New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Invalid template files for every vendor templates #8368
Comments
I found the same bug but in a different scenario. |
Hi, @lumiru. Internal ticket MAGETWO-71178, which tracks this GitHub issue, is in our issue backlog. |
@lumiru, thank you for your report. |
At first sight it looks like there is nothing to fix here. No files must be accessed outside of Magento base path and this behavior is intentional. Otherwise in case of a mistake in some module code it would be possible to read sensitive system files.
Read a path starting from slash is never a good idea. Is there any use case not covered by https://magento.stackexchange.com/a/95095 answer? |
I also encountered this issue while trying to move the vendor dir to a path outside Magento's root (/app-vendor specifically) in my Docker container. I understand the security reason for this restriction, but should we maybe allow it to have access to templates inside the vendor dir? |
There are a number of reasons for moving the vendor directory outside of the Magento Root. It's worth seeing if the can be specified as an option, just like the directories specified in the $_SERVER variables: e.g.: In testing environments, it's quite easy to setup a shared codebase, with multiple databases (just change the $_SERVER["MAGE_DIRS"]['etc']["path"] for debugging different db configuration variables). But using that causes a lot of issues with media writing (it relys on the BP to be unaltered). We've found it troublesome to try and run that without modification, and we run into vendor validation issues the moment we change the base path outside of where the vendor directory is. |
Current behavior is intentional and it should not be changed, there were a bunch of such reports before, for example, #15252 (comment). |
Preconditions
Steps to reproduce
ln -s /srv/magento/vendor /var/www/vendor
).Expected result
Actual result
What has happened?
When I debug this issue, I found
$this->isPathInDirectories($filename, $this->moduleDirs)
returns true but$this->getRootDirectory()->isFile($this->getRootDirectory()->getRelativePath($filename))
returns false inMagento\Framework\View\Element\Template\File\Validator::isValid
, whether the file exists or not.When I go deeper, I see
return $this->driver->isFile($this->driver->getAbsolutePath($this->path, $path));
inMagento\Framework\Filesystem\Directory\Read::isFile($path)
. So the complete parameter forMagento\Framework\Filesystem\Driver\File:isFile
isFile::getAbsolutePath('/var/www', File::getRelativePath('/var/www/', '/srv/magento/vendor/magento/module-backend/view/adminhtml/templates/admin/login.phtml'));
.Why not. The issue comes from
File::getAbsolutePath
. Its behaviour is the same if the $path parameter is leaded by a/
or not:However, we cannot easily change this behaviour because it creates new side effects (because some modules uses this feature).
Another way to fix this issue is to modify the
File::getRelativePath
function. Indeed, this function does not returns a relative path if target $path is not leaded by $basePath:The simplest way to fix it is to add as double dots at start as necessary. For example:
But I encourage you to prefer a complete implementation of getRelativePath: http://stackoverflow.com/questions/2637945/getting-relative-path-from-absolute-path-in-php
The text was updated successfully, but these errors were encountered: