[MDL-43137] class loader breaks open_basedir - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.6
Fix Version/s: 2.6.1, 2.7
Component/s: Libraries
Labels:
- triaged

Affected Branches:
MOODLE_26_STABLE
Fixed Branches:
MOODLE_26_STABLE, MOODLE_27_STABLE
Pull from Repository:
https://github.com/skodak/moodle.git
Pull Master Branch:
w50_~~MDL-43137~~_m27_openbasedir
Pull Master Diff URL:
https://github.com/skodak/moodle/compare/master...w50_MDL-43137_m27_openbasedir
Workaround:

Hide

do not use open_basedir

Show
do not use open_basedir
Testing Instructions:

Hide

1/ enable open_basedir - such as adding this to your config.php:
ini_set('open_basedir', _DIR_.':'.$CFG->dataroot.':'.$CFG->behat_dataroot.':'.$CFG->phpunit_dataroot);
2/ try installation with existing config.php (==change db prefix) and upgrade from 2.5
3/ check error log - there should not be any open_basedir related problems

Show
1/ enable open_basedir - such as adding this to your config.php: ini_set('open_basedir', _ DIR _.':'.$CFG->dataroot.':'.$CFG->behat_dataroot.':'.$CFG->phpunit_dataroot); 2/ try installation with existing config.php (==change db prefix) and upgrade from 2.5 3/ check error log - there should not be any open_basedir related problems

Story Points:
2
Sprint:
BACKEND Sprint 7

Description

Looking at lib/classes/component.php the function load_classes() makes a quick check that the $fulldir parameter is valid by calling is_dir($fulldir). Unfortunately, this breaks if open_basedir is enabled as it is checking paths like /classes which will trigger the open_basedir restriction and cause Moodle to fail.

Would it not be better to do a comparison with $CFG->dirroot to see if $fulldir looks like a valid, absolute path?

More details in https://moodle.org/mod/forum/discuss.php?d=244818.

Attachments

Activity

People

Assignee:: Petr Skoda

Reporter:: Howard Miller

Peer reviewer:: Dan Poltawski

Integrator:: Marina Glancy

Tester:: Adrian Greeve

Participants:: Adrian Greeve, Dan Poltawski, Howard Miller, Jeffrey Smith, Marina Glancy, Matteo Scaramuccia, Petr Skoda, Sam Hemelryk, Sam T

Component watchers:: David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 29/Nov/13 11:22 PM

Updated:: 30/Nov/15 7:39 AM

Resolved:: 13/Dec/13 1:47 PM

Fix Release Date:: 13/Jan/14