php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79083 7.4.1 does not follow symlinks outside of documentroot while 7.4.0 does
Submitted: 2020-01-08 18:08 UTC Modified: 2020-02-27 14:11 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: calimeroteknik at free dot fr Assigned:
Status: Not a bug Package: FPM related
PHP Version: 7.4.1 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
38 + 25 = ?
Subscribe to this entry?

 
 [2020-01-08 18:08 UTC] calimeroteknik at free dot fr
Description:
------------
When I have a symbolic link in the path to a PHP file (could be a parent directory), which points outside of the DocumentRoot (apparently, this is what triggers the behavior) :

- with php-fpm 7.4.0 it works, the file renders.
- with php-fpm 7.4.1 I get the message "File not found." as the HTTP response, and "Primary script unknown" in the webserver's error log.

open_basedir was unset in this test.
Setting it to "/my/document/root:/path/to/symlink/destination" does not seem to change the results.

This was tested using php-fpm with apache 2.4.41 (event MPM) with no change in both cases.

Test script:
---------------
<?php phpinfo();


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-01-16 08:55 UTC] sjon@php.net
-Status: Open +Status: Feedback
 [2020-01-16 08:55 UTC] sjon@php.net
fpm has no notion of a "DocumentRoot" - it gets passed the absolute path from the webserver. It is therefore very likely your webserver resolves the symlink, not fpm.

You can verify this by enabling the fpm access.log and make sure it includes %f (the absolute script path). If this indicates an issue in PHP itself, please update this bug with relevant information
 [2020-01-21 17:59 UTC] calimeroteknik at free dot fr
Here is my test setup:
-rw-r--r-- /srv/http/phpinfo.php
lrwxrwxrwx /srv/http/symlink.php -> phpinfo.php
-rw-r--r-- /tmp/phpinfo.php
lrwxrwxrwx /srv/http/symlink2.php -> /tmp/phpinfo.php

Here is what access.log produces for the corresponding FPM pool:
- -  21/Jan/2020:18:46:42 +0100 "GET /phpinfo.php" 200
- -  21/Jan/2020:18:46:48 +0100 "GET /symlink.php" 200
- -  21/Jan/2020:18:52:20 +0100 "GET /symlink2.php" 404

Clearly, the webserver does not resolve the symlink, and php-fpm chooses to do so only when the target is within the document root, which is known to php-fpm since we see in the log that it has the query string.
 [2020-01-21 18:07 UTC] calimeroteknik at free dot fr
Oh wait. I misunderstood. Adding %f to the log format, here are the results:

access.format = "%R - %u %t \"%m %r\" %s \"%f\""

The log:
- -  21/Jan/2020:19:06:17 +0100 "GET /phpinfo.php" 200 "/srv/http/phpinfo.php"
- -  21/Jan/2020:19:06:29 +0100 "GET /symlink.php" 200 "/srv/http/symlink.php"
- -  21/Jan/2020:19:06:23 +0100 "GET /symlink2.php" 404 "-"

The webserver does not resolve the symlink, but we get "-" logged for %f.
 [2020-01-26 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2020-01-26 04:30 UTC] requinix@php.net
-Status: No Feedback +Status: Open
 [2020-01-27 14:08 UTC] calimeroteknik at free dot fr
From the very beginning I wasn't sure if this was a bug: it might have been intended, although the changelog doesn't mention it.

As far as I'm concerned, it's inconvenient to be unable to have symlinks that point outside of the documentroot, and this came specifically from a PHP update.

I have no idea how to interpret the "-" for the "%f" field of php-fpm's access.log: at what point did the path become that dash and why?
 [2020-02-20 10:04 UTC] jkal at posteo dot eu
is it caused by the systemd service that runs php-fpm? around the time of that version change, the following option was added to the service definition on arch linux:
~~~
# The directories /home, /root and /run/user are made inaccessible and empty for processes
# invoked by this unit.
ProtectHome=true
~~~
there is a similar option for the /tmp directory "PrivateTmp=true".
i experienced the behaviour explained in this bugreport, while my symlink pointed into /home.
 [2020-02-27 12:16 UTC] calimeroteknik at free dot fr
-Status: Open +Status: Closed
 [2020-02-27 12:16 UTC] calimeroteknik at free dot fr
Yes indeed, this surprise-behaviour was coming from the systemd unit file.

So in the end it's much the same as this:
http://stackoverflow.com/questions/1038170/mysql-select-into-outfile-tmp-no-output
 [2020-02-27 14:11 UTC] cmb@php.net
-Status: Closed +Status: Not a bug
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sun Aug 09 10:01:24 2020 UTC