nextcloud / server

☁️ Nextcloud server, a safe home for all your data
https://nextcloud.com
GNU Affero General Public License v3.0

[Bug]: lib/private/Template/ResourceLocator.php appears to look for files in not-allowed paths #44592

Closed Pazu closed 8 months ago

Pazu commented 8 months ago


Bug description

At present I see a number of errors in the log pertaining to lib/private/Template/ResourceLocator.php attempting to access files in paths which are not allowed; indeed, which don't actually exist.

For example, it attempts to get a file whose path, from the web root, would be "webapps//core/l10n/en.js", which obviously doesn't exist. There is no "webapps" folder there and the path shouldn't include two consecutive slashes anyway (even if it works).

Comment 951119913 on Issue 27759 reports a quite similar error as well and suggests the Notes app is possibly to blame. In my case, however, the app is simply given as, "PHP".

In fact, this may come from viewing the Logging page itself. When I refresh that page, I see the standard set of four errors of this type (see "Additional info" for the other three filenames).

Steps to reproduce

Steps aren't necessarily relevant here. I don't