search

nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0
27.46k stars 4.08k forks source link

The `findBinaryPath()` in `OC_Helper` tries to access paths outside of `open_basedir` #26844

Closed christian-eriksson closed 3 years ago

christian-eriksson commented 3 years ago

How to use GitHub

Steps to reproduce

  1. in your php.ini file set the open_basedir directive. Something like 
    open_basedir = /var/www/:/tmp/:/var/tmp/:/var/cache/:/var/lib/php/:/usr/share/webapps/php-apcu/:/var/lib/phptmp/:/var/lib/nextcloud/:/usr/bin/ffmpeg:/usr/bin/sendmail:/usr/bin/smbclient:<path-to-nextcloud-data>

    seems reasonable for nextcloud.

  2. restart the PHP FastCGI process manager 
    systemctl restart php-fpm
  3. wait until, for example, PreviewManager.php runs (I'm not totally sure when this is but it seems to be about every 10-15min), I'm not sure if there needs to be new uploads or something similar either.
  4. you should see some errors (see below) either in the admin view or in the nexcloud.log regarding open_basedir resriction in effect.

Expected behaviour

There shouldn't be any errors in the log indicating that nextcloud tries to access paths outside of open_basedir, especially if it actually got a hold on the binary it was looking for. It would be nice if it didn't try to access anything outside open_basedir at all (if set), but it should at least not be showing it in the log, since it clogs up the logs and is potentially confusing end users and might be hiding actuall errors (like if it couldn't find the binanry).

(there is no "real" error as Nextcloud finds the sought file as long as it's within the file trees allowed in the open_basedir and can continue execution as far as I understand.)

Actual behaviour

Instead we see a bunch of logs lilke:

{
  "reqId": "7jkFEzhubXsyTBw2Fk4T",
  "level": 3,
  "time": "2021-04-30T18:48:36+00:00",
  "remoteAddr": "192.168.11.1",
  "user": "username",
  "app": "PHP",
  "method": "PROPFIND",
  "url": "/some/file/path",
  "message": {
    "Exception": "Error",
    "Message": "is_dir(): open_basedir restriction in effect. File(/opt/bin) is not within the allowed path(s): (/var/www/:/tmp/:/var/tmp/:/var/cache/:/var/lib/php/:/usr/share/webapps/php-apcu/:/var/lib/phptmp/:/var/lib/nextcloud/:/usr/bin/ffmpeg:/usr/bin/sendmail:/usr/bin/smbclient:<path-to-nextcloud-data>) at /var/www/nextcloud/3rdparty/symfony/process/ExecutableFinder.php#62",
    "Code": 0,
    "Trace": [
      {
        "function": "onError",
        "class": "OC\\Log\\ErrorHandler",
        "type": "::"
      },
      {
        "file": "/var/www/nextcloud/3rdparty/symfony/process/ExecutableFinder.php",
        "line": 62,
        "function": "is_dir"
      },
      {
        "file": "/var/www/nextcloud/lib/private/legacy/OC_Helper.php",
        "line": 479,
        "function": "find",
        "class": "Symfony\\Component\\Process\\ExecutableFinder",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/lib/private/PreviewManager.php",
        "line": 424,
        "function": "findBinaryPath",
        "class": "OC_Helper",
        "type": "::"
      },
      {
        "file": "/var/www/nextcloud/lib/private/PreviewManager.php",
        "line": 246,
        "function": "registerCoreProviders",
        "class": "OC\\PreviewManager",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/apps/dav/lib/Connector/Sabre/FilesPlugin.php",
        "line": 361,
        "function": "isAvailable",
        "class": "OC\\PreviewManager",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/PropFind.php",
        "line": 95,
        "function": "OCA\\DAV\\Connector\\Sabre\\{closure}",
        "class": "OCA\\DAV\\Connector\\Sabre\\FilesPlugin",
        "type": "->",
        "args": [
          "*** sensitive parameters replaced ***"
        ]
      },
      {
        "file": "/var/www/nextcloud/apps/dav/lib/Connector/Sabre/FilesPlugin.php",
        "line": 362,
        "function": "handle",
        "class": "Sabre\\DAV\\PropFind",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php",
        "line": 89,
        "function": "handleGetProperties",
        "class": "OCA\\DAV\\Connector\\Sabre\\FilesPlugin",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 1052,
        "function": "emit",
        "class": "Sabre\\DAV\\Server",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 984,
        "function": "getPropertiesByNode",
        "class": "Sabre\\DAV\\Server",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 1661,
        "function": "getPropertiesIteratorForPath",
        "class": "Sabre\\DAV\\Server",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 1646,
        "function": "writeMultiStatus",
        "class": "Sabre\\DAV\\Server",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php",
        "line": 346,
        "function": "generateMultiStatus",
        "class": "Sabre\\DAV\\Server",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php",
        "line": 89,
        "function": "httpPropFind",
        "class": "Sabre\\DAV\\CorePlugin",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 472,
        "function": "emit",
        "class": "Sabre\\DAV\\Server",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 253,
        "function": "invokeMethod",
        "class": "Sabre\\DAV\\Server",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php",
        "line": 321,
        "function": "start",
        "class": "Sabre\\DAV\\Server",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php",
        "line": 84,
        "function": "exec",
        "class": "Sabre\\DAV\\Server",
        "type": "->"
      },
      {
        "file": "/var/www/nextcloud/remote.php",
        "line": 167,
        "args": [
          "/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php"
        ],
        "function": "require_once"
      }
    ],
    "File": "/var/www/nextcloud/lib/private/Log/ErrorHandler.php",
    "Line": 92,
    "CustomMessage": "--"
  },
  "userAgent": "Mozilla/5.0 (Android) Nextcloud-android/3.15.1",
  "version": "21.0.1.1",
  "id": "343h539865193"
}

The logs refer to these files it cannot find because they aren't in the allowed paths:

/usr/local/sbin
/usr/local/bin 
/usr/sbin
/usr/bin
/sbin
/bin
/opt/bin

apart from that the log entries are the same and repeats every time PreviewManager.php runs.

Server configuration

Operating system: Arch

Web server: nginx/1.20

Database: MariaDB 15.1

PHP version: 8.0.5

Nextcloud version: 21.0.1

Updated from an older Nextcloud/ownCloud or fresh install: Updated from Nextcloud 20.x.x

Where did you install Nextcloud from:

Signing status:

Signing status No errors have been found.

List of activated apps:

App list Enabled: - accessibility: 1.7.0 - activity: 2.14.3 - cloud_federation_api: 1.4.0 - comments: 1.11.0 - contactsinteraction: 1.2.0 - dashboard: 7.1.0 - dav: 1.17.1 - federatedfilesharing: 1.11.0 - federation: 1.11.0 - files: 1.16.0 - files_pdfviewer: 2.1.0 - files_rightclick: 1.0.0 - files_sharing: 1.13.1 - files_trashbin: 1.11.0 - files_versions: 1.14.0 - files_videoplayer: 1.10.0 - firstrunwizard: 2.10.0 - logreader: 2.6.0 - lookup_server_connector: 1.9.0 - nextcloud_announcements: 1.10.0 - notifications: 2.9.0 - oauth2: 1.9.0 - password_policy: 1.11.0 - photos: 1.3.0 - privacy: 1.5.0 - provisioning_api: 1.11.0 - recommendations: 1.0.0 - richdocuments: 4.0.4 - serverinfo: 1.11.0 - settings: 1.3.0 - sharebymail: 1.11.0 - support: 1.4.0 - survey_client: 1.9.0 - systemtags: 1.11.0 - tasks: 0.13.6 - text: 3.2.0 - theming: 1.12.0 - twofactor_backupcodes: 1.10.0 - updatenotification: 1.11.0 - user_status: 1.1.1 - viewer: 1.5.0 - weather_status: 1.1.0 - workflowengine: 2.3.0 Disabled: - admin_audit - bruteforcesettings - encryption - files_antivirus - files_external - previewgenerator - user_ldap

Nextcloud configuration:

Config report ``` { "system": { "passwordsalt": "***REMOVED SENSITIVE VALUE***", "secret": "***REMOVED SENSITIVE VALUE***", "trusted_domains": [ "localhost", "*" ], "datadirectory": "***REMOVED SENSITIVE VALUE***", "hashingThreads": 4, "dbtype": "mysql", "version": "21.0.1.1", "memcache.local": "\\OC\\Memcache\\APCu", "memcache.distributed": "\\OC\\Memcache\\Redis", "filelocking.enabled": true, "memcache.locking": "\\OC\\Memcache\\Redis", "redis": { "host": "***REMOVED SENSITIVE VALUE***", "port": 0, "dbindex": 0, "timeout": 0 }, "overwrite.cli.url": "https:\/\/example.com", "dbname": "***REMOVED SENSITIVE VALUE***", "dbhost": "***REMOVED SENSITIVE VALUE***", "dbport": "", "dbtableprefix": "oc_", "mysql.utf8mb4": true, "dbuser": "***REMOVED SENSITIVE VALUE***", "dbpassword": "***REMOVED SENSITIVE VALUE***", "installed": true, "instanceid": "***REMOVED SENSITIVE VALUE***", "maintenance": false, "mail_smtpmode": "smtp", "mail_smtpsecure": "ssl", "mail_sendmailmode": "smtp", "mail_from_address": "***REMOVED SENSITIVE VALUE***", "mail_domain": "***REMOVED SENSITIVE VALUE***", "mail_smtpauth": 1, "mail_smtpport": "465", "mail_smtphost": "***REMOVED SENSITIVE VALUE***", "mail_smtpauthtype": "LOGIN", "mail_smtpname": "***REMOVED SENSITIVE VALUE***", "mail_smtppassword": "***REMOVED SENSITIVE VALUE***", "default_phone_region": "SE", "log_type": "file", "logfile": "\/var\/lib\/nextcloud\/nextcloud.log", "logfilemode": 416, "loglevel": 2, "preview_libreoffice_path": "\/usr\/bin\/libreoffice", "enable_previews": true, "enabledPreviewProviders": [ "OC\\Preview\\TXT", "OC\\Preview\\MarkDown", "OC\\Preview\\MSOffice2003", "OC\\Preview\\MSOffice2007", "OC\\Preview\\MSOfficeDoc", "OC\\Preview\\OpenDocument", "OC\\Preview\\StarOffice", "OC\\Preview\\PDF", "OC\\Preview\\Image", "OC\\Preview\\Photoshop", "OC\\Preview\\Illustrator", "OC\\Preview\\Postscript", "OC\\Preview\\TIFF", "OC\\Preview\\Font", "OC\\Preview\\MP3", "OC\\Preview\\Movie", "OC\\Preview\\MKV", "OC\\Preview\\MP4", "OC\\Preview\\AVI" ], "theme": "" } } ```

Are you using external storage, if yes which one: no

Are you using encryption: no

Are you using an external user-backend, if yes which one: no

Client configuration

Browser: Firefox 87

Operating system: Ubuntu 18.04

Mobile Client: Android App 3.15.1

Logs

Nextcloud log (data/nextcloud.log)

