
Sunday, March 13, 2022

[FIXED] how to debug cakephp 3.5 cache basedir issue?

March 13, 2022     caching, cakephp, cakephp-3.0, php

Issue

I have an app in CakePHP 3 which started to report "open_basedir restriction in effect. File(/) is not within the allowed path(s)" a few weeks ago. I tried to debug it, but I wasn't successful in finding the reason why. The app worked okay for about 2.5 years, and the error just started to appear now, without any changes to the code parts which use caching and without changing the config. In the config I have "path" set correctly for every cache mode. It also does not come from a consistent URL/method. It appears randomly in less than 1% of calls now. It was more frequent the first week or so. Is there any way to debug this and find the reason? Do you know any possible reason for this behavior? I have tried everything I could think of, but without success.

Example of config:

'hour' => [
    'className' => 'File',
    'path' => CACHE,
    'serialize' => true,
    'duration' => '+1 hour',
    'url' => env('CACHE_DEFAULT_URL', null),
],

Debug trace of one example:

Cake\Error\BaseErrorHandler::handleError() - CORE/src/Error/BaseErrorHandler.php, line 153
is_dir - [internal], line ??
Cake\Cache\Engine\FileEngine::_clearDirectory() - CORE/src/Cache/Engine/FileEngine.php, line 303
Cake\Cache\Engine\FileEngine::clear() - CORE/src/Cache/Engine/FileEngine.php, line 284
Cake\Cache\Engine\FileEngine::gc() - CORE/src/Cache/Engine/FileEngine.php, line 116
Cake\Cache\CacheRegistry::_create() - CORE/src/Cache/CacheRegistry.php, line 98
Cake\Core\ObjectRegistry::load() - CORE/src/Core/ObjectRegistry.php, line 96
DebugKit\Cache\Engine\DebugEngine::init() - ROOT/vendor/cakephp/debug_kit/src/Cache/Engine/DebugEngine.php, line 79
Cake\Cache\CacheRegistry::_create() - CORE/src/Cache/CacheRegistry.php, line 90
Cake\Core\ObjectRegistry::load() - CORE/src/Core/ObjectRegistry.php, line 96
Cake\Cache\Cache::_buildEngine() - CORE/src/Cache/Cache.php, line 170
Cake\Cache\Cache::engine() - CORE/src/Cache/Cache.php, line 228
Cake\Cache\Cache::read() - CORE/src/Cache/Cache.php, line 356
App\Controller\AppController::beforeRender() - APP/Controller/AppController.php, line 169
Cake\Event\EventManager::_callListener() - CORE/src/Event/EventManager.php, line 416
Cake\Event\EventManager::dispatch() - CORE/src/Event/EventManager.php, line 393
Cake\Controller\Controller::dispatchEvent() - CORE/src/Event/EventDispatcherTrait.php, line 110
Cake\Controller\Controller::render() - CORE/src/Controller/Controller.php, line 610
Cake\Http\ActionDispatcher::_invoke() - CORE/src/Http/ActionDispatcher.php, line 125
Cake\Http\ActionDispatcher::dispatch() - CORE/src/Http/ActionDispatcher.php, line 93
Cake\Http\BaseApplication::__invoke() - CORE/src/Http/BaseApplication.php, line 108
Cake\Http\Runner::__invoke() - CORE/src/Http/Runner.php, line 65
Cake\Http\Middleware\EncryptedCookieMiddleware::__invoke() - CORE/src/Http/Middleware/EncryptedCookieMiddleware.php, line 89
Cake\Http\Runner::__invoke() - CORE/src/Http/Runner.php, line 65
Cake\Http\Middleware\CsrfProtectionMiddleware::__invoke() - CORE/src/Http/Middleware/CsrfProtectionMiddleware.php, line 106
App\Application::App\{closure}() - APP/Application.php, line 93
Cake\Http\Runner::__invoke() - CORE/src/Http/Runner.php, line 65
Cake\Http\Middleware\SecurityHeadersMiddleware::__invoke() - CORE/src/Http/Middleware/SecurityHeadersMiddleware.php, line 176
Cake\Http\Runner::__invoke() - CORE/src/Http/Runner.php, line 65
Cake\Routing\Middleware\RoutingMiddleware::__invoke() - CORE/src/Routing/Middleware/RoutingMiddleware.php, line 104
Cake\Http\Runner::__invoke() - CORE/src/Http/Runner.php, line 65
Cake\Routing\Middleware\AssetMiddleware::__invoke() - CORE/src/Routing/Middleware/AssetMiddleware.php, line 88
Cake\Http\Runner::__invoke() - CORE/src/Http/Runner.php, line 65
Cake\Error\Middleware\ErrorHandlerMiddleware::__invoke() - CORE/src/Error/Middleware/ErrorHandlerMiddleware.php, line 98
Cake\Http\Runner::__invoke() - CORE/src/Http/Runner.php, line 65
Cake\Http\Middleware\EncryptedCookieMiddleware::__invoke() - CORE/src/Http/Middleware/EncryptedCookieMiddleware.php, line 89
Cake\Http\Runner::__invoke() - CORE/src/Http/Runner.php, line 65
DebugKit\Middleware\DebugKitMiddleware::__invoke() - ROOT/vendor/cakephp/debug_kit/src/Middleware/DebugKitMiddleware.php, line 52
Cake\Http\Runner::__invoke() - CORE/src/Http/Runner.php, line 65
Cake\Http\Runner::run() - CORE/src/Http/Runner.php, line 51
Cake\Http\Server::run() - CORE/src/Http/Server.php, line 81
[main] - ROOT/webroot/index.php, line 40

I would be grateful for any hint.


Solution

Thanks to @ndm I was able to find the reason for this behavior and a solution. It happens because of traffic under certain conditions: multiple requests put the file in the delete queue, and after the first request deletes the file, the others fail. getRealPath() returns false, which then has / appended, so the resulting path is /.

Worst-case scenario if no basedir restriction is in place (quoting @ndm): all files that the webserver user has permission to delete in / (which usually should be none) would be deleted.

Solution 1 (recommended): Update your Cake app with patch 3.9.7 or 4.2.4

Solution 2: Manually fix the code to check that getRealPath() does not return false



Answered By - Vojtěch Šalda
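
The race described in the answer, reduced to a stand-alone PHP script (an added example, not code from the original post or from CakePHP): unsafeDirPath() reproduces the false-plus-separator result, and safeDirPath() shows the kind of check Solution 2 asks for. The function names and the temporary directory layout are hypothetical.

```php
<?php
// Added illustration, not CakePHP source. Function names and the temporary
// directory layout are hypothetical, constructed for this example.

// Unsafe pattern: getRealPath() returns false once the entry is gone, and
// false . DIRECTORY_SEPARATOR evaluates to just the separator ("/" on Unix).
function unsafeDirPath(SplFileInfo $entry): string
{
    return $entry->getRealPath() . DIRECTORY_SEPARATOR;
}

// Hardened pattern: skip entries that vanished, and refuse any path that
// does not resolve to a location below the cache root.
function safeDirPath(SplFileInfo $entry, string $cacheRoot): ?string
{
    $real = $entry->getRealPath();
    $root = realpath($cacheRoot);
    if ($real === false || $root === false) {
        return null; // removed by a concurrent request, nothing to clear
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $candidate = $real . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolves outside the cache directory
    }
    return $candidate;
}

// Constructed scenario: one cache subdirectory that two requests both listed.
$cacheRoot = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cache_demo_' . bin2hex(random_bytes(4));
$group = $cacheRoot . DIRECTORY_SEPARATOR . 'group_a';
mkdir($group, 0700, true);
$entry = new SplFileInfo($group);

echo 'before delete, safe:   ', var_export(safeDirPath($entry, $cacheRoot), true), PHP_EOL;

rmdir($group);          // the "first request" removes the directory
clearstatcache(true);   // drop cached stat/realpath data

echo 'after delete, unsafe: ', var_export(unsafeDirPath($entry), true), PHP_EOL;
echo 'after delete, safe:   ', var_export(safeDirPath($entry, $cacheRoot), true), PHP_EOL;

rmdir($cacheRoot);      // clean up the constructed directory
```

The containment check against the cache root is an extra guard beyond the false check; it keeps a recursive clear inside the configured directory even when open_basedir is not set.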