
clearCompiledTemplate pointing at /!

 
Synchro
Smarty Regular

Joined: 27 Apr 2008
Posts: 43

Posted: Mon Jan 19, 2015 3:28 am    Post subject: clearCompiledTemplate pointing at /!

I'm running 3.1.19, and I just ran into a case where clearCompiledTemplates ends up pointing at '/' as the compiled template path, and thus tries to delete everything!

For some reason, this line in sysplugins/smarty_internal_utility.php:

Code:
        $_compile_dir = realpath($smarty->getCompileDir()) . '/';

Results in an empty string coming from getCompileDir, even though my Smarty subclass sets it like this:

Code:
   $this->setCompileDir(__DIR__.'/templates_c');

I can't see how that could ever result in an empty string! As a safety measure I've added this sanity-check code after $_compile_dir is set:

Code:
        if ($_compile_dir == '/') { //We should never want to delete this!
            return 0;
        }

Obviously it would be much better to figure out why this is happening in the first place, but at least this limits the potential for destruction.

I'm running PHP 5.4, so __DIR__ is defined, and the docs say it will not have a trailing separator.

I saw this report too: http://www.smarty.net/forums/viewtopic.php?t=24867 so I gather there have been some changes in this area fairly recently.

Can you think of anything that might make this happen?
U.Tews
Administrator

Joined: 22 Nov 2006
Posts: 5068
Location: Hamburg / Germany

Posted: Tue Jan 20, 2015 2:24 am

See the following note at http://php.net/manual/en/function.realpath.php

Quote:
Note:
The running script must have executable permissions on all directories in the hierarchy, otherwise realpath() will return FALSE.


I think that getCompiledDir() does return the right value, but realpath does return false because of missing permissions.

Could you check if above was causing the problem?

Do you get errors if you run $smarty->testInstall() after configuring the directories?
Synchro
Smarty Regular

Joined: 27 Apr 2008
Posts: 43

Posted: Tue Jan 20, 2015 12:07 pm

I didn't know about testInstall - thanks for that tip.

It was indeed that getCompileDir was returning the correct value, but realPath was making it fail. The reason it failed is that I'm using various compile IDs and it was not creating folders for them in templates_c, even though it had permission, so it was failing to find it at all, not just failing on permissions. I'm not sure why this was happening because some other compile ID folders have been created automatically in the past. After I created the folders within templates_c manually, it worked correctly.

Still - having it fail this way and try to delete / should be avoided!

The code I added seems a reasonable solution since if it doesn't have permission then it couldn't delete the files anyway, and if the folder doesn't exist then there's nothing to delete - in either case returning 0 is understandable.
U.Tews
Administrator

Joined: 22 Nov 2006
Posts: 5068
Location: Hamburg / Germany

Posted: Tue Jan 20, 2015 4:05 pm

Compile ID's could not be the problem.
Compile ID's do normally create subfolders automatically under the compile_dir (./template_c) folder.
The error occurred on the template_c folder level and not at the subfolder created by the compile_id's.
If compile_id's did not automatically create subfolders it looks again like permission problems.

Anyway we will change the code not to delete everything.
Synchro
Smarty Regular

Joined: 27 Apr 2008
Posts: 43

Posted: Tue Jan 20, 2015 4:21 pm

OK, thanks.
U.Tews
Administrator

Joined: 22 Nov 2006
Posts: 5068
Location: Hamburg / Germany

Posted: Tue Jan 20, 2015 9:47 pm

The fix to prevent unintended deletion on permission errors is now on Github.

You can download the current status of the upcoming version 3.1.22 from https://github.com/smarty-php/smarty
Back to top
Aristophan
Smarty Regular

Joined: 10 Jan 2011
Posts: 96

Posted: Wed Jan 21, 2015 10:47 am

Quote:
The fix to prevent unintended deletion on permission errors is now on Github.

Uwe, this is backportable, easily, isn't it?
Synchro
Smarty Regular

Joined: 27 Apr 2008
Posts: 43

Posted: Wed Jan 21, 2015 11:03 am

I see that the patch you did checks the value returned by realpath. The only problem with that is that if compiledir is set to / for any reason, it may possibly pass this test and still allow the deletion attempt. This is why I checked the resulting path rather than the response from realpath. I think it should act like 'rm' does in Linux - it refuses to work if you try to delete / (unless you specify --no-preserve-root).
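The two checks discussed in the posts above (the return value of realpath() and the resolved path itself), combined as an added example; this is not the code from the Smarty repository or from either poster. The helper name resolveCompileDir() is hypothetical, the input paths are constructed, and PHP 7.1 or later is assumed.

```php
<?php
/**
 * Hypothetical helper (added example, not Smarty's code): resolve a
 * configured compile directory to a path that is safe to clear.
 * Returns the canonical path with a trailing separator, or null when
 * nothing should be deleted.
 */
function resolveCompileDir(string $configured): ?string
{
    // realpath() returns false when the path does not exist or a parent
    // directory is not traversable. false . '/' is the string '/', which
    // is how the root directory became the deletion target in this thread.
    $real = realpath($configured);
    if ($real === false || !is_dir($real)) {
        return null;
    }

    // Second check, on the resolved path itself: refuse a filesystem root
    // even when it was configured deliberately (like rm's preserve-root).
    // dirname() of a root is the root: '/' on POSIX, 'C:\' on Windows.
    if (dirname($real) === $real) {
        return null;
    }

    return rtrim($real, '/\\') . DIRECTORY_SEPARATOR;
}

// Constructed inputs: a missing directory, the root, and a real directory.
$existing = sys_get_temp_dir() . '/templates_c_demo_' . getmypid();
mkdir($existing);

$cases = [
    'missing directory'  => $existing . '_missing',
    'filesystem root'    => '/',
    'existing directory' => $existing,
];

foreach ($cases as $label => $path) {
    // The pattern quoted in the first post, shown for comparison only.
    $unchecked = realpath($path) . '/';
    $checked   = resolveCompileDir($path);
    printf("%-19s unchecked=%-45s checked=%s\n",
        $label, $unchecked, $checked ?? '(refuse to delete)');
}

rmdir($existing);
```

For the missing directory the unchecked expression evaluates to `/`, while the helper returns null in both the missing and the root case.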
U.Tews
Administrator

Joined: 22 Nov 2006
Posts: 5068
Location: Hamburg / Germany

Posted: Wed Jan 21, 2015 9:22 pm

Agreed.

Same sort of patch was also needed in smarty_internal_cacheresource_file.php.

It's on Github now.

I will later try to get rid of realpath().

Same patch should work also on earlier versions.
Synchro
Smarty Regular

Joined: 27 Apr 2008
Posts: 43

Posted: Thu Apr 23, 2015 7:48 pm    Post subject: Still happening

Eek! I've just run into the same problem in 3.1.21 loaded from composer. I had assumed that this had been fixed so I dropped my patched version in favour of that. I see that the results of the realpath call are still not checked. This time it's slightly different in that the thing that stopped it was missing permissions on /root! Of course it should not have been going anywhere near that.

This bug is absolutely lethal - it has destroyed several server installations I work with. Please could you improve the checking around compile dir to prevent this from happening.
Synchro
Smarty Regular

Joined: 27 Apr 2008
Posts: 43

Posted: Thu Apr 23, 2015 8:05 pm

Ah - I see my patch is in github, but seems not to have been released. Any chance you could make a release? Alternatively, how stable do you consider dev-master?
Synchro
Smarty Regular

Joined: 27 Apr 2008
Posts: 43

Posted: Thu Apr 23, 2015 8:41 pm

I was just trying to use dev from composer. The docs say to use this:

"smarty/smarty": "~3.1@dev"

however, that doesn't appear to match anything different, and it resolves to the 3.1.21 release.

I changed it to the '3.1.x-dev' alias (as mentioned in composer.json) and it does pull dev-master.
U.Tews
Administrator

Joined: 22 Nov 2006
Posts: 5068
Location: Hamburg / Germany

Posted: Thu Apr 23, 2015 10:14 pm

Synchro wrote:
I was just trying to use dev from composer. The docs say to use this:

"smarty/smarty": "~3.1@dev"

however, that doesn't appear to match anything different, and it resolves to the 3.1.21 release.

I changed it to the '3.1.x-dev' alias (as mentioned in composer.json) and it does pull dev-master.


"smarty/smarty": "~3.1@dev" does work at my place.
Maybe you use some other composer settings causing it to switch to the latest stable version
Synchro
Smarty Regular

Joined: 27 Apr 2008
Posts: 43

Posted: Fri Apr 24, 2015 7:45 am

I figured out what was causing it. I needed to set:

"minimum-stability": "stable",
"prefer-stable": false,