Nextcloud log ``` {"reqId":"4kdvflfH2p7DoOTbSKh8","level":3,"time":"2021-04-30T19:05:58+00:00","remoteAddr":"192.168.11.1","user":"username","app":"PHP","method":"PROPFIND","url":"/path/to/some/file","message":{"Exception":"Error","Message":"is_dir(): open_basedir restriction in effect. File(/usr/local/sbin) is not within the allowed path(s): (/var/www/:/tmp/:/var/tmp/:/var/cache/:/var/lib/php/:/usr/share/webapps/php-apcu/:/var/lib/phptmp/:/mnt/data/nextcloud/:/var/lib/nextcloud/:/usr/bin/ffmpeg:/usr/bin/sendmail:/usr/bin/smbclient) at /var/www/nextcloud/3rdparty/symfony/process/ExecutableFinder.php#62","Code":0,"Trace":[{"function":"onError","class":"OC\\Log\\ErrorHandler","type":"::"},{"file":"/var/www/nextcloud/3rdparty/symfony/process/ExecutableFinder.php","line":62,"function":"is_dir"},{"file":"/var/www/nextcloud/lib/private/legacy/OC_Helper.php","line":479,"function":"find","class":"Symfony\\Component\\Process\\ExecutableFinder","type":"->"},{"file":"/var/www/nextcloud/lib/private/PreviewManager.php","line":424,"function":"findBinaryPath","class":"OC_Helper","type":"::"},{"file":"/var/www/nextcloud/lib/private/PreviewManager.php","line":246,"function":"registerCoreProviders","class":"OC\\PreviewManager","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/FilesPlugin.php","line":361,"function":"isAvailable","class":"OC\\PreviewManager","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/PropFind.php","line":95,"function":"OCA\\DAV\\Connector\\Sabre\\{closure}","class":"OCA\\DAV\\Connector\\Sabre\\FilesPlugin","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/FilesPlugin.php","line":362,"function":"handle","class":"Sabre\\DAV\\PropFind","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"handleGetProperties","class":"OCA\\DAV\\Connector\\Sabre\\FilesPlugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1052,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":984,"function":"getPropertiesByNode","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1661,"function":"getPropertiesIteratorForPath","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1646,"function":"writeMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php","line":346,"function":"generateMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"httpPropFind","class":"Sabre\\DAV\\CorePlugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php","line":84,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/remote.php","line":167,"args":["/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php"],"function":"require_once"}],"File":"/var/www/nextcloud/lib/private/Log/ErrorHandler.php","Line":92,"CustomMessage":"--"},"userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.15.1","version":"21.0.1.1"} {"reqId":"4kdvflfH2p7DoOTbSKh8","level":3,"time":"2021-04-30T19:05:58+00:00","remoteAddr":"192.168.11.1","user":"username","app":"PHP","method":"PROPFIND","url":"/path/to/some/file","message":{"Exception":"Error","Message":"is_dir(): open_basedir restriction in effect. File(/usr/local/bin) is not within the allowed path(s): (/var/www/:/tmp/:/var/tmp/:/var/cache/:/var/lib/php/:/usr/share/webapps/php-apcu/:/var/lib/phptmp/:/mnt/data/nextcloud/:/var/lib/nextcloud/:/usr/bin/ffmpeg:/usr/bin/sendmail:/usr/bin/smbclient) at /var/www/nextcloud/3rdparty/symfony/process/ExecutableFinder.php#62","Code":0,"Trace":[{"function":"onError","class":"OC\\Log\\ErrorHandler","type":"::"},{"file":"/var/www/nextcloud/3rdparty/symfony/process/ExecutableFinder.php","line":62,"function":"is_dir"},{"file":"/var/www/nextcloud/lib/private/legacy/OC_Helper.php","line":479,"function":"find","class":"Symfony\\Component\\Process\\ExecutableFinder","type":"->"},{"file":"/var/www/nextcloud/lib/private/PreviewManager.php","line":424,"function":"findBinaryPath","class":"OC_Helper","type":"::"},{"file":"/var/www/nextcloud/lib/private/PreviewManager.php","line":246,"function":"registerCoreProviders","class":"OC\\PreviewManager","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/FilesPlugin.php","line":361,"function":"isAvailable","class":"OC\\PreviewManager","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/PropFind.php","line":95,"function":"OCA\\DAV\\Connector\\Sabre\\{closure}","class":"OCA\\DAV\\Connector\\Sabre\\FilesPlugin","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/FilesPlugin.php","line":362,"function":"handle","class":"Sabre\\DAV\\PropFind","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"handleGetProperties","class":"OCA\\DAV\\Connector\\Sabre\\FilesPlugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1052,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":984,"function":"getPropertiesByNode","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1661,"function":"getPropertiesIteratorForPath","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1646,"function":"writeMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