Project

General

Profile

Actions

Bug #81115

closed

TYPO3-Exception in BE-Log due to "PHP Warning: is_file(): open_basedir restriction in effect"

Added by Stephan Großberndt almost 7 years ago. Updated almost 7 years ago.

Status:
Closed
Priority:
Must have
Assignee:
-
Category:
-
Target version:
-
Start date:
2016-11-28
Due date:
2016-11-28
% Done:

0%

Estimated time:
TYPO3 Version:
8
PHP Version:
7.0
Tags:
Complexity:
Is Regression:
Yes
Sprint Focus:

Description

  • Disable debugging of backend: $GLOBALS['TYPO3_CONF_VARS']['BE']['debug'] = '0'
  • Open the BE-Log module

If there is a PHP open_basedir restriction in effect (/var/www/project.lan/www/:/var/www/project.lan/tmp/:/var/www/project.lan/typo3_src-8.7.1) this results in a TYPO3 Exception:

Uncaught TYPO3 Exception

#1476107295: PHP Warning: is_file(): open_basedir restriction in effect. File(/var/www/project.lan/www/../typo3temp/assets/compressed/ext-all-notheme-bfc978ca680a482b551d4897f90e29d2.css) is not within the allowed path(s): (/var/www/project.lan/www/:/var/www/project.lan/tmp/:/var/www/project.lan/typo3_src-8.7.1) in /var/www/project.lan/typo3_src-8.7.1/typo3/sysext/core/Classes/Resource/ResourceCompressor.php line 440 (More information)

21 is_file("/var/www/project.lan/www/../typo3temp/assets/compres…t-all-notheme-bfc978ca680a482b551d4897f90e29d2.css")
/var/www/project.lan/typo3_src-8.7.1/typo3/sysext/core/Classes/Resource/ResourceCompressor.php:
00438:     // if the file is an absolute reference within the docRoot
00439:     $absolutePath = $docRoot . '/' . $fileNameWithoutSlash;
00440:     if (is_file($absolutePath)) {
00441:       if (strpos($absolutePath, $this->rootPath) === 0) {

20 TYPO3\CMS\Core\Resource\ResourceCompressor::getFilenameFromMainDir("../typo3temp/assets/compressed/ext-all-notheme-bfc978ca680a482b551d4897f90e29d2.css")
/var/www/project.lan/typo3_src-8.7.1/typo3/sysext/core/Classes/Resource/ResourceCompressor.php:
00120:       $filenameFromMainDir = $this->getFilenameFromMainDir($fileOptions['file']);

19 TYPO3\CMS\Core\Resource\ResourceCompressor::concatenateCssFiles(array, array)
/var/www/project.lan/typo3_src-8.7.1/typo3/sysext/core/Classes/Page/PageRenderer.php:
02522:         $this->cssLibs = $this->getCompressor()->concatenateCssFiles($this->cssLibs, $cssOptions);

18 TYPO3\CMS\Core\Page\PageRenderer::doConcatenateCss()
/var/www/project.lan/typo3_src-8.7.1/typo3/sysext/core/Classes/Page/PageRenderer.php:
02474:     $this->doConcatenateCss();

17 TYPO3\CMS\Core\Page\PageRenderer::doConcatenate()
/var/www/project.lan/typo3_src-8.7.1/typo3/sysext/core/Classes/Page/PageRenderer.php:
01846:       $this->doConcatenate();

16 TYPO3\CMS\Core\Page\PageRenderer::renderJavaScriptAndCss()
/var/www/project.lan/typo3_src-8.7.1/typo3/sysext/core/Classes/Page/PageRenderer.php:
01753:     list($jsLibs, $jsFiles, $jsFooterFiles, $cssLibs, $cssFiles, $jsInline, $cssInline, $jsFooterInline, $jsFooterLibs) = $this->renderJavaScriptAndCss();

15 TYPO3\CMS\Core\Page\PageRenderer::render(2)
/var/www/project.lan/typo3_src-8.7.1/typo3/sysext/backend/Classes/Template/ModuleTemplate.php:
00344:     $renderedPage .= $this->pageRenderer->render(PageRenderer::PART_FOOTER);

14 TYPO3\CMS\Backend\Template\ModuleTemplate::renderContent()

This happends due to #78803 (https://review.typo3.org/#/c/50921).

During the first run of the PageRenderer the CSS files in $this->cssLibs are concatenated and compressed. In PageRenderer->doCompressCss() the paths to $this->cssLibs are updated:

$this->cssLibs = $this->getCompressor()->compressCssFiles($this->cssLibs);

These updated paths eventually come from ResourceCompressor->returnFileReference() which returns a path relative to typo3/ - meaning

typo3temp/assets/compressed/ext-all-notheme-bfc978ca680a482b551d4897f90e29d2.css
becomes
../typo3temp/assets/compressed/ext-all-notheme-bfc978ca680a482b551d4897f90e29d2.css

mind the prepended ../!

