[TYPO3-core] REMINDER RFC #8130: Bug: addService() working with open_basedir and symlink
Xavier Perseguers
typo3 at perseguers.ch
Fri Oct 17 10:52:12 CEST 2008
Hi!
> Xavier Perseguers wrote:
>> Reminder #>=3 (I do not have the first reminder(s) anymore)
>
> The patch becomes obsolete if clean up to t3lib_exec is committed.
> t3lib_exec::_fixPath() will become protected, so it cannot be accessed.
For sure ;-)
> However take a look to that thread. I think I solved this problem in
> other way.
I don't think so, the problem still remains as is_executable does not
stick to the given directory:
$ ls -l /var/www/typo3-exec
lrwxrwxrwx 1 root root 16 2007-09-04 08:47 convert -> /usr/bin/convert
With open_basedir listing /var/www/typo3-exec, the different exec
functions of PHP let you use /var/www/typo3-exec/convert happily but if
you try to check whether you may run the command, namely using
is_executable, then the symbolic link is first resolved to
/usr/bin/convert, then a warning is thrown that open_basedir
restrictions are activated and that /usr/bin is not within the allowed
path(s) and finally is_executable returns FALSE!
--
Xavier Perseguers
http://xavier.perseguers.ch/en/tutorials/typo3.html
More information about the TYPO3-team-core
mailing list