Snuffleupagus writable execution of eval'd code ? #409
Comments
Can you please:

Hi,

Hi, I wonder if you had any time to check this? Thanks )

I still have to coordinate with @bef, so this one is still on the backburner for now, sorry :/

This definitely sounds like a bug. Unfortunately I failed to reproduce the error. I suspect some kind of construct like

In the meantime, have you tried the latest head from 2022? Maybe the bug magically disappeared?

On a more general note, having a template system like Twig writing some kind of cache file and then reading the cache file for execution at a later stage is exactly what readonly_exec is trying to prevent in the first place, so even after fixing the bug, Twig most likely won't be running with readonly_exec enabled. Maybe we introduce whitelisted directories, which may be dangerous if configured incorrectly. What do you think @jvoisin?

After some testing I failed to recreate the problem using the current master/head version.

Hi,
I notice that after enabling readonly_exec() I get this kind of error:
Mar 22 12:48:20 xxx snuffleupagus[3179578]: [snuffleupagus][0.0.0.0][Writable execution][log] Error while accessing /xxx/wp-content/plugins/sitepress-multilingual-cms/lib/twig/src/Environment.php(442) : eval()'d code: No such file or directory in /xxx/wp-content/plugins/sitepress-multilingual-cms/lib/twig/src/Environment.php(442) : eval()'d code on line 29
What is Snuffleupagus doing here? In the Environment.php it seems like the plugin is building a sort of template that is then executed with eval(). How can I solve this issue without giving up on readonly_exec()?
Thanks!
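Added example, not code from this thread or from the Snuffleupagus project: a log triage that separates "Writable execution" access errors whose target is PHP's `eval()` pseudo-filename (as in the line quoted in the issue) from those naming a file path, and counts the `eval()` call sites. The function names are hypothetical, and the second and third sample lines are constructed, modelled on the line in the post.

```python
import re
from collections import Counter

# Message layout copied from the log line quoted in the issue.
EVENT_RE = re.compile(
    r"\[snuffleupagus\]\[(?P<ip>[^\]]*)\]\[Writable execution\]\[(?P<level>[^\]]*)\] "
    r"Error while accessing (?P<target>.+?): (?P<error>[^:]+?) "
    r"in (?P<script>.+) on line (?P<line>\d+)$"
)
# PHP names code compiled by eval() "<file>(<line>) : eval()'d code".
EVAL_RE = re.compile(r"^(?P<file>.+)\((?P<line>\d+)\) : eval\(\)'d code$")

def parse_event(raw):
    """Return a dict for a 'Writable execution' access error, else None."""
    m = EVENT_RE.search(raw.strip())
    if not m:
        return None
    event = m.groupdict()
    ev = EVAL_RE.match(event["target"])
    # An eval() pseudo-name is not an on-disk path, so record the call site.
    event["eval_site"] = (ev["file"], int(ev["line"])) if ev else None
    return event

def triage(lines):
    """Split events into eval() call sites (counted) and real file targets."""
    eval_sites, file_targets = Counter(), []
    for raw in lines:
        event = parse_event(raw)
        if event is None:
            continue
        if event["eval_site"]:
            eval_sites[event["eval_site"]] += 1
        else:
            file_targets.append((event["target"], event["error"]))
    return eval_sites, file_targets

# First line: the one from the issue. Second and third: constructed.
SAMPLE = [
    "Mar 22 12:48:20 xxx snuffleupagus[3179578]: [snuffleupagus][0.0.0.0][Writable execution][log] Error while accessing /xxx/wp-content/plugins/sitepress-multilingual-cms/lib/twig/src/Environment.php(442) : eval()'d code: No such file or directory in /xxx/wp-content/plugins/sitepress-multilingual-cms/lib/twig/src/Environment.php(442) : eval()'d code on line 29",
    "Mar 22 12:49:02 xxx snuffleupagus[3179578]: [snuffleupagus][0.0.0.0][Writable execution][log] Error while accessing /xxx/wp-content/cache/missing.php: No such file or directory in /xxx/index.php on line 7",
    "Mar 22 12:49:05 xxx sshd[1]: unrelated line",
]

if __name__ == "__main__":
    sites, files = triage(SAMPLE)
    for (path, line), n in sites.most_common():
        print(f"eval() call site {path}:{line} -> {n} event(s)")
    for target, error in files:
        print(f"file target {target}: {error}")
```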