Bug #24369
closed
No image generation with PHP-SAFE_MODE (GM/IM)
Added by Markus Blaschke almost 14 years ago. Updated about 6 years ago.
100%
Description
With PHP in SAFE_MODE all imagemagick/graphicsmagick calls will fail.
TYPO3 Installer:
"Use of ImageMagick has been disabled in the configuration."
Apache error_log:
sh: /share/bin//gm': No such file or directory
sh: /share/bin//convert': No such file or directory
sh: /share/bin//combine': No such file or directory
sh: /share/bin//composite': No such file or directory
sh: /share/bin//identify': No such file or directory
It's fine with 4.4.4 and all images will be generated correctly but not with 4.4.5
(issue imported from #M16785)
Files
16785.patch (3.41 KB) | Administrator Admin, 2011-02-05 13:33
16785_v2.patch (3.42 KB) | Administrator Admin, 2011-02-11 22:13
16785-4_4-v2.patch (2.91 KB) | Administrator Admin, 2011-02-11 22:13
Updated by Larsen no-lastname-given almost 14 years ago
I can confirm this issue with 4.4.5 on Debian Lenny. The install tool shows no version number when safe mode is enabled.
Safe mode off:
ImageMagick path: /usr/local/php/bin/ (6.3.7)
Safe mode on:
ImageMagick path: /usr/local/php/bin/ ()
Updated by Larsen no-lastname-given almost 14 years ago
Problem might exist in "t3lib/class.t3lib_div.php" in function "imageMagickCommand" or "unQuoteFilenames"
4.4.4 returns
/usr/local/php/bin/gm identify -version
4.4.5 returns
'/usr/local/php/bin/gm' identify -version
Updated by Markus Blaschke almost 14 years ago
Because 4.4.5 fixes some security issues - a hotfix (4.4.6) would be nice.
This bug blocks our rollout.
Updated by Larsen no-lastname-given almost 14 years ago
Same here. 4.4.6 is definitely needed.
Updated by Larsen no-lastname-given almost 14 years ago
Duplicate of 16755: Thumbnail generation fails
There is also a patch to solve this problem.
Updated by Markus Blaschke almost 14 years ago
This bug also isn't fixed with TYPO3 4.4.6.
The complete rollout of the security fixes is still BLOCKED by this bug for nearly ONE MONTH. Is there any chance that this will be fixed soon?
Updated by Jigal van Hemert almost 14 years ago
The real problem here is safe_mode. PHP documentation has advised for some years not to use this as it is a failed attempt to make a magic switch for a safe environment and currently creates a false sense of safety.
safe_mode is deprecated as of PHP 5.3.0 and PHP 5.2.x is end of life; so the PHP programmers don't support it anymore.
If you host your own website, turn safe_mode off and use the different options to configure a restricted environment. If you use a hosting company, talk to them and point them to the PHP documentation to convince them to configure PHP better and turn off safe_mode. If they won't turn it off, consider changing hosting company.
Seriously, safe_mode causes more problems than it solves and it is not necessary to safely run TYPO3.
Updated by Markus Blaschke almost 14 years ago
Yes, SAFE_MODE is deprecated but currently the only possibility to limit the exec directory (safe_mode_exec_dir).
Many hosters still rely on SAFE_MODE and a security/minor update of TYPO3 SHOULD NOT break the whole system.
If TYPO3 doesn't work with PHP 5.2.x and/or SAFE_MODE please update the TYPO3 system requirements - but don't change major requirements for minor updates!
Also the TYPO3 installer only warns because of the SAFE_MODE, there is no error or notice that TYPO3 doesn't work in SAFE_MODE.
Before that update IM/GM worked fine with TYPO3 in SAFE_MODE.
BTW:
TYPO3 still supports PHP 5.2.x and with this version the SAFE_MODE is not deprecated so please fix this.
Updated by Larsen no-lastname-given almost 14 years ago
I agree with Markus that a minor update shouldn't break such a basic thing like image generation.
@Markus: Can't you use the workaround proposed in bug 16755? It works for me.
Updated by Jigal van Hemert almost 14 years ago
The patch in #24346 prevents you from using IM/GM if the path to the executable has spaces in it (which is quite common on Windows installations).
Updated by Markus Blaschke almost 14 years ago
The patch in 0016755 works under unix/linux with safe_mode - however an official solution is required ASAP.
This bug should be added in the roadmap for 4.4.7 (and maybe other branches).
Updated by Markus Blaschke almost 14 years ago
Is there any progress with this bug? What about TYPO3 4.5? And what about adding this bug to the roadmap?
TYPO3 4.5 also supports PHP 5.2.0 and there is nothing about safe_mode in the INSTALL.txt.
This bug is still a BLOCKER for our installations.
Updated by Jigal van Hemert almost 14 years ago
For 4.5 safe_mode is supported as far as possible. The install tool warns against using safe_mode and advises to switch off the use of IM/GM when safe_mode is enabled. The Reports module also warns when safe_mode is enabled.
The problem with this issue is that it can't be solved for all installations. Quite a few installations have spaces in the path to IM/GM and these paths need quoting. When safe_mode is enabled PHP will use escapeshellcmd on the entire command and thus the quotes get escaped. So far there is no solution for this (several people have been looking for a way to solve it).
So the choice is between supporting paths with spaces and safe_mode. For 4.5 the choice is clear and for 4.4 I keep this issue open, hoping that some solution will become available.
Updated by Markus Blaschke almost 14 years ago
Yes, the issue maybe can't be solved for all installations, but hopefully most installations (on unix/linux) don't use spaces in the path to IM/GM.
A good solution/workaround for the current situation:
TYPO3 can check if safe_mode is active (ini_get?) and use escapeshellcmd instead of escapeshellarg.
So the issue would be fixed for most installations.
Updated by Jigal van Hemert almost 14 years ago
Attached patch is made for trunk.
It only uses escapeshellarg if there is something to escape or if there is whitespace in the path.
At least this can solve the problem for safe_mode when the path doesn't need to be quoted.
It also contains a fix for diacritics in the path (e.g. characters with umlauts), which was already included in wrapFilename()
Can someone test this with safe_mode enabled on an installation without whitespace in the path to IM/GM?
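An added example, not part of the thread and not TYPO3's patch: a PHP model of the interaction described in the comments above, showing why an always-quoted executable path breaks under safe_mode and what conditional quoting changes. `modelSafeModeCommand()` and `quoteIfNeeded()` are hypothetical names; the rewriting is modelled on the error_log and strace lines on this page, and a Unix shell is assumed.

```php
<?php
// Added example; function names are hypothetical, not TYPO3 or PHP APIs.

// Model of the safe_mode rewriting seen in the error_log and strace output:
// the directory of the first word is replaced by safe_mode_exec_dir, then
// escapeshellcmd() runs over the whole command line.
function modelSafeModeCommand(string $cmd, string $execDir): string
{
    $parts = explode(' ', $cmd, 2);
    $slash = strrpos($parts[0], '/');
    $name = $slash === false ? '/' . $parts[0] : substr($parts[0], $slash);
    $rest = isset($parts[1]) ? ' ' . $parts[1] : '';
    return escapeshellcmd($execDir . $name . $rest);
}

// Quote the executable only when the path needs it, following the
// description of the patch: whitespace or something to escape.
function quoteIfNeeded(string $path): string
{
    $needsQuoting = preg_match('/\s/', $path) === 1
        || escapeshellcmd($path) !== $path;
    return $needsQuoting ? escapeshellarg($path) : $path;
}

$execDir = '/share/bin/';                 // constructed, matches the error_log
$samples = [
    '/usr/local/php/bin/gm',              // plain Unix path from the thread
    '/opt/Image Magick/bin/gm',           // constructed path with a space
];

foreach ($samples as $path) {
    // Always quoting is what 4.4.5 is reported to return.
    $always = escapeshellarg($path) . ' identify -version';
    $conditional = quoteIfNeeded($path) . ' identify -version';
    printf("path:            %s\n", $path);
    printf("  always quoted: %s\n", modelSafeModeCommand($always, $execDir));
    printf("  conditional:   %s\n", modelSafeModeCommand($conditional, $execDir));
}
```

Under this model the plain path survives only in its conditional form, while the path containing a space is broken either way, which is the trade-off between supporting spaces and supporting safe_mode.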
Updated by Jigal van Hemert almost 14 years ago
Test attached patch (made for trunk) please.
Updated by Kai Blaschke almost 14 years ago
Patch tested successfully with TYPO3 4.5.0, safe_mode_exec_dir=/usr/local/bin/php
Updated by Jigal van Hemert almost 14 years ago
RFC pending in core list. Votes in core list are welcome!
Updated by Mr. Hudson over 13 years ago
Patch set 1 of change I5d1136899dc2d08bf9a13eb1759e3d767c3295d2 has been pushed to the review server.
It is available at http://review.typo3.org/3236
Updated by Mr. Hudson over 13 years ago
Patch set 2 of change I5d1136899dc2d08bf9a13eb1759e3d767c3295d2 has been pushed to the review server.
It is available at http://review.typo3.org/3236
Updated by Mr. Hudson over 13 years ago
Patch set 3 of change I5d1136899dc2d08bf9a13eb1759e3d767c3295d2 has been pushed to the review server.
It is available at http://review.typo3.org/3236
Updated by Chris topher over 13 years ago
Review for branch 4.4 at http://review.typo3.org/1457
Updated by Dmitry Dulepov about 13 years ago
Markus Blaschke, I wonder, if that blocked your updates for a month, why didn't you pay somebody to resolve the bug earlier?
Updated by Markus Blaschke about 13 years ago
We noticed the deprecation of safe_mode in PHP 5.3 but not within the TYPO3 project.
With note #13 (and because of other bugs) we moved away from (the buggy) safe_mode in our hosting environment to solve all issues - the only good solution :/
BTW: We used the safe_mode only for safe_mode_exec_dir.
Updated by Gerrit Code Review almost 13 years ago
- Status changed from Accepted to Under Review
Patch set 4 for branch TYPO3_4-5 has been pushed to the review server.
It is available at http://review.typo3.org/3236
Updated by Gerrit Code Review over 12 years ago
Patch set 2 for branch TYPO3_4-5 has been pushed to the review server.
It is available at http://review.typo3.org/1448
Updated by Jigal van Hemert over 12 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset f1f493b77f2276f4dc6384b82a6cb14823fc9c74.
Updated by Patrick over 12 years ago
This problem seems not to be typo3 related!!
i was running also into the typo3 problem with filenames ending in f.e.
bin//gm'
i created a simple test script:
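<?php
// Quoted executable and quoted argument, as TYPO3 builds the command
$cmd = "'/var/www/sites/asfd.com/safe_mode_exec_dir/identify' '/var/www/asdf.com/typo3logotype.ai'[0]";
// Show what escapeshellcmd() alone does to the command
echo escapeshellcmd($cmd);
// Run the command through exec() and dump its output lines
exec($cmd, $ary);
var_dump($ary);
?>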
it's completely running in safe_mode_exec_dir.
Just running escapeshellcmd shows the right apostrophe termination. but using exec i get the problem.
investigating this a bit deeper, i find out, that the last ' is masked with \\ so that's why the first ' seems to be deleted by escapeshellcmd()
here is the strace output:
30506 execve("/bin/sh", ["sh", "-c", "/var/www/sites/asdf.com/safe_mode_exec_dir//identify' '/var/www/vhosts/asdf.com/typo3logotype.ai\\'\\[0\\]"], [/* 8 vars */] <unfinished ...>
so i think, the ' in the middle (end of command and first place of argument) are seen as pair for escapeshellcmd.
so the bug seems not to be typo3 related, it seems it is a general php bug.
sorry for my bad english ;)
Updated by Bernhard Eckl about 12 years ago
This issue is still there in 4.7.5. This patch in combination with this http://dl.fc-hosting.de/index.php/jdownload/viewcategory/38-typo3-4-7-x solved the problem, so that Imagemagick could be used in a safe_bin directory when safemode is enabled. How about integrating this into the core? I know safe mode is deprecated, but there are still some hosters who have that enabled.
Updated by Jigal van Hemert about 12 years ago
Bernhard, safe_mode is not supported anymore by TYPO3. It was more or less supported in 4.5, but support has been dropped in 4.6.