php","line":346,"function":"generateMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"httpPropFind","class":"Sabre\\DAV\\CorePlugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php","line":84,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/remote.php","line":167,"args":["/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php"],"function":"require_once"}],"File":"/var/www/nextcloud/lib/private/Log/ErrorHandler.php","Line":92,"CustomMessage":"--"},"userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.15.1","version":"21.0.1.1"} {"reqId":"4kdvflfH2p7DoOTbSKh8","level":3,"time":"2021-04-30T19:05:58+00:00","remoteAddr":"192.168.11.1","user":"username","app":"PHP","method":"PROPFIND","url":"/path/to/some/file","message":{"Exception":"Error","Message":"is_dir(): open_basedir restriction in effect. File(/usr/sbin) is not within the allowed path(s): (/var/www/:/tmp/:/var/tmp/:/var/cache/:/var/lib/php/:/usr/share/webapps/php-apcu/:/var/lib/phptmp/:/mnt/data/nextcloud/:/var/lib/nextcloud/:/usr/bin/ffmpeg:/usr/bin/sendmail:/usr/bin/smbclient) at /var/www/nextcloud/3rdparty/symfony/process/ExecutableFinder.php#62","Code":0,"Trace":[{"function":"onError","class":"OC\\Log\\ErrorHandler","type":"::"},{"file":"/var/www/nextcloud/3rdparty/symfony/process/ExecutableFinder.php","line":62,"function":"is_dir"},{"file":"/var/www/nextcloud/lib/private/legacy/OC_Helper.php","line":479,"function":"find","class":"Symfony\\Component\\Process\\ExecutableFinder","type":"->"},{"file":"/var/www/nextcloud/lib/private/PreviewManager.php","line":424,"function":"findBinaryPath","class":"OC_Helper","type":"::"},{"file":"/var/www/nextcloud/lib/private/PreviewManager.php","line":246,"function":"registerCoreProviders","class":"OC\\PreviewManager","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/FilesPlugin.php","line":361,"function":"isAvailable","class":"OC\\PreviewManager","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/PropFind.php","line":95,"function":"OCA\\DAV\\Connector\\Sabre\\{closure}","class":"OCA\\DAV\\Connector\\Sabre\\FilesPlugin","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/FilesPlugin.php","line":362,"function":"handle","class":"Sabre\\DAV\\PropFind","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"handleGetProperties","class":"OCA\\DAV\\Connector\\Sabre\\FilesPlugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1052,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":984,"function":"getPropertiesByNode","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1661,"function":"getPropertiesIteratorForPath","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1646,"function":"writeMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php","line":346,"function":"generateMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"httpPropFind","class":"Sabre\\DAV\\CorePlugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php","line":84,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/remote.php","line":167,"args":["/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php"],"function":"require_once"}],"File":"/var/www/nextcloud/lib/private/Log/ErrorHandler.php","Line":92,"CustomMessage":"--"},"userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.15.1","version":"21.0.1.1"} {"reqId":"4kdvflfH2p7DoOTbSKh8","level":3,"time":"2021-04-30T19:05:58+00:00","remoteAddr":"192.168.11.1","user":"username","app":"PHP","method":"PROPFIND","url":"/path/to/some/file","message":{"Exception":"Error","Message":"is_dir(): open_basedir restriction in effect. File(/usr/bin) is not within the allowed path(s): (/var/www/:/tmp/:/var/tmp/:/var/cache/:/var/lib/php/:/usr/share/webapps/php-apcu/:/var/lib/phptmp/:/mnt/data/nextcloud/:/var/lib/nextcloud/:/usr/bin/ffmpeg:/usr/bin/sendmail:/usr/bin/smbclient) at /var/www/nextcloud/3rdparty/symfony/process/ExecutableFinder.php#62","Code":0,"Trace":[{"function":"onError","class":"OC\\Log\\ErrorHandler","type":"::"},{"file":"/var/www/nextcloud/3rdparty/symfony/process/ExecutableFinder.php","line":62,"function":"is_dir"},{"file":"/var/www/nextcloud/lib/private/legacy/OC_Helper.php","line":479,"function":"find","class":"Symfony\\Component\\Process\\ExecutableFinder","type":"->"},{"file":"/var/www/nextcloud/lib/private/PreviewManager.php","line":424,"function":"findBinaryPath","class":"OC_Helper","type":"::"},{"file":"/var/www/nextcloud/lib/private/PreviewManager.php","line":246,"function":"registerCoreProviders","class":"OC\\PreviewManager","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/FilesPlugin.php","line":361,"function":"isAvailable","class":"OC\\PreviewManager","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/PropFind.php","line":95,"function":"OCA\\DAV\\Connector\\Sabre\\{closure}","class":"OCA\\DAV\\Connector\\Sabre\\FilesPlugin","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/FilesPlugin.php","line