Bug #85174
Closed
open_basedir prevents executing of cli commands
100%
Description
If I use the TYPO3\CMS\Core\Utility\CommandUtility::getCommand() method and /usr/lib/ or other lib dirs are not in the defined open_basedir path, TYPO3 will not execute a command even if it is possible.
The checkCommand() method called by the getCommand() method tries to validate the given path, "/usr/lib" for example. open_basedir prevents access to this directory for the is_dir() calls in initPaths() on lines 325 and 338. So the paths are not valid for execution, and the foreach part in checkCommand() is skipped.
After the foreach, TYPO3 tries to get the cmd by executing the "which" command. This will return something like /usr/bin/jpegoptim. The next steps can't work because the is_executable check will also fail on the open_basedir restriction. Even if this check is removed, the following will not work because the $cmd var is overwritten.
$cmd = 'jpegoptim'; becomes $cmd = '/usr/bin/jpegoptim'; so the following code does not do what is expected:
    self::$applications[$cmd]['app'] = $cmd;
    self::$applications[$cmd]['path'] = dirname($cmd) . '/';
    self::$applications[$cmd]['valid'] = true;
    return true;
The array key is wrong, and the app cmd, which will be concatenated with the path in the getCommand() method, becomes /usr/bin//usr/bin/jpegoptim
So the correct code should be something like:
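    // Resolve the binary without overwriting the requested name in $cmd.
    $fullCmd = @self::exec('which ' . $cmd);
    if ($fullCmd) {
        // Keep $cmd as the array key; store file name and directory separately.
        self::$applications[$cmd]['app'] = basename($fullCmd);
        self::$applications[$cmd]['path'] = dirname($fullCmd) . '/';
        self::$applications[$cmd]['valid'] = true;
        return true;
    }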
With this code the correct cmd will be executed even if open_basedir prevents access to /usr/bin/. Adding /usr/bin to open_basedir would not be a secure solution.
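
The registration problem described in the report, reproduced as an added stand-alone sketch (not part of the original report and not TYPO3 code; assumes PHP 8). CommandRegistry, the $locate closure and the constructed /usr/bin/jpegoptim lookup result are hypothetical stand-ins for CommandUtility and its "which" call, and a lookup miss in getCommand() is modelled as an empty string.

```php
<?php
declare(strict_types=1);
// Added illustration, not TYPO3 code: CommandRegistry and the $locate closure
// are hypothetical stand-ins for CommandUtility and its `which` lookup.
final class CommandRegistry
{
    /** @var array<string, array{app: string, path: string, valid: bool}> */
    public array $applications = [];

    public function __construct(private \Closure $locate, private bool $fixed) {}

    public function checkCommand(string $cmd): bool
    {
        if (isset($this->applications[$cmd])) {
            return $this->applications[$cmd]['valid'];
        }
        // The configured-path scan is omitted: with open_basedir active the
        // is_dir() probes fail, so only the `which` fallback remains.
        $fullCmd = ($this->locate)($cmd);
        if ($fullCmd === '') {
            return false;
        }
        // Reported behaviour: the resolved path replaces $cmd (key and app).
        // Proposed behaviour: keep $cmd as key, store only the basename.
        $key = $this->fixed ? $cmd : $fullCmd;
        $app = $this->fixed ? basename($fullCmd) : $fullCmd;
        $this->applications[$key] = ['app' => $app, 'path' => dirname($fullCmd) . '/', 'valid' => true];
        return true;
    }

    public function getCommand(string $cmd): string|false
    {
        if (!$this->checkCommand($cmd)) {
            return false;
        }
        // Look up by the name the caller asked for; a miss yields ''.
        $entry = $this->applications[$cmd] ?? ['path' => '', 'app' => ''];
        return $entry['path'] . $entry['app'];
    }
}

// Constructed lookup result; a real lookup should shell-escape the name.
$which = fn(string $cmd): string => $cmd === 'jpegoptim' ? '/usr/bin/jpegoptim' : '';
foreach ([false, true] as $fixed) {
    $registry = new CommandRegistry($which, $fixed);
    printf("fixed=%s getCommand=%s\n", var_export($fixed, true), var_export($registry->getCommand('jpegoptim'), true));
    foreach ($registry->applications as $key => $entry) {
        printf("  key=%s joined=%s\n", $key, $entry['path'] . $entry['app']);
    }
}
```

Comparing the two runs shows the wrong array key and the doubled path next to the entry produced by the proposed change.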
Updated by Gerrit Code Review over 1 year ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/79892
Updated by Gerrit Code Review over 1 year ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/79892
Updated by Gerrit Code Review over 1 year ago
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/79892
Updated by Gerrit Code Review over 1 year ago
Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/79865
Updated by Susanne Moog over 1 year ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset e97960ffe7d4764eccd1f5c51ca63def62869214.