laravel / horizon

Dashboard and code-driven configuration for Laravel queues.
https://laravel.com/docs/horizon
MIT License

open_basedir restricting horizon dashboard load page #1439

Closed sca1235 closed 2 months ago

sca1235 commented 2 months ago

Horizon Version

5.24.3

Laravel Version

10.48.10

PHP Version

8.2.18

Redis Driver

PhpRedis

Redis Version

6.0

Database Driver & Version

Mysql 8.0

Description

This recent update broke access to the dashboard when using open_basedir ini values.

It seems to be trying to access a nonexistent file in the root of the server. For security purposes, we don't allow PHP access outside of the project.

Steps To Reproduce

  1. Set open_basedir to /var/www:/tmp in php.ini (or whatever paths your Laravel project is in).
  2. Go to /horizon/dashboard.

It seems to be loading the /vendor path from the root of the server.


[previous exception] [object] (ErrorException(code: 0): is_file(): open_basedir restriction in effect. File(/vendor/horizon/nonExistentFile) is not within the allowed path(s): (/var/www:/tmp) at /var/www/laravel/vendor/laravel/framework/src/Illuminate/Foundation/Vite.php:794)
[stacktrace]
#0 /var/www/laravel/vendor/laravel/framework/src/Illuminate/Foundation/Bootstrap/HandleExceptions.php(255): Illuminate\\Foundation\\Bootstrap\\HandleExceptions->handleError(2, 'is_file(): open...', '/var/www/larave...', 794)
#1 [internal function]: Illuminate\\Foundation\\Bootstrap\\HandleExceptions->Illuminate\\Foundation\\Bootstrap\\{closure}(2, 'is_file(): open...', '/var/www/accoun...', 794)
#2 /var/www/laravel/vendor/laravel/framework/src/Illuminate/Foundation/Vite.php(794): is_file('/vendor/horizon...')
#3 /var/www/laravel/vendor/laravel/framework/src/Illuminate/Foundation/Vite.php(669): Illuminate\\Foundation\\Vite->isRunningHot()

It should try to load /var/www/laravel/vendor/horizon/nonExistentFile, not /vendor/horizon/nonExistentFile.

jonathan-bird commented 2 months ago

+1 on this. It's a poor implementation.

francoism90 commented 2 months ago

Any workarounds?

edit:

$nonExistentFileName = '/vendor/horizon/nonExistentFile';

Should be:

$nonExistentFileName = 'vendor/horizon/nonExistentFile';

jonathan-bird commented 2 months ago

You can add a fake path to the base dir until they fix it, or, yes, publish the vendor layout file and change the path, maybe wrapping it in the base path method so it's properly routed.
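An added example, not Horizon's or Laravel's own code, that reproduces the failure mode from the trace above outside the framework and checks the two paths discussed in this thread: the root-relative /vendor/horizon/nonExistentFile and the same path anchored on the project root. It assumes /var/www/laravel as the project root (the path seen in the stack trace) and the helper names openBasedirPrefixes, withinOpenBasedir and probeHotFile are hypothetical; run it with the same restriction the issue describes, e.g. php -d open_basedir=/var/www:/tmp check_open_basedir.php.

```php
<?php
// Added example (not Horizon or Laravel code). It mimics how Laravel's Vite
// helper probes its "hot" file with is_file() and shows why a root-relative
// path trips open_basedir while a base_path()-anchored one does not.
// Run with the restriction from the issue:
//   php -d open_basedir=/var/www:/tmp check_open_basedir.php
// PROJECT_ROOT is an assumption standing in for base_path(); adjust it.

declare(strict_types=1);

const PROJECT_ROOT = '/var/www/laravel';   // assumed project root

/** Split the active open_basedir value into its individual prefixes. */
function openBasedirPrefixes(): array
{
    $value = (string) ini_get('open_basedir');
    if ($value === '') {
        return [];   // no restriction configured
    }

    return array_values(array_filter(array_map('trim', explode(PATH_SEPARATOR, $value))));
}

/**
 * Pre-flight check: is $path under one of the open_basedir prefixes?
 * This is a directory-boundary-aware approximation (slightly stricter than
 * PHP's own prefix match, which treats "/var/www" like "/var/www*").
 */
function withinOpenBasedir(string $path, array $prefixes): bool
{
    if ($prefixes === []) {
        return true;   // unrestricted
    }
    foreach ($prefixes as $prefix) {
        $prefix = rtrim($prefix, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (str_starts_with($path . DIRECTORY_SEPARATOR, $prefix)) {
            return true;
        }
    }

    return false;
}

/**
 * Mimic Laravel's HandleExceptions bootstrap: the E_WARNING that is_file()
 * raises under open_basedir is promoted to an ErrorException, which is what
 * turns a harmless "file not found" into a broken dashboard page.
 */
function probeHotFile(string $hotFile): string
{
    set_error_handler(static function (int $errno, string $errstr): bool {
        throw new ErrorException($errstr, 0, $errno);
    });
    try {
        return is_file($hotFile) ? 'hot file present' : 'hot file absent, no error';
    } catch (ErrorException $e) {
        return 'ErrorException: ' . $e->getMessage();
    } finally {
        restore_error_handler();
    }
}

$prefixes = openBasedirPrefixes();
$candidates = [
    // Root-relative: PHP resolves it from "/", i.e. outside the project.
    'root-relative' => '/vendor/horizon/nonExistentFile',
    // The workaround from the thread: anchor the relative path on the project root.
    'base_path()'   => PROJECT_ROOT . '/vendor/horizon/nonExistentFile',
];

foreach ($candidates as $label => $path) {
    printf("%-14s %s\n", $label, $path);
    printf("  within open_basedir: %s\n", withinOpenBasedir($path, $prefixes) ? 'yes' : 'no');
    printf("  is_file() verdict:   %s\n", probeHotFile($path));
}
```

With open_basedir set to /var/www:/tmp the root-relative candidate reports "within open_basedir: no" and an ErrorException carrying the same "open_basedir restriction in effect" message as the trace, while the base_path() candidate reports "hot file absent, no error", which is the behaviour the dashboard needs. Without open_basedir both candidates pass, which is why the bug only surfaces on hardened hosts.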

driesvints commented 2 months ago

This is now fixed in v5.24.4