Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[11.x] Fix PHP_MAXPATHLEN check for existing check of files for views #50962

Merged
merged 3 commits into from
Apr 9, 2024

Conversation

joshuaruesweg
Copy link
Contributor

@joshuaruesweg joshuaruesweg commented Apr 8, 2024

Laravel can throw an error File name is longer than the maximum allowed path length on this platform, If a string is passed to the function Blade::render, which is the same length or slightly shorter than \PHP_MAXPATHLEN [1]. This happens due to an invalid check for the filename, because the filename gets an prefix (full path) and suffix (e.g. .blade.php) before the existence is checked. This leads to a filename, which is greater than \PHP_MAXPATHLEN which results in a PHP warning.

Thus PHP warning is only thrown, if open_basedir [2] is configured [3].

[1] https://www.php.net/manual/en/reserved.constants.php#constant.php-maxpathlen
[2] https://www.php.net/manual/en/ini.core.php#ini.open-basedir
[3] https://github.com/php/php-src/blob/7c860628cd2bf11ee867bfb41b3fd0314c5177c5/main/fopen_wrappers.c#L302

@joshuaruesweg joshuaruesweg marked this pull request as draft April 8, 2024 13:15
@joshuaruesweg joshuaruesweg force-pushed the fix_php_maxpathlen_views branch 5 times, most recently from 7fa41d6 to cfaa329 Compare April 8, 2024 16:05
A PHP warning can occur if the filename is a little less than (or equal to) \PHP_MAXPATHLEN [1] AND open_basedir [2] is configured (otherwise PHP will not throw this error [3]). By searching for the filename and appending a suffix (and also using the absolute path), we may exceed the limit. If the limit is exceeded, PHP throws a warning message [4] and Laravel aborts the execution of the code.

[1] https://www.php.net/manual/en/reserved.constants.php#constant.php-maxpathlen
[2] https://www.php.net/manual/en/ini.core.php#ini.open-basedir
[3] https://github.com/php/php-src/blob/7c860628cd2bf11ee867bfb41b3fd0314c5177c5/main/fopen_wrappers.c#L302
[4] File name is longer than the maximum allowed path length on this platform
A PHP warning can occur if the filename is a little less than (or equal to) \PHP_MAXPATHLEN [1] AND open_basedir [2] is configured (otherwise PHP will not throw this error [3]). By searching for the filename and appending a suffix (and also using the absolute path), we may exceed the limit. If the limit is exceeded, PHP throws a warning message [4] and Laravel aborts the execution of the code.

[1] https://www.php.net/manual/en/reserved.constants.php#constant.php-maxpathlen
[2] https://www.php.net/manual/en/ini.core.php#ini.open-basedir
[3] https://github.com/php/php-src/blob/7c860628cd2bf11ee867bfb41b3fd0314c5177c5/main/fopen_wrappers.c#L302
[4] File name is longer than the maximum allowed path length on this platform
@joshuaruesweg joshuaruesweg force-pushed the fix_php_maxpathlen_views branch from cfaa329 to 50b8885 Compare April 8, 2024 16:13
@joshuaruesweg joshuaruesweg marked this pull request as ready for review April 8, 2024 16:14
@taylorotwell taylorotwell merged commit f36f194 into laravel:11.x Apr 9, 2024
28 checks passed
@joshuaruesweg joshuaruesweg deleted the fix_php_maxpathlen_views branch April 9, 2024 14:33
joshuaruesweg added a commit to joshuaruesweg/framework that referenced this pull request Jun 20, 2024
The previous test was wrong. In fact, `PHP_MAXPATHLEN` is not the maximum length of a file, but `PHP_MAXPATHLEN - 1`. This is checked internally in the PHP source code and if the file is PHP_MAXPATHLEN characters long or longer, the error is thrown in Open-Base-Dir [1].

The problem was incompletely fixed here: laravel#50962

[1] https://github.com/php/php-src/blob/7c860628cd2bf11ee867bfb41b3fd0314c5177c5/main/fopen_wrappers.c#L301
taylorotwell pushed a commit that referenced this pull request Jun 20, 2024
…_MAXPATHLEN (#51850)

* Fix `PHP_MAXPATHLEN` test

This test was incorrect because it does not take into account the paths that are prefixed in the FileViewFinder. This means that we have so far tested a path that is significantly longer than `PHP_MAXPATHLEN`. As we cannot reliably access the path, we approach `PHP_MAXPATHLEN` and test all file names from `PHP_MAXPATHLEN - 200` to `PHP_MAXPATHLEN + 1`.

* Fix `PHP_MAXPATHLEN` check

The previous test was wrong. In fact, `PHP_MAXPATHLEN` is not the maximum length of a file, but `PHP_MAXPATHLEN - 1`. This is checked internally in the PHP source code and if the file is PHP_MAXPATHLEN characters long or longer, the error is thrown in Open-Base-Dir [1].

The problem was incompletely fixed here: #50962

[1] https://github.com/php/php-src/blob/7c860628cd2bf11ee867bfb41b3fd0314c5177c5/main/fopen_wrappers.c#L301
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants