Make WordPress Core

Opened 5 weeks ago

Closed 3 weeks ago

Last modified 3 weeks ago

#61834 closed defect (bug) (fixed)

class-wp-site-health-auto-updates.php triggers error when basedir restrictions in effect

Reported by: keffr3n's profile Keffr3n Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 6.7 Priority: normal
Severity: normal Version: 6.6.1
Component: Filesystem API Keywords: has-patch needs-testing
Focuses: Cc:

Description

Hello, for security reasons, the php pools serving my wordpress instances are isolated with open_basedir directive.
For site example.com, it's basedir is fixed to /www/example.com.

But in class-wp-site-health-auto-updates.php, paths outside this directory are tested: /.git, /www/.git and this throws errors.
instead of testing with is_dir, could you test also for access? like with is_readable()?

Attachments (1)

basedir error.webp (39.4 KB) - added by Keffr3n 5 weeks ago.

Download all attachments as: .zip

Change History (7)

This ticket was mentioned in PR #7153 on WordPress/wordpress-develop by @narenin.


5 weeks ago
#1

  • Keywords has-patch added

#2 @jrf
5 weeks ago

  • Focuses php-compatibility removed
  • Keywords needs-testing added; changes-requested removed

#3 @SergeyBiryukov
5 weeks ago

  • Milestone changed from Awaiting Review to 6.7

#4 in reply to: ↑ description @SergeyBiryukov
3 weeks ago

Hi there, thanks for the ticket! I was able to reproduce the issue. For anyone testing, note that the warning here may not be displayed on screen due to this test being performed via a REST API request, for which display_errors is off by default in wp_debug_mode(), so make sure to check the error log.

Replying to Keffr3n:

instead of testing with is_dir, could you test also for access? like with is_readable()?

In my testing, is_readable() appears to throw the same warning. However, we did resolve a similar issue previously in [55425] / #42619, so we can reuse WP_Automatic_Updater::is_allowed_dir() here.

#5 @SergeyBiryukov
3 weeks ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 58921:

Site Health: Check if the directories are allowed when testing for a VCS checkout.

As part of determining whether to perform automatic updates, WordPress checks if it is running within a version-controlled environment, recursively looking up the filesystem to the top of the drive, looking for a Subversion, Git, Mercurial, or Bazaar directory, erring on the side of detecting a VCS checkout somewhere.

This commit reuses WP_Automatic_Updater::is_allowed_dir() in the Site Health test to avoid a PHP warning if the open_basedir directive is in use and any of the directories checked in the process are not allowed:

is_dir(): open_basedir restriction in effect. File(/.git) is not within the allowed path(s)

Follow-up to [44986], [55425].

Props Keffr3n, narenin.
Fixes #61834.

@SergeyBiryukov commented on PR #7153:


3 weeks ago
#6

Thanks for the PR! Merged a slightly different approach in r58921.

Note: See TracTickets for help on using tickets.