Changeset 55425

Timestamp:

02/26/2023 03:17:45 PM (2 years ago)

Author:

SergeyBiryukov

Message:

Upgrade/Install: Introduce WP_Automatic_Updater::is_allowed_dir() method.

As part of determining whether to perform automatic updates, WordPress checks if it is running within a version-controlled environment, recursively looking up the filesystem to the top of the drive, looking for a Subversion, Git, Mercurial, or Bazaar directory, erring on the side of detecting a VCS checkout somewhere.

This commit avoids a PHP warning if the open_basedir directive is in use and any of the directories checked in the process are not allowed:

is_dir(): open_basedir restriction in effect. File(/.git) is not within the allowed path(s)

Follow-up to [25421], [25700], [25764], [25835], [25859].

Props costdev, markjaquith, meyegui, dd32, arnolp, robin-labadie, hellofromTonya, afragen, pbiron, SergeyBiryukov.
Fixes #42619.

Location:

trunk

Files:

• src/wp-admin/includes/class-wp-automatic-updater.php (modified) (2 diffs)
• tests/phpunit/tests/admin/wpAutomaticUpdater.php (modified) (1 diff)

trunk/src/wp-admin/includes/class-wp-automatic-updater.php

@@ -58 +58 @@
 
     /**
+     * Checks whether access to a given directory is allowed.
+     *
+     * This is used when detecting version control checkouts. Takes into account
+     * the PHP `open_basedir` restrictions, so that WordPress does not try to access
+     * directories it is not allowed to.
+     *
+     * @since 6.2.0
+     *
+     * @param string $dir The directory to check.
+     * @return bool True if access to the directory is allowed, false otherwise.
+     */
+    public function is_allowed_dir( $dir ) {
+        if ( is_string( $dir ) ) {
+            $dir = trim( $dir );
+        }
+
+        if ( ! is_string( $dir ) || '' === $dir ) {
+            _doing_it_wrong(
+                __METHOD__,
+                sprintf(
+                    /* translators: %s: The "$dir" argument. */
+                    __( 'The "%s" argument must be a non-empty string.' ),
+                    '$dir'
+                ),
+                '6.2.0'
+            );
+
+            return false;
+        }
+
+        $open_basedir = ini_get( 'open_basedir' );
+
+        if ( empty( $open_basedir ) ) {
+            return true;
+        }
+
+        $open_basedir_list = explode( PATH_SEPARATOR, $open_basedir );
+
+        foreach ( $open_basedir_list as $basedir ) {
+            if ( '' !== trim( $basedir ) && str_starts_with( $dir, $basedir ) ) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
      * Checks for version control checkouts.
      *
@@ -103 +151 @@
         foreach ( $vcs_dirs as $vcs_dir ) {
             foreach ( $check_dirs as $check_dir ) {
-                $checkout = @is_dir( rtrim( $check_dir, '\\/' ) . "/$vcs_dir" );
+                if ( ! $this->is_allowed_dir( $check_dir ) ) {
+                    continue;
+                }
+
+                $checkout = is_dir( rtrim( $check_dir, '\\/' ) . "/$vcs_dir" );
                 if ( $checkout ) {
                     break 2;

