Bug #24346
closed
Thumbnail generation fails
Added by Markus Kurde over 13 years ago.
Updated over 5 years ago.
Description
In class.t3lib_div.php :: imageMagickCommand the php function "escapeshellarg" is used instead of "escapeshellcmd". This lead to an invalid imagemagick convert argument. escapeshellarg stips out single-quotes of the asterix in the argument,.
Example:
BAD:
/usr/bin/convert +profile * -sample 56x56 /home/www/xxxx/fileadmin/user_upload/content_images/2007-02.png\[0\] /home/www/xxxx/typo3temp/tmb_cc4b193897.gif': No such file or directory
GOOD:
/usr/bin/convert +profile '*' -sample 56x56 /home/www/xxxx/fileadmin/user_upload/content_images/2007-02.png\[0\] /home/www/xxxx/typo3temp/tmb_cc4b193897.gif': No such file or directory
see add. info for patch!!
Index: class.t3lib_div.php
===================================================================
--- class.t3lib_div.php (Revision 9811)
++ class.t3lib_div.php (Arbeitskopie)
@ -6191,12 +6191,12 @
// Compile the path & command
if ($im_version === 'gm') {
$switchCompositeParameters = TRUE;
- $path = escapeshellarg($path . 'gm' . $isExt) . ' ' . $command;
$path = escapeshellcmd($path . 'gm' . $isExt) . ' ' . $command;
} else {
if ($im_version === 'im6') {
$switchCompositeParameters = TRUE;
}
- $path = escapeshellarg($path . (($command 'composite') ? $combineScript : $command) . $isExt);
+ $path = escapeshellcmd($path . (($command 'composite') ? $combineScript : $command) . $isExt);
}
// strip profile information for thumbnails and reduce their size
(issue imported from #M16755)
Files
How come this affects the "+profile" part if the escapeshellarg() you are refering to in the additional info is only around the CMD part? In your case it is:
/usr/bin/convert
Can you give more information on how to reproduce that?
It's not a problem with the argument but with the command itself.
escapeshellarg() adds single quotes around the command
So instead /usr/bin/gm it's now '/usr/bin/gm' including (!) single quotes.
At least with safe_mode turned on, the command is no longer valid.
The message "No such file or directory" in the error log refers to the malformed command, which is not found.
To clarify this, escapeshellarg() is simply the wrong function here because it's supposed to escape ARGUMENTS not the command.
It's better to use escapecmd() instead.
Patch is working for me fine!
Thanks!
Why doen't anybody check if everthing is working in safe_mode.
That is not the first time, that something isn't working after an update.
Jan is right. I was mislead by my solution. The escapeshellarg() just wraps around the command.
Additionally I forgot to mention that the save_mode is turned on. Thanks Jan.
@admin: maybe someone can update my initial bug report and add those.
Thanks for the patch !
This is the real problem.
Why is not resolved in 4.4.6?
Because #24281, which aims to solve this, is not fixed, yet.
There are lots of problems with different environments, esp. Windows or safe_mode enabled.
With TYPO3 4.5.0 the file to be patched is now: t3lib/utility/class.t3lib_utility_command.php
- No tumbnails are generated if safe_mode is on
Since TYPO3 4.4.5 image generation is broken if safe_mode is on.
This was introduced with http://bugs.typo3.org/view.php?id=6001 which solves an issue with whitespace in "im_path" (which seems to be widely used on Windows).
- No thumbnails are generated if im_path contains non-ASCII characters.
$TYPO3_CONF_VARS['GFX']["im_path"] containing german umlauts did not work because escapeshellarg()/escapeshellcmd() strips non-ASCII character if wrong or no Locale set.
- No thumbnails are generated for images with non-ASCII characters in filename.
With safe_mode = on exec() calls escapeshellcmd() implicitly wich strips out non-ASCII characters if no or wrong Locale set.
For TYPO3 4.5.0 this patch (16755_TYPO3-4.5.0.patch) solves that issues by setting LC_CTYPE to the value defined in $TYPO3_CONF_VARS['SYS']['systemLocale'].
$TYPO3_CONF_VARS['SYS']['UTF8filesystem'] must be set to 1 and $TYPO3_CONF_VARS['SYS']['systemLocale'] must be set to something reasonable (like 'de_DE.UTF-8').
This patch was tested on Debian Linux 5 running PHP 5.2.6
=========================================================
$TYPO3_CONF_VARS['GFX']["im_path"] containing no whitespace AND "safe_mode = off" does work.
$TYPO3_CONF_VARS['GFX']["im_path"] containing whitespace AND "safe_mode = off" does work.
$TYPO3_CONF_VARS['GFX']["im_path"] containing no whitespace AND "safe_mode = on" does work.
$TYPO3_CONF_VARS['GFX']["im_path"] containing whitespace AND "safe_mode = on" does NOT work, but also did not work without patch - seems to be unsolvable.
This patch was tested on Windows XP running PHP 5.3.3 (XAMPP)
=========================================================
$TYPO3_CONF_VARS['GFX']["im_path"] containing no whitespace AND "safe_mode = off" does work.
$TYPO3_CONF_VARS['GFX']["im_path"] containing whitespace AND "safe_mode = off" does work.
$TYPO3_CONF_VARS['GFX']["im_path"] containing no whitespace AND "safe_mode = on" does not work, but also did not work without patch - seems to be unsolvable.
$TYPO3_CONF_VARS['GFX']["im_path"] containing whitespace AND "safe_mode = on" does NOT work, but also did not work without patch - seems to be unsolvable.
With TYPO3 4.5.0 the file to be patched is now: t3lib/utility/class.t3lib_utility_command.php
Thanks a lot!
This patch saved my life!
It works perfectly now with safe mode on.
- Target version deleted (
0)
I don't think the patch can really work as is because it escapes the path on the top and later uses the (already escaped) patch to call GM/IM:
- $path = escapeshellarg($path . 'gm' . $isExt) . ' ' . $command;
+ $path = $path . 'gm' . $isExt . ' ' . $command;
Issue says that escapeshellcmd() should be used, which sounds logical and might possibly be a good idea but wouldn't enclose a patch with spaces. (Which would also make exec fail.)
In #24281 (which is already marked resolved/was commited) a patch went into TYPO3 where on WIN for PHP <5.3.0 quotes were used and issue says this solves the special case.
(Another side-note is that #25332 removed safe-mode-support at least for TYPO3 v4.6 anyhow.)
Imho because of the code already in TYPO3 4.5 and 4.6 from #24281 we should be able to close this issue here if I understand right (no old PHP on Windows available to test). Somebody who spoke up in this issue here please retest with a current TYPO3-version and say if any further fixes (like proposed here) are needed or if the current TYPO3-code (because of fixed #24281) already works out of the box.
Yes i know, safe_mode support is going to be dropped with TYPO3 4.6, but for now and TYPO3 4.5 it should still be possible to use safe_mode.
Stock TYPO3 4.5.3 still does not generate images with safe_mode on (running Debian Llinux PHP 5.2 or 5.3).
Problem is still the same, the misusage of escapeshellarg() breaks correct escaping in safe_mode. See http://forge.typo3.org/issues/24904
Since my patch (http://forge.typo3.org/attachments/16792/17419.diff) was declined by the core team i do not have a better solution than to patch every new TYPO3 core over and over again...
Is this solved with #24369 maybe?
Problem was solved (at least for me) by http://forge.typo3.org/issues/24369
Image generation now does work with safe_mode turned on using Debian 5 & 6 (did not test any other OS so far).
- Status changed from New to Resolved
Current versions of TYPO3 do no longer support safe_mode.
- Status changed from Resolved to Closed
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by