":362,"function":"handle","class":"Sabre\\DAV\\PropFind","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"handleGetProperties","class":"OCA\\DAV\\Connector\\Sabre\\FilesPlugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1052,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":984,"function":"getPropertiesByNode","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1661,"function":"getPropertiesIteratorForPath","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1646,"function":"writeMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php","line":346,"function":"generateMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"httpPropFind","class":"Sabre\\DAV\\CorePlugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php","line":84,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/remote.php","line":167,"args":["/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php"],"function":"require_once"}],"File":"/var/www/nextcloud/lib/private/Log/ErrorHandler.php","Line":92,"CustomMessage":"--"},"userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.15.1","version":"21.0.1.1"} {"reqId":"4kdvflfH2p7DoOTbSKh8","level":3,"time":"2021-04-30T19:05:58+00:00","remoteAddr":"192.168.11.1","user":"username","app":"PHP","method":"PROPFIND","url":"/path/to/some/file","message":{"Exception":"Error","Message":"is_dir(): open_basedir restriction in effect. File(/sbin) is not within the allowed path(s): (/var/www/:/tmp/:/var/tmp/:/var/cache/:/var/lib/php/:/usr/share/webapps/php-apcu/:/var/lib/phptmp/:/mnt/data/nextcloud/:/var/lib/nextcloud/:/usr/bin/ffmpeg:/usr/bin/sendmail:/usr/bin/smbclient) at /var/www/nextcloud/3rdparty/symfony/process/ExecutableFinder.php#62","Code":0,"Trace":[{"function":"onError","class":"OC\\Log\\ErrorHandler","type":"::"},{"file":"/var/www/nextcloud/3rdparty/symfony/process/ExecutableFinder.php","line":62,"function":"is_dir"},{"file":"/var/www/nextcloud/lib/private/legacy/OC_Helper.php","line":479,"function":"find","class":"Symfony\\Component\\Process\\ExecutableFinder","type":"->"},{"file":"/var/www/nextcloud/lib/private/PreviewManager.php","line":424,"function":"findBinaryPath","class":"OC_Helper","type":"::"},{"file":"/var/www/nextcloud/lib/private/PreviewManager.php","line":246,"function":"registerCoreProviders","class":"OC\\PreviewManager","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/FilesPlugin.php","line":361,"function":"isAvailable","class":"OC\\PreviewManager","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/PropFind.php","line":95,"function":"OCA\\DAV\\Connector\\Sabre\\{closure}","class":"OCA\\DAV\\Connector\\Sabre\\FilesPlugin","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/FilesPlugin.php","line":362,"function":"handle","class":"Sabre\\DAV\\PropFind","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"handleGetProperties","class":"OCA\\DAV\\Connector\\Sabre\\FilesPlugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1052,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":984,"function":"getPropertiesByNode","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1661,"function":"getPropertiesIteratorForPath","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1646,"function":"writeMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php","line":346,"function":"generateMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"httpPropFind","class":"Sabre\\DAV\\CorePlugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php","line":84,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/remote.php","line":167,"args":["/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php"],"function":"require_once"}],"File":"/var/www/nextcloud/lib/private/Log/ErrorHandler.php","Line":92,"CustomMessage":"--"},"userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.15.1","version":"21.0.1.1"} {"reqId":"4kdvflfH2p7DoOTbSKh8","level":3,"time":"2021-04-30T19:05:58+00:00","remoteAddr":"192.168.11.1","user":"username","app":"PHP","method":"PROPFIND","url":"/path/to/some/file","message":{"Exception":"Error","Message":"is_dir(): open_basedir restriction in effect. File(/bin) is not within the allowed path(s): (/var/www/:/tmp/:/var/tmp/:/var/cache/:/var/lib/php/:/usr/share/webapps/php-apcu/:/var/lib/phptmp/:/mnt/data/nextcloud/:/var/lib/nextcloud/:/usr/bin/ffmpeg:/usr/bin/sendmail:/usr/bin/smbclient) at /var/www/nextcloud/3rdparty/symfony/process/ExecutableFinder.php#62","Code":0,"Trace":[{"function":"onError","class":"OC\\Log\\ErrorHandler","type":"::"},{"file":"/var/www/nextcloud/3rdparty/symfony/process/ExecutableFinder.php","line":62,"function":"is_dir"},{"file":"/var/www/nextcloud/lib/private/legacy/OC_Helper.php","line":479,"function":"find","class":"Symfony\\Component\\Process\\ExecutableFinder","type":"->"},{"file":"/var/www/nextcloud/lib/private/PreviewManager.php","line":424,"function":"findBinaryPath","class":"OC_Helper","type":"::"},{"file":"/var/www/nextcloud/lib/private/PreviewManager.php","line":246,"function":"registerCoreProviders","class":"OC\\PreviewManager","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/FilesPlugin.php","line":361,"function":"isAvailable","class":"OC\\PreviewManager","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/PropFind.php","line":95,"function":"OCA\\DAV\\Connector\\Sabre\\{closure}","class":"OCA\\DAV\\Connector\\Sabre\\FilesPlugin","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/FilesPlugin.php","line":362,"function":"handle","class":"Sabre\\DAV\\PropFind","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"handleGetProperties","class":"OCA\\DAV\\Connector\\Sabre\\FilesPlugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1052,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":984,"function":"getPropertiesByNode","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1661,"function":"getPropertiesIteratorForPath","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1646,"function":"writeMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php","line":346,"function":"generateMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"httpPropFind","class":"Sabre\\DAV\\CorePlugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php","line":84,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/remote.php","line":167,"args":["/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php"],"function":"require_once"}],"File":"/var/www/nextcloud/lib/private/Log/ErrorHandler.php","Line":92,"CustomMessage":"--"},"userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.15.1","version":"21.0.1.1"} {"reqId":"4kdvflfH2p7DoOTbSKh8","level":3,"time":"2021-04-30T19:05:58+00:00","remoteAddr":"192.168.11.1","user":"username","app":"PHP","method":"PROPFIND","url":"/path/to/some/file","message":{"Exception":"Error","Message":"is_dir(): open_basedir restriction in effect. File(/opt/bin) is not within the allowed path(s): (/var/www/:/tmp/:/var/tmp/:/var/cache/:/var/lib/php/:/usr/share/webapps/php-apcu/:/var/lib/phptmp/:/mnt/data/nextcloud/:/var/lib/nextcloud/:/usr/bin/ffmpeg:/usr/bin/sendmail:/usr/bin/smbclient) at /var/www/nextcloud/3rdparty/symfony/process/ExecutableFinder.php#62","Code":0,"Trace":[{"function":"onError","class":"OC\\Log\\ErrorHandler","type":"::"},{"file":"/var/www/nextcloud/3rdparty/symfony/process/ExecutableFinder.php","line":62,"function":"is_dir"},{"file":"/var/www/nextcloud/lib/private/legacy/OC_Helper.php","line":479,"function":"find","class":"Symfony\\Component\\Process\\ExecutableFinder","type":"->"},{"file":"/var/www/nextcloud/lib/private/PreviewManager.php","line":424,"function":"findBinaryPath","class":"OC_Helper","type":"::"},{"file":"/var/www/nextcloud/lib/private/PreviewManager.php","line":246,"function":"registerCoreProviders","class":"OC\\PreviewManager","type":"->"},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/FilesPlugin.php","line":361,"function":"isAvailable","class":"OC\\PreviewManager","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/PropFind.php","line":95,"function":"OCA\\DAV\\Connector\\Sabre\\{closure}","class":"OCA\\DAV\\Connector\\Sabre\\FilesPlugin","type":"->","args":["*** sensitive parameters replaced ***"]},{"file":"/var/www/nextcloud/apps/dav/lib/Connector/Sabre/FilesPlugin.php","line":362,"function":"handle","class":"Sabre\\DAV\\PropFind","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"handleGetProperties","class":"OCA\\DAV\\Connector\\Sabre\\FilesPlugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1052,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":984,"function":"getPropertiesByNode","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1661,"function":"getPropertiesIteratorForPath","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":1646,"function":"writeMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/CorePlugin.php","line":346,"function":"generateMultiStatus","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/event/lib/WildcardEmitterTrait.php","line":89,"function":"httpPropFind","class":"Sabre\\DAV\\CorePlugin","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":472,"function":"emit","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":253,"function":"invokeMethod","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/3rdparty/sabre/dav/lib/DAV/Server.php","line":321,"function":"start","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php","line":84,"function":"exec","class":"Sabre\\DAV\\Server","type":"->"},{"file":"/var/www/nextcloud/remote.php","line":167,"args":["/var/www/nextcloud/apps/dav/appinfo/v1/webdav.php"],"function":"require_once"}],"File":"/var/www/nextcloud/lib/private/Log/ErrorHandler.php","Line":92,"CustomMessage":"--"},"userAgent":"Mozilla/5.0 (Android) Nextcloud-android/3.15.1","version":"21.0.1.1"} ```
christian-eriksson commented 3 years ago

I've narrowed it down to this line:

$result = $exeSniffer->find($program, null, ['/usr/local/sbin', '/usr/local/bin', '/usr/sbin', '/usr/bin', '/sbin', '/bin', '/opt/bin']);

In the method findBinaryPath($program) in OC_Helper.php. It uses the Symfony framework's ExecutableFinder.php to search for executables using the find() method, for example the ffmpeg in the case of PreviewGenerator.

The way the find() method works (at the time of writing) is that it checks if the open_basedir directive is set. If it is it appends the $extraDirs, the list ['/usr/local/sbin', '/usr/local/bin', '/usr/sbin', '/usr/bin', '/sbin', '/bin', '/opt/bin'] in our case to the open_basedir and searches that for files. In doing this it will try to access files outside of open_basedir if the list of $extraDirs not overlap open_basedir.

It's not clear whether Symfony will correct this (I believe it to be a bug), but it would be possible to avoid these error logs by not sending the $extraDirs if the open_basedir is set. Alternatively one could write a new findBinaryPath method that doesn't rely on the Symfony framework.

szaimen commented 3 years ago

Hi there, do you mind creating a PR with a patch for discussion? Thank you!

christian-eriksson commented 3 years ago

@szaimen I'm looking at getting this fixed in Symfony, hopefully I can get a patch in there. I'm guessing this would be preferred over patching it here?

szaimen commented 3 years ago

Yes, fixing this upstream would be prefered. Thank you!

ghost commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity and seems to be missing some essential information. It will be closed if no further activity occurs. Thank you for your contributions.