The Archive_Tar library uses some functions which do not support stream wrappers, particularly dirname.

When called from update_manager_archive_extract, it is possible to pass a directory of the form: temporary://folder-that-does-not-exists/otherfolder as the directory parameter. This will cause Archive_Tar->_checkDir to attempt to create the folder 'temporary:' (which it won't be able to do) since it uses dirname to determine the parent directories of the extract location, and create them if they don't exist.

This doesn't show up as a bug in core (currently) as all calls of update_manager_archive_extract first call _update_manager_extract_directory which will create the directory if it doesn't exist. However, I feel that for completeness and robustness' sakes, we should avoid calling archiver->extract on streamwrapper style paths.

I'm attaching a patch to update.manager.inc that will remove the one location I see right now.

CommentFileSizeAuthor
#4 drupal-realpath-1379082-4.patch555 bytesmandar.harkare
use-realpaths-for-archiver-calls.patch527 bytesjec006
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

parthipanramesh’s picture

parthipanramesh CreditAttribution: parthipanramesh commented
Issue summary: View changes
Status: Needs review » Reviewed & tested by the community

Good! Patch does work fine.

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented
Version: 7.x-dev » 8.x-dev
Status: Reviewed & tested by the community » Needs work
Issue tags: +Needs backport to D7

Guess that's reasonable, but would need to go into Drupal 8 first.

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein commented

Also, the code comment needs a bit of work for grammar and to follow coding standards (https://drupal.org/coding-standards/docs#inline).

mandar.harkare’s picture

mandar.harkare CreditAttribution: mandar.harkare commented
FileSize
drupal-realpath-1379082-4.patch555 bytes
mandar.harkare’s picture

mandar.harkare CreditAttribution: mandar.harkare commented
Status: Needs work » Needs review

marvil07 queued 4: drupal-realpath-1379082-4.patch for re-testing.

marvil07’s picture

marvil07 CreditAttribution: marvil07 commented
Status: Needs review » Reviewed & tested by the community

Seems fine.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott commented
Category: Feature request » Bug report
Issue tags: +Needs tests

This looks like a bug and tests would be great.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott commented
Status: Reviewed & tested by the community » Needs work

re #8 and therefore this issue needs work.

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.9.x-dev » 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.2.x-dev » 9.3.x-dev

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

smustgrave’s picture

smustgrave CreditAttribution: smustgrave at Mobomo commented
Status: Needs work » Postponed (maintainer needs more info)

The function appears to have been updated several times

$extract_location = $directory . '/' . $project;
  if (file_exists($extract_location)) {
    try {
      \Drupal::service('file_system')->deleteRecursive($extract_location);
    }
    catch (FileException $e) {
      // Ignore failed deletes.
    }
  }

This current code before $archiver->extract($directory); appears to check the path.

Do you still experience this issue?

quietone’s picture

quietone CreditAttribution: quietone at PreviousNext commented
Status: Postponed (maintainer needs more info) » Closed (outdated)
Issue tags: +Bug Smash Initiative

Confirmation that this problem still exists has not been provided. And as pointed out in #21, there are not checks on the existence of the path.

Therefore, closing as outdated.