Project

General

Profile

Actions

Bug #24369

closed

No image generation with PHP-SAFE_MODE (GM/IM)

Added by Markus Blaschke over 13 years ago. Updated almost 6 years ago.

Status:
Closed
Priority:
Should have
Category:
-
Target version:
-
Start date:
2010-12-20
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
4.4
PHP Version:
5.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

With PHP in SAFE_MODE all imagemagick/graphicsmagick calls will fail.

TYPO3 Installer:
"Use of ImageMagick has been disabled in the configuration."

Apache error_log:
sh: /share/bin//gm': No such file or directory
sh: /share/bin//convert': No such file or directory
sh: /share/bin//combine': No such file or directory
sh: /share/bin//composite': No such file or directory
sh: /share/bin//identify': No such file or directory

It's fine with 4.4.4 and all images will be generated correctly but not with 4.4.5

(issue imported from #M16785)


Files

16785.patch (3.41 KB) 16785.patch Administrator Admin, 2011-02-05 13:33
16785_v2.patch (3.42 KB) 16785_v2.patch Administrator Admin, 2011-02-11 22:13
16785-4_4-v2.patch (2.91 KB) 16785-4_4-v2.patch Administrator Admin, 2011-02-11 22:13

Related issues 3 (0 open3 closed)

Related to TYPO3 Core - Bug #24904: Image generation broken with safe_mode onClosed2011-01-31

Actions
Related to TYPO3 Core - Bug #24346: Thumbnail generation failsClosed2010-12-16

Actions
Has duplicate TYPO3 Core - Bug #24404: TYPO3 4.4.5: Imagemagick isn't vailable in php safe_modeClosedSteffen Gebert2010-12-23

Actions
Actions #1

Updated by Larsen no-lastname-given over 13 years ago

I can confirm this issue with 4.4.5 on Debian Lenny. The install tool shows no version number when safe mode is enabled.

Safe mode off:
ImageMagick path: /usr/local/php/bin/ (6.3.7)

Safe mode on:
ImageMagick path: /usr/local/php/bin/ ()

Actions #2

Updated by Larsen no-lastname-given over 13 years ago

Problem might exist in "t3lib/class.t3lib_div.php" in function "imageMagickCommand" or "unQuoteFilenames"

4.4.4 returns
/usr/local/php/bin/gm identify -version

4.4.5 returns
'/usr/local/php/bin/gm' identify -version

Actions #3

Updated by Markus Blaschke over 13 years ago

Because 4.4.5 fixes some security issues - a hotfix (4.4.6) would be nice.
This bug blocks our rollout.

Actions #4

Updated by Larsen no-lastname-given over 13 years ago

Same here. 4.4.6 is definitely needed.

Actions #5

Updated by Larsen no-lastname-given over 13 years ago

Duplicate of 16755: Thumbnail generation fails

There is also a patch to solve this problem.

Actions #6

Updated by Markus Blaschke over 13 years ago

This bug also isn't fixed with TYPO3 4.4.6.

The complete rollout of the security fixes is still BLOCKED by this bug for nearly ONE MONTH. Is there any chance that this will fixed soon?

Actions #7

Updated by Jigal van Hemert over 13 years ago

The real problem here is safe_mode. PHP documentation advises for some years to not use this as it is a failed attempt to make a magic switch for a safe environment and currently creates a false sense of safety.
safe_mode is deprecated as of PHP 5.3.0 and PHP 5.2.x is end of life; so the PHP programmers don't support it anymore.

If you host your own website, turn safe_mode off and use the different options to configure a restricted environment. If you use a hosting company, talk to them and point them to the PHP documentation to convince them to configure PHP better and turn of safe_mode. If they won't turn it off, consider changing hosting company.

Seriously, safe_mode causes more problems than it solves and it is not necessary to safely run TYPO3.

Actions #8

Updated by Markus Blaschke over 13 years ago

Yes, SAFE_MODE is deprecated but currently the only possibility to limit the exec directory (safe_mode_exec_dir).

Many hosters still rely on SAFE_MODE and a security/minor update of TYPO3 SHOULD NOT break the whole system.

If TYPO3 doesn't work with PHP 5.2.x and/or SAFE_MODE please update the TYPO3 system requirements - but don't change major requirements for minor updates!

Also the TYPO3 installer only warns because of the SAFE_MODE, there is no error or a notice about that TYPO3 doesn't work in SAFE_MODE.

Before that update IM/GM worked fine with TYPO3 in SAFE_MODE.

BTW:
TYPO3 still supports PHP 5.2.x and with this version the SAFE_MODE is not deprecated so please fix this.

Actions #9

Updated by Larsen no-lastname-given over 13 years ago

I agree with Markus that a minor update shouldn´t break such a basic thing like image generation.

@Markus: Can´t you use the woraround proposed in bug 16755? It works for me.

Actions #10

Updated by Jigal van Hemert over 13 years ago

The patch in #24346 prevents you from using IM/GM if the path to the executable has spaces in it (which is quite common on Windows installations).

Actions #11

Updated by Markus Blaschke over 13 years ago

The patch in 0016755 works unter unix/linux with safe_mode - however an official sollution is required ASAP.

This bug should be added in the roadmap for 4.4.7 (and maybe others branches).

Actions #12

Updated by Markus Blaschke over 13 years ago

Is there any progress with this bug? What about TYPO3 4.5? And what about the adding this bug to the roadmap?

TYPO3 4.5 also supports PHP 5.2.0 and there is nothing about safe_mode in the INSTALL.txt.

This bug is still a BLOCKER for our installations.

