Opened 2 years ago

Last modified 21 months ago

#42619 new defect (bug)

WordPress tries to access /home/.bzr but to no avail

Reported by: meyegui
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.9
Component: Upgrade/Install
Keywords: needs-patch
Focuses:
Cc:
PR Number:

Description

Hi,

I'm getting the following error in my logs. I'm aware that I have open_basedir enabled, but I don't think WordPress should try to read files outside its installation directory. If I'm mistaken, I'm sorry and I'll be glad to receive any explanation as to why.

This bug doesn't generate any visible error or message other than this log, so I would definitely consider it "low severity". The log file was generated by a plugin of mine, but as you can see, the error doesn't occur in my own files. It's located in a core file.

Here's what I get in my log file:

[14:35:04]	
******************
PHP SHUTDOWN ERROR

Type: 2
Message: is_dir(): open_basedir restriction in effect. File(/home/.bzr) is not within the allowed path(s): (/home/httpd/vhosts/[hidden]/:/tmp/)
File: /home/httpd/vhosts/[hidden]/subdomains/[hidden]/wp-admin/includes/class-wp-automatic-updater.php:98
******************

Best regards

Change History (2)

#1 @meyegui
21 months ago

Still happening in WordPress 4.9.2.

Any idea why WP would try to read that file?

#2 @dd32
21 months ago

  • Component changed from General to Upgrade/Install
  • Keywords needs-patch added

Hi @meyegui and welcome to Trac.

I'd like to apologise for this ticket not getting a response until now.

This is caused by WordPress checking to see if it's running within a version-controlled environment, and avoiding autoupdating if that's the case.
The code responsible for this is located here: https://core.trac.wordpress.org/browser/trunk/src/wp-admin/includes/class-wp-automatic-updater.php?marks=74-106#L58

WordPress doesn't take into consideration the PHP open_basedir setting, which causes it to process further up the path list than expected.

#35536 is a related ticket, where it processes up into completely invalid directories.

If you're curious as to why we care about a .git or .bzr file in a /home/username/ folder, it's because we decided to be ultra-conservative and check all the way up to / instead of just the parent directory of WordPress to see if it's running within a VCS environment.
We could probably relax this restriction to checking the immediate parent of WordPress only, but that wouldn't take into account some edge cases of deployment situations where, for example, the VCS files are in the grandparent instead. Like I said, this code was written extremely conservatively.

Fixing this by adding a check to ensure that it's not going to run into an open_basedir restriction would be good, although maybe we can look at relaxing this restriction in the first place at the same time.
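
One way the open_basedir check suggested in comment #2 could look, as an added example that is not WordPress core code or a proposed patch. All function names are hypothetical, the sample path is constructed, and the .svn and .hg names are assumed alongside the .git and .bzr mentioned in the ticket.

```php
<?php
// Added example, not WordPress core code; all function names are hypothetical.

// True if $dir lies inside an open_basedir entry. An empty setting means no
// restriction. Assumption: each entry is matched as a directory, not a prefix.
function example_dir_allowed( string $dir, string $open_basedir ): bool {
    if ( '' === $open_basedir ) {
        return true;
    }
    $dir = rtrim( $dir, '/' ) . '/';
    foreach ( explode( PATH_SEPARATOR, $open_basedir ) as $base ) {
        if ( '' !== $base && 0 === strpos( $dir, rtrim( $base, '/' ) . '/' ) ) {
            return true;
        }
    }
    return false;
}

// Walk from $start up to the filesystem root and sort each directory into
// 'probe' (allowed) or 'skip' (is_dir() there would trigger the warning).
function example_vcs_check_dirs( string $start, string $open_basedir ): array {
    $dirs = array( 'probe' => array(), 'skip' => array() );
    $dir  = ( '/' === $start ) ? '/' : rtrim( $start, '/' );
    do {
        $key            = example_dir_allowed( $dir, $open_basedir ) ? 'probe' : 'skip';
        $dirs[ $key ][] = $dir;
        $last           = $dir;
        $dir            = dirname( $dir );
    } while ( $dir !== $last );
    return $dirs;
}

// VCS check that never touches a directory outside open_basedir.
function example_is_vcs_checkout( string $start, string $open_basedir ): bool {
    foreach ( example_vcs_check_dirs( $start, $open_basedir )['probe'] as $dir ) {
        foreach ( array( '.svn', '.git', '.hg', '.bzr' ) as $vcs ) {
            if ( is_dir( rtrim( $dir, '/' ) . '/' . $vcs ) ) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample modelled on the log above ("example.test" is made up).
$base = '/home/httpd/vhosts/example.test/:/tmp/';
print_r( example_vcs_check_dirs( '/home/httpd/vhosts/example.test/subdomains/blog', $base ) );
var_dump( example_is_vcs_checkout( __DIR__, (string) ini_get( 'open_basedir' ) ) );
```

The comparison is purely textual, so a path reached through a symlink would need resolving before it is compared against the open_basedir entries.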
