TYPO3 Core

I can confirm this issue with 4.4.5 on Debian Lenny. The install tool shows no version number when safe mode is enabled.

Safe mode off:
ImageMagick path: /usr/local/php/bin/ (6.3.7)

Safe mode on:
ImageMagick path: /usr/local/php/bin/ ()

Problem might exist in "t3lib/class.t3lib_div.php" in function "imageMagickCommand" or "unQuoteFilenames"

4.4.4 returns
/usr/local/php/bin/gm identify -version

4.4.5 returns
'/usr/local/php/bin/gm' identify -version

Because 4.4.5 fixes some security issues - a hotfix (4.4.6) would be nice.
This bug blocks our rollout.

Same here. 4.4.6 is definitely needed.

Duplicate of 16755: Thumbnail generation fails

There is also a patch to solve this problem.

This bug also isn't fixed with TYPO3 4.4.6.

The complete rollout of the security fixes is still BLOCKED by this bug for nearly ONE MONTH. Is there any chance that this will fixed soon?

The real problem here is safe_mode. PHP documentation advises for some years to not use this as it is a failed attempt to make a magic switch for a safe environment and currently creates a false sense of safety.
safe_mode is deprecated as of PHP 5.3.0 and PHP 5.2.x is end of life; so the PHP programmers don't support it anymore.

If you host your own website, turn safe_mode off and use the different options to configure a restricted environment. If you use a hosting company, talk to them and point them to the PHP documentation to convince them to configure PHP better and turn of safe_mode. If they won't turn it off, consider changing hosting company.

Seriously, safe_mode causes more problems than it solves and it is not necessary to safely run TYPO3.

Yes, SAFE_MODE is deprecated but currently the only possibility to limit the exec directory (safe_mode_exec_dir).

Many hosters still rely on SAFE_MODE and a security/minor update of TYPO3 SHOULD NOT break the whole system.

If TYPO3 doesn't work with PHP 5.2.x and/or SAFE_MODE please update the TYPO3 system requirements - but don't change major requirements for minor updates!

Also the TYPO3 installer only warns because of the SAFE_MODE, there is no error or a notice about that TYPO3 doesn't work in SAFE_MODE.

Before that update IM/GM worked fine with TYPO3 in SAFE_MODE.

BTW:
TYPO3 still supports PHP 5.2.x and with this version the SAFE_MODE is not deprecated so please fix this.

I agree with Markus that a minor update shouldn´t break such a basic thing like image generation.

@Markus: Can´t you use the woraround proposed in bug 16755? It works for me.

The patch in #24346 prevents you from using IM/GM if the path to the executable has spaces in it (which is quite common on Windows installations).

The patch in 0016755 works unter unix/linux with safe_mode - however an official sollution is required ASAP.

This bug should be added in the roadmap for 4.4.7 (and maybe others branches).

Is there any progress with this bug? What about TYPO3 4.5? And what about the adding this bug to the roadmap?

TYPO3 4.5 also supports PHP 5.2.0 and there is nothing about safe_mode in the INSTALL.txt.

This bug is still a BLOCKER for our installations.

For 4.5 safe_mode is supported as far as possible. The install tool warns against using safe_mode and advises to switch off the use of IM/GM when safe_mode is enabled. The Reports module also warns when safe_mode is enabled.

The problem with this issue is that it can't be solved for all installations. Quite a few installations have spaces in the path to IM/GM and these paths need quoting. When safe_mode is enable PHP will use escapeshellcmd on the entire command and thus the quotes get escaped. So far there is no solution for this (several people have been looking for a way to solve it).

So the choice is between supporting paths with spaces and safe_mode. For 4.5 the choice is clear and for 4.4 I keep this issue open, hoping that some solution will become available.

Yes, the issue maybe can't be solved for all installations, but hopefully the most installations (on unix/linux) don't use spaces in the path to IM/GM.

A good solution/workaround for the current situation:
TYPO3 can check if safe_mode is active (ini_get?) and use escapeshellcmd instead of escapeshellarg.

So the issue would be fixed for the most installations.

Attached patch is made for trunk.
It only uses escapeshellarg if there is something to escape or if there is whitespace in the path.

At least this can solve the problem for safe_mode when the path doesn't need to be quoted.

It also contains a fix for diacritcs in the path (e.g. characters with umlauts), which was already included in wrapFilename()

Can someone test this with safe_mode enabled on an installation without whitespace in the path to IM/GM?

Test attached patch (made for trunk) please.

Patch tested successfully with TYPO3 4.5.0, safe_mode_exec_dir=/usr/local/bin/php

RFC pending in core list. Votes in core list are welcome!

Patch set 1 of change I5d1136899dc2d08bf9a13eb1759e3d767c3295d2 has been pushed to the review server.
It is available at http://review.typo3.org/3236

Patch set 2 of change I5d1136899dc2d08bf9a13eb1759e3d767c3295d2 has been pushed to the review server.
It is available at http://review.typo3.org/3236

Patch set 3 of change I5d1136899dc2d08bf9a13eb1759e3d767c3295d2 has been pushed to the review server.
It is available at http://review.typo3.org/3236

Review for branch 4.4 at http://review.typo3.org/1457

Markus Blaschke, I wonder, if that blocked your updates for a month, why didn't you pay somebody to resolve the bug earlier?

We noticed the deprecation of safe_mode in PHP 5.3 but not within the TYPO3 project.

With note #13 (and because of other bugs) we moved away from (the buggy) safe_mode in our hosting environment to solve all issues - the only good solution :/

BTW: We used the safe_mode only for safe_mode_exec_dir.

Patch set 2 for branch TYPO3_4-5 has been pushed to the review server.
It is available at http://review.typo3.org/1448

This problem seems not to be typo3 related!!

i was running also into the typo3 problem with filenames ending in f.e.
bin//gm'

i created a simple test script:
$cmd = "'/var/www/sites/asfd.com/safe_mode_exec_dir/identify' '/var/www/asdf.com/typo3logotype.ai'[0]";
echo escapeshellcmd($cmd);

exec($cmd, $ary);
var_dump($ary);
?>

it's completely running in safe_mode_exec_dir.

Just running escapeshellcmd shows the right apostrophe termination. but using exec i get the problem.

investigating this a bit deeper, i find out, that the last ' is masked with \\ so that's why the first ' seems to be deleted by escapeshellcmd()

here is the strace output:
30506 execve("/bin/sh", ["sh", "-c", "/var/www/sites/asdf.com/safe_mode_exec_dir//identify' '/var/www/vhosts/asdf.com/typo3logotype.ai\\'\\[0\\]"], [/* 8 vars */] <unfinished ...>

so i think, the ' in the middle (end of command and first place of argument) are seen as pair for escapeshellcmd.

so the bug seems not to be typo3 related, it seems it is a general php bug.

sorry for my bad english ;)

This issue is still there in 4.7.5. This patch in combination with this http://dl.fc-hosting.de/index.php/jdownload/viewcategory/38-typo3-4-7-x solved the problem, so that Imagemagick could be used in a safe_bin directory when safemode is enabled. How about integrating this into the core? I know safe mode is deprecated, but there a still some hosters who habe that enabled.

Bernhard, safe_mode is not supported anymore by TYPO3. It was more or less supported in 4.5, but support has been dropped in 4.6.