPO3 4.6, but for now and TYPO3 4.5 it should still be possible to use safe_mode.

Stock TYPO3 4.5.3 still does not generate images with safe_mode on (running Debian Llinux PHP 5.2 or 5.3).

Problem is still the same, the misusage of escapeshellarg() breaks correct escaping in safe_mode. See http://forge.typo3.org/issues/24904

Since my patch (http://forge.typo3.org/attachments/16792/17419.diff) was declined by the core team i do not have a better solution than to patch every new TYPO3 core over and over again...

#14 Updated by Stefan Neufeind over 4 years ago

Is this solved with #24369 maybe?

#15 Updated by Jan Radecker over 4 years ago

Problem was solved (at least for me) by http://forge.typo3.org/issues/24369

Image generation now does work with safe_mode turned on using Debian 5 & 6 (did not test any other OS so far).

#16 Updated by Chris topher over 3 years ago

  • Status changed from New to Resolved

Current versions of TYPO3 do no longer support safe_mode.

Also available in: Atom PDF