Page MenuHomePhabricator

external PHP can't be started - open_basedir not checked
Closed, ResolvedPublic

Description

Probably since https://gerrit.wikimedia.org/r/#/c/59797/ job handling starts an external php process by default.

This fails if open_basedir does not contain /usr/bin/

There should be a check for the open_basedir, and an automatic fallback to the internal job queue.


Version: 1.22.1
Severity: major
See Also:
https://bugzilla.wikimedia.org/show_bug.cgi?id=58719
https://bugzilla.wikimedia.org/show_bug.cgi?id=62092

Details

Reference
bz60208

Event Timeline

bzimport raised the priority of this task from to Medium.Nov 22 2014, 3:05 AM
bzimport set Reference to bz60208.
bzimport added a subscriber: Unknown Object (MLST).

I agree. Note that the open_basedir check should not be done against /usr/bin/, but against the actual value of $wgPhpCli (which defaults to /usr/bin/, but also might be different).

In master this already checks is_executable(), which should handle open_basedir.

Maybe, but it still logs a warning every time it looks for the PHP binary :-(

From my error_log: (domains replaced with domain.de/otherdomain.de)

[error] [client IP_HIDDEN] PHP Warning: is_executable(): open_basedir restriction in effect. File(/usr/bin/php) is not within the allowed path(s): (/home/www/domain.de/:/home/www/all:/home/www/otherdomain.de/httpdocs/wiki/images/) in /home/www/domain.de/httpdocs/wiki/includes/Wiki.php on line 652, referer: http://www.domain.de/Wikipage

Change 113038 merged by jenkins-bot:
Moved job running via $wgJobRunRate to a special API

https://gerrit.wikimedia.org/r/113038