Actions #13

Updated by Jigal van Hemert over 13 years ago

For 4.5 safe_mode is supported as far as possible. The install tool warns against using safe_mode and advises to switch off the use of IM/GM when safe_mode is enabled. The Reports module also warns when safe_mode is enabled.

The problem with this issue is that it can't be solved for all installations. Quite a few installations have spaces in the path to IM/GM and these paths need quoting. When safe_mode is enable PHP will use escapeshellcmd on the entire command and thus the quotes get escaped. So far there is no solution for this (several people have been looking for a way to solve it).

So the choice is between supporting paths with spaces and safe_mode. For 4.5 the choice is clear and for 4.4 I keep this issue open, hoping that some solution will become available.

Actions #14

Updated by Markus Blaschke over 13 years ago

Yes, the issue maybe can't be solved for all installations, but hopefully the most installations (on unix/linux) don't use spaces in the path to IM/GM.

A good solution/workaround for the current situation:
TYPO3 can check if safe_mode is active (ini_get?) and use escapeshellcmd instead of escapeshellarg.

So the issue would be fixed for the most installations.

Actions #15

Updated by Jigal van Hemert over 13 years ago

Attached patch is made for trunk.
It only uses escapeshellarg if there is something to escape or if there is whitespace in the path.

At least this can solve the problem for safe_mode when the path doesn't need to be quoted.

It also contains a fix for diacritcs in the path (e.g. characters with umlauts), which was already included in wrapFilename()

Can someone test this with safe_mode enabled on an installation without whitespace in the path to IM/GM?

Actions #16

Updated by Jigal van Hemert over 13 years ago

Test attached patch (made for trunk) please.

Actions #17

Updated by Kai Blaschke over 13 years ago

Patch tested successfully with TYPO3 4.5.0, safe_mode_exec_dir=/usr/local/bin/php

Actions #18

Updated by Jigal van Hemert over 13 years ago

RFC pending in core list. Votes in core list are welcome!

Actions #19

Updated by Susanne Moog over 13 years ago

  • Target version deleted (4.4.7)
Actions #20

Updated by Mr. Hudson about 13 years ago

Patch set 1 of change I5d1136899dc2d08bf9a13eb1759e3d767c3295d2 has been pushed to the review server.
It is available at http://review.typo3.org/3236

Actions #21

Updated by Mr. Hudson about 13 years ago

Patch set 2 of change I5d1136899dc2d08bf9a13eb1759e3d767c3295d2 has been pushed to the review server.
It is available at http://review.typo3.org/3236

Actions #22

Updated by Mr. Hudson about 13 years ago

Patch set 3 of change I5d1136899dc2d08bf9a13eb1759e3d767c3295d2 has been pushed to the review server.
It is available at http://review.typo3.org/3236

Actions #23

Updated by Chris topher almost 13 years ago

Review for branch 4.4 at http://review.typo3.org/1457

Actions #24

Updated by Dmitry Dulepov almost 13 years ago

Markus Blaschke, I wonder, if that blocked your updates for a month, why didn't you pay somebody to resolve the bug earlier?

Actions #25

Updated by Markus Blaschke almost 13 years ago

We noticed the deprecation of safe_mode in PHP 5.3 but not within the TYPO3 project.

With note #13 (and because of other bugs) we moved away from (the buggy) safe_mode in our hosting environment to solve all issues - the only good solution :/

BTW: We used the safe_mode only for safe_mode_exec_dir.

Actions #26

Updated by Gerrit Code Review over 12 years ago

  • Status changed from Accepted to Under Review

Patch set 4 for branch TYPO3_4-5 has been pushed to the review server.
It is available at http://review.typo3.org/3236

Actions #27

Updated by Gerrit Code Review over 12 years ago

Patch set 2 for branch TYPO3_4-5 has been pushed to the review server.
It is available at http://review.typo3.org/1448

Actions #28

Updated by Jigal van Hemert over 12 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #29

Updated by Patrick about 12 years ago

This problem seems not to be typo3 related!!

i was running also into the typo3 problem with filenames ending in f.e.
bin//gm'

i created a simple test script:
$cmd = "'/var/www/sites/asfd.com/safe_mode_exec_dir/identify' '/var/www/asdf.com/typo3logotype.ai'[0]";
echo escapeshellcmd($cmd);

exec($cmd, $ary);
var_dump($ary);
?>

it's completely running in safe_mode_exec_dir.

Just running escapeshellcmd shows the right apostrophe termination. but using exec i get the problem.

investigating this a bit deeper, i find out, that the last ' is masked with \\ so that's why the first ' seems to be deleted by escapeshellcmd()

here is the strace output:
30506 execve("/bin/sh", ["sh", "-c", "/var/www/sites/asdf.com/safe_mode_exec_dir//identify' '/var/www/vhosts/asdf.com/typo3logotype.ai\\'\\[0\\]"], [/* 8 vars */] <unfinished ...>

so i think, the ' in the middle (end of command and first place of argument) are seen as pair for escapeshellcmd.

so the bug seems not to be typo3 related, it seems it is a general php bug.

sorry for my bad english ;)

Actions #30

Updated by Bernhard Eckl over 11 years ago

This issue is still there in 4.7.5. This patch in combination with this http://dl.fc-hosting.de/index.php/jdownload/viewcategory/38-typo3-4-7-x solved the problem, so that Imagemagick could be used in a safe_bin directory when safemode is enabled. How about integrating this into the core? I know safe mode is deprecated, but there a still some hosters who habe that enabled.

Actions #31

Updated by Jigal van Hemert over 11 years ago

Bernhard, safe_mode is not supported anymore by TYPO3. It was more or less supported in 4.5, but support has been dropped in 4.6.

Actions #32

Updated by Benni Mack almost 6 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF