Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Followup of: #1959062: Check safe_mode = Off requirement early
At the moment an exception is thrown on page load when the php open_basedir security setting is activated.
We have to discuss about
- Whether to drop support of open_basedir and add an requirement check on installation.
(as it is not really secure and can be bypassed by php extensions quite easily) - Whether to keep support of open_basedir and resolve the fatal bug we currently have when it's enabled.
(as there are a lot of people who like open_basedir as an easy way to secure their php installation)
Comment | File | Size | Author |
---|---|---|---|
#30 | 2019911-30.patch | 735 bytes | johnmcc |
#26 | 2019911-26.patch | 736 bytes | johnmcc |
Comments
Comment #0.0
patrickd CreditAttribution: patrickd commentedMore highlighting
Comment #1
John Pitcairn CreditAttribution: John Pitcairn commentedPlease keep support and resolve the bug. Many hosting providers and IT departments insist on open_basedir being on, regardless of whether it provides any real security. It is not deprecated in current php versions.
Hosting providers may be able to be persuaded to turn it off, or we can choose a different provider. But in the case of in-house IT departments, we will have to tell the client project lead that we cannot use Drupal 8, because according to their IT department it requires an "insecure" php configuration. There is generally no arguing with IT. Ouch.
Comment #2
brad.bulger CreditAttribution: brad.bulger commentedresolving "the bug" is not a straightforward task. repeating from #1959062-18: Check safe_mode = Off requirement early:
testing that glob() has not returned FALSE in InstallStorage->getComponentNames() prevents that exception. that looks like a PHP bug - https://bugs.php.net/bug.php?id=47358
instead, the installation fails in "Verify requirements" (core/install.php?langcode=en&profile=standard) with the message
additionally, a number of contributed libraries are at least potentially vulnerable to that PHP bug, and we can't fix their code directly if that turns out to be a problem.
Comment #3
dcrocks CreditAttribution: dcrocks commentedClosed #2032907: OPEN_BASEDIR set causes drupal 8 install fail as duplicate of this. And since this stops install of D8, I think we should raise priority to get some attention.
Comment #4
kingfisher64 CreditAttribution: kingfisher64 commentedBeen referred here from https://drupal.org/node/2030407. Getting the following error:
Warning: Invalid argument supplied for foreach() in Drupal\Core\Config\InstallStorage->getComponentNames() (line 138 of core/lib/Drupal/Core/Config/InstallStorage.php
Would it be better to merge the above thread into this one or vice versa to keep it to just one thread?
Comment #5
pantherqin CreditAttribution: pantherqin commentedSo is there a quick fix for this bug? How could I install the current dev version of drupal 8 while facing this critical bug?
Thanks!
Comment #6
dcrocks CreditAttribution: dcrocks commentedSet "open_basedir" to off in your php.ini file.
Comment #7
kingfisher64 CreditAttribution: kingfisher64 commentedSurely the solution of having to changes a system's default php setup to allow drupal 8 installation isn't a fix.
Is this is not a case of it just not being fixed yet or come first official release are we all going to be confronted with this issue?
I'm somewhat confused as to whether this is a bug or a general way of working with 8.
Tried for a few months now to install 8 dev and it just fails.
Many thanks for any replies.
Comment #8
patrickd CreditAttribution: patrickd commentedper default the open_basedir setting is not turned on in php, so that's not an issue.
whether it's a bug depends on whether we support the open_basedir option.
if we decide that we just don't support it, because it sucks anyway and gives people a wrong feeling of security -> it's not a bug
if we decide to support it - but it currently does not work -> it is a bug
Comment #9
kingfisher64 CreditAttribution: kingfisher64 commented@patrickd - thank you for taking the time to clarify what's happening.
So who is deciding if this is to be supported? Is it the community or a specific set of individuals? I'd really like to test 8 out along with some of the pre existing modules to report bugs etc.
Thanks again
Comment #10
patrickd CreditAttribution: patrickd commentedeither we find a common consensus or one of the core committers / dries will decide on this.
you are totally welcome to test as much as you want right now, if you don't get it working locally and can't find out why you can still use online services such as simplytest.me or register your own sandbox on pantheon, acquia etc.
(lets not get this discussion too off topic)
Comment #11
dcrocks CreditAttribution: dcrocks commentedThis might not be getting much attention because it may be filed under the wrong component. It seems obvious that it is a 'base system' problem but it could be interpreted in other ways. An extreme would be to file it as a security issue, ie, supporting 'open_basedir' could raise security issues. But since it prevents install we might get more attention by filing it there. The only other thing would be to assign it to one of the maintainers, but I'm not sure of what the etiquette is for that.
Comment #12
kingfisher64 CreditAttribution: kingfisher64 commentedThank you for the advice, I have 8 running nicely now, so can help testing new modules out.
Come to the forefront mr decision maker and give this a little attention :)
Comment #13
valdir.marcos CreditAttribution: valdir.marcos commentedPlease, take a look at "Warning: Invalid argument supplied for foreach() in Drupal\Core\Config\InstallStorage->getComponentNames()".
Comment #14
marcingy CreditAttribution: marcingy commentedDon't touch versions
Comment #15
jenlamptonI just wanted to add that I don't think the stated exception (see comment #15) is actually realated to an
open_basedir
setting at all.I'm getting that exact same error (see below) and my
open_basedir
is currently set tono value
.I am still looking for a solution to my problem, but I don't think it's this.
The patch provided in comment #19 in the other issue did not prevent these errors.
Comment #16
dcrocks CreditAttribution: dcrocks commentedIf yours isn't an open_basedir problem, shouldn't it be a separate issue? Though the relevant discussion in #1959062: Check safe_mode = Off requirement early(comments 12-28) certainly would add to this issue.
Comment #17
samhassell CreditAttribution: samhassell commented@jenlampton - my open_basedir was disabled / commented out in php.ini and I was getting the error. I then set it specifically to 'off' and the error went away. So it is somehow related i think.
Comment #18
Antonín Slejška CreditAttribution: Antonín Slejška commentedI try to install Drupal 8.0-alpha3. I get a few error messages "Warning: Invalid argument supplied for foreach() in /var/www/web437/html/antonin-journal/core/lib/Drupal/Core/Config/InstallStorage.php on line 138".
See: http://journal.slejska.de/
PHP configuration: http://journal.slejska.de/info.php
I use a shared hosting with limited possibilities to edit php.ini. So, I can not change settings for "open_basedir". Is there some solution?
Comment #19
mxhI think dropping support for open_basedir is not a solution. D8 will lose a lot of users then, because many hosting providers force open_basedir to be enabled. Furthermore, the default open_basedir value is NULL (http://php.net/manual/de/ini.core.php), that means it's not really set to 'off'. As in #17 mentioned, this setting has to be explicitly set to off in the .ini configuration file to get rid of the errors described here. Many users are gonna declare report this as a bug when they see these errors on the first installation screen on their 'fresh' environment.
Comment #20
kingfisher64 CreditAttribution: kingfisher64 commentedGiven comments about users who don't have access to php.ini to disable open_basedir not being able to install drupal 8 this is most definitely a critical error. If users can't install the system, it doesn't get anymore problematic than that.
Comment #21
catchI'd be fine with an explicit hook_requirement() for the installer so it's clear that we don't support it at the moment - that would hopefully help to stop some of the confusion about what the bug is. We could then open a separate issue to add support back and/or look at exactly how much of an issue this is with shared hosting providers.
Comment #22
patrickd CreditAttribution: patrickd commentedAFAIK a hook_requirement() won't help here, when you have the option enabled you won't be able to reach the installation.
The requirement check has to happen earlier (core/install.php)
Comment #23
catchYes sorry installer requirement rather than hook_requirements().
Comment #24
mxh#21 sounds good for me, giving users of the current d8 build the info that they need to disable it and the developers the time to discuss about / fix the open_basedir issue.
Comment #25
catchOpened #2110863: Support open_basedir.
Re-titling. This should be doable by a new contributor so adding tag.
Comment #26
johnmcc CreditAttribution: johnmcc commentedPatch as requested; feedback welcome :)
Comment #27
cpj CreditAttribution: cpj commentedAs far as I can tell, the patch works. But does anyone know why Drupal 8 doesn't support open_basedir ? Is this a deliberate decision for some reason ?
Symfony2 (the full framework) certainly does support it and is often installed to make use of open_basedir, with a minimal web root folder, and all the source & library files in the parent folder. I have at least a dozen Symfony2 sites built that way.
Comment #28
catch@cpj, see #2110863: Support open_basedir. It's not a deliberate decision, it was just broken at some point, but this issue has resulted in several confusing bug reports when people can't get past the installer when trying Drupal 8, so better to explicitly fail then add the support back later. #2 has an explanation of the actual bug here.
Comment #29
jibranwhite space.
Comment #30
johnmcc CreditAttribution: johnmcc commentedFixed whitespace at EOL.
Comment #31
catchI think this is fine, I won't commit this - could use a second opinion on the strategy. Reminder that #2110863: Support open_basedir is open to fix the bug, this is a stop gap to prevent confusing duplicate bug reports.
Comment #32
alexpottCommitted 1ce62e0 and pushed to 8.x. Thanks!
This approach seems reasonable stop gap.
Comment #34
valdir.marcos CreditAttribution: valdir.marcos commentedI am trying Drupal 8 alpha 7 on a shared hosting company (where I can not request open_basedir to be turned off) and the error still persists :
"Your PHP installation has open_basedir enabled. Drupal currently requires the open_basedir option to be turned off. See the --PHP manual-- for details of how to do this. This issue is currently --under discussion at drupal.org--."
http://www.php.net/manual/en/ini.core.php#ini.open-basedir
https://drupal.org/node/2110863
Comment #35
valdir.marcos CreditAttribution: valdir.marcos commentedComment #36
catchThat's the exact message you should get. See #2110863: Support open_basedir for removing it.
Comment #37
valdir.marcos CreditAttribution: valdir.marcos commentedGetting an error message is not a solution, make Drupal 8 install and the result site works is a solution, so I think this bug report should be kept opened until a solution is really found or built.
Comment #38
marcingy CreditAttribution: marcingy commented@valdir.marcos this issue was about adding a meaningful error message and making open_basedir formally unsupported. The issue Catch referred to where efforts are taking place to add support for open_basedir, so this issues is correctly closed as it fixes what it was attempting too.
Comment #39
valdir.marcos CreditAttribution: valdir.marcos commented@marcingy, thanks for the information.