The PageRenderer is then called a second time to render the footer with $this->pageRenderer->render(PageRenderer::PART_FOOTER)

In this second run $this->cssLibs contains

array(2) {
  ["../typo3temp/assets/compressed/ext-all-notheme-bfc978ca680a482b551d4897f90e29d2.css"]=>
  array(9) {
    ["file"]=>
    string(83) "../typo3temp/assets/compressed/ext-all-notheme-bfc978ca680a482b551d4897f90e29d2.css" 
    ["rel"]=>
    string(10) "stylesheet" 
    ["media"]=>
    string(3) "all" 
    ["title"]=>
    string(0) "" 
    ["compress"]=>
    bool(false)
    ["forceOnTop"]=>
    bool(false)
    ["allWrap"]=>
    string(0) "" 
    ["excludeFromConcatenation"]=>
    bool(false)
    ["splitChar"]=>
    string(1) "|" 
  }
  ["../typo3temp/assets/compressed/xtheme-t3skin-6bc61e26702e182f975dfafe91e5d724.css"]=>
  array(9) {
    ["file"]=>
    string(81) "../typo3temp/assets/compressed/xtheme-t3skin-6bc61e26702e182f975dfafe91e5d724.css" 
    ["rel"]=>
    string(10) "stylesheet" 
    ["media"]=>
    string(3) "all" 
    ["title"]=>
    string(0) "" 
    ["compress"]=>
    bool(false)
    ["forceOnTop"]=>
    bool(false)
    ["allWrap"]=>
    string(0) "" 
    ["excludeFromConcatenation"]=>
    bool(false)
    ["splitChar"]=>
    string(1) "|" 
  }
}

These paths are once again handed over to the ResourceCompressor which tries to determine the file path using ResourceCompressor->getFilenameFromMainDir(), in which the patch #50921 added an is_file check - see https://review.typo3.org/#/c/50921/2/typo3/sysext/core/Classes/Resource/ResourceCompressor.php

    protected function getFilenameFromMainDir($filename)
    {
        /*
         * The various paths may have those values (e.g. if TYPO3 is installed in a subdir)
         * - docRoot = /var/www/html/
         * - PATH_site = /var/www/html/sites/site1/
         * - $this->rootPath = /var/www/html/sites/site1/typo3
         *
         * The file names passed into this function may be either:
         * - relative to $this->rootPath
         * - relative to PATH_site
         * - relative to docRoot
         */
        $docRoot = GeneralUtility::getIndpEnv('TYPO3_DOCUMENT_ROOT');
        $fileNameWithoutSlash = ltrim($filename, '/');

        // if the file is an absolute reference within the docRoot
        $absolutePath = $docRoot . '/' . $fileNameWithoutSlash;
        if (is_file($absolutePath)) {
            if (strpos($absolutePath, $this->rootPath) === 0) {
                // the path is within the current root path, simply strip rootPath off
                return substr($absolutePath, strlen($this->rootPath));
            }
            // the path is not within the root path, strip off the site path, the remaining logic below
            // takes care about adjusting the path correctly.
            $filename = substr($absolutePath, strlen(PATH_site));
        }
        // if the file exists in the root path, just return the $filename
        if (is_file($this->rootPath . $fileNameWithoutSlash)) {
            return $fileNameWithoutSlash;
        }
        // if the file is from a special TYPO3 internal directory, add the missing typo3/ prefix
        if (is_file(realpath(PATH_site . TYPO3_mainDir . $filename))) {
            $filename = TYPO3_mainDir . $filename;
        }

The filename passed to the function now is ../typo3temp/assets/compressed/xtheme-t3skin-6bc61e26702e182f975dfafe91e5d724.css - and this breaks in

        if (is_file($absolutePath)) {

because the $absolutePath is constructed as

        $absolutePath = '/var/www/project.lan/www/' . '/' . ltrim('../typo3temp/assets/compressed/xtheme-t3skin-6bc61e26702e182f975dfafe91e5d724.css', '/');

Some lines below there is a test if the filename can be found starting from the typo3/-directory, but this is not reached because the exception already fires on if (is_file($absolutePath)) {:

if (is_file(realpath(PATH_site . TYPO3_mainDir . $filename))) {

Changing

        if (is_file($absolutePath)) {

to
        if (@is_file($absolutePath)) {

supressing a warning if the file cannot be found solves the issue, but I am not sure if this is the correct way to solve this - as

  1. The extbase css is added/processed again when rendering the footer - why is it added twice?
  2. In general already processed css should not be processed again - $this->cssLibs should be emptied before?

Related issues 2 (0 open2 closed)

Is duplicate of TYPO3 Core - Bug #81024: getFilenameFromMainDir() triggers PHP Warnings open_basedirClosedChristian Toffolo2016-11-282016-11-28

Actions
Follows TYPO3 Core - Bug #78803: ResourceCompressor can't deal with paths relative to docrootClosedMarkus Klein2016-11-25

Actions
Actions #1

Updated by Stephan Großberndt almost 7 years ago

  • Due date set to 2016-11-28
  • Start date changed from 2017-05-02 to 2016-11-28
  • Follows Bug #78803: ResourceCompressor can't deal with paths relative to docroot added
Actions #2

Updated by Markus Klein almost 7 years ago

  • Is duplicate of Bug #81024: getFilenameFromMainDir() triggers PHP Warnings open_basedir added
Actions #3

Updated by Markus Klein almost 7 years ago

  • Status changed from New to Closed
Actions

Also available in: Atom PDF