trunk/tests/phpunit/tests/admin/wpAutomaticUpdater.php

@@ -573 +573 @@
         );
     }
+
+    /**
+     * Tests that `WP_Automatic_Updater::is_allowed_dir()` returns true
+     * when the `open_basedir` directive is not set.
+     *
+     * @ticket 42619
+     *
+     * @covers WP_Automatic_Updater::is_allowed_dir
+     */
+    public function test_is_allowed_dir_should_return_true_if_open_basedir_is_not_set() {
+        $this->assertTrue( self::$updater->is_allowed_dir( ABSPATH ) );
+    }
+
+    /**
+     * Tests that `WP_Automatic_Updater::is_allowed_dir()` returns true
+     * when the `open_basedir` directive is set and the path is allowed.
+     *
+     * Runs in a separate process to ensure that `open_basedir` changes
+     * don't impact other tests should an error occur.
+     *
+     * This test does not preserve global state to prevent the exception
+     * "Serialization of 'Closure' is not allowed" when running in
+     * a separate process.
+     *
+     * @ticket 42619
+     *
+     * @covers WP_Automatic_Updater::is_allowed_dir
+     *
+     * @runInSeparateProcess
+     * @preserveGlobalState disabled
+     */
+    public function test_is_allowed_dir_should_return_true_if_open_basedir_is_set_and_path_is_allowed() {
+        // The repository for PHPUnit and test suite resources.
+        $abspath_parent      = trailingslashit( dirname( ABSPATH ) );
+        $abspath_grandparent = trailingslashit( dirname( $abspath_parent ) );
+
+        $open_basedir_backup = ini_get( 'open_basedir' );
+        // Allow access to the directory one level above the repository.
+        ini_set( 'open_basedir', wp_normalize_path( $abspath_grandparent ) );
+
+        // Checking an allowed directory should succeed.
+        $actual = self::$updater->is_allowed_dir( wp_normalize_path( ABSPATH ) );
+
+        ini_set( 'open_basedir', $open_basedir_backup );
+
+        $this->assertTrue( $actual );
+    }
+
+    /**
+     * Tests that `WP_Automatic_Updater::is_allowed_dir()` returns false
+     * when the `open_basedir` directive is set and the path is not allowed.
+     *
+     * Runs in a separate process to ensure that `open_basedir` changes
+     * don't impact other tests should an error occur.
+     *
+     * This test does not preserve global state to prevent the exception
+     * "Serialization of 'Closure' is not allowed" when running in
+     * a separate process.
+     *
+     * @ticket 42619
+     *
+     * @covers WP_Automatic_Updater::is_allowed_dir
+     *
+     * @runInSeparateProcess
+     * @preserveGlobalState disabled
+     */
+    public function test_is_allowed_dir_should_return_false_if_open_basedir_is_set_and_path_is_not_allowed() {
+        // The repository for PHPUnit and test suite resources.
+        $abspath_parent      = trailingslashit( dirname( ABSPATH ) );
+        $abspath_grandparent = trailingslashit( dirname( $abspath_parent ) );
+
+        $open_basedir_backup = ini_get( 'open_basedir' );
+        // Allow access to the directory one level above the repository.
+        ini_set( 'open_basedir', wp_normalize_path( $abspath_grandparent ) );
+
+        // Checking a directory not within the allowed path should trigger an `open_basedir` warning.
+        $actual = self::$updater->is_allowed_dir( '/.git' );
+
+        ini_set( 'open_basedir', $open_basedir_backup );
+
+        $this->assertFalse( $actual );
+    }
+
+    /**
+     * Tests that `WP_Automatic_Updater::is_allowed_dir()` throws `_doing_it_wrong()`
+     * when an invalid `$dir` argument is provided.
+     *
+     * @ticket 42619
+     *
+     * @covers WP_Automatic_Updater::is_allowed_dir
+     *
+     * @expectedIncorrectUsage WP_Automatic_Updater::is_allowed_dir
+     *
+     * @dataProvider data_is_allowed_dir_should_throw_doing_it_wrong_with_invalid_dir
+     *
+     * @param mixed $dir The directory to check.
+     */
+    public function test_is_allowed_dir_should_throw_doing_it_wrong_with_invalid_dir( $dir ) {
+        $this->assertFalse( self::$updater->is_allowed_dir( $dir ) );
+    }
+
+    /**
+     * Data provider.
+     *
+     * @return array[]
+     */
+    public function data_is_allowed_dir_should_throw_doing_it_wrong_with_invalid_dir() {
+        return array(
+            // Type checks and boolean comparisons.
+            'null'                              => array( 'dir' => null ),
+            '(bool) false'                      => array( 'dir' => false ),
+            '(bool) true'                       => array( 'dir' => true ),
+            '(int) 0'                           => array( 'dir' => 0 ),
+            '(int) -0'                          => array( 'dir' => -0 ),
+            '(int) 1'                           => array( 'dir' => 1 ),
+            '(int) -1'                          => array( 'dir' => -1 ),
+            '(float) 0.0'                       => array( 'dir' => 0.0 ),
+            '(float) -0.0'                      => array( 'dir' => -0.0 ),
+            '(float) 1.0'                       => array( 'dir' => 1.0 ),
+            'empty string'                      => array( 'dir' => '' ),
+            'empty array'                       => array( 'dir' => array() ),
+            'populated array'                   => array( 'dir' => array( ABSPATH ) ),
+            'empty object'                      => array( 'dir' => new stdClass() ),
+            'populated object'                  => array( 'dir' => (object) array( ABSPATH ) ),
+            'INF'                               => array( 'dir' => INF ),
+            'NAN'                               => array( 'dir' => NAN ),
+
+            // Ensures that `trim()` has been called.
+            'string with only spaces'           => array( 'dir' => '   ' ),
+            'string with only tabs'             => array( 'dir' => "\t\t" ),
+            'string with only newlines'         => array( 'dir' => "\n\n" ),
+            'string with only carriage returns' => array( 'dir' => "\r\r" ),
+        );
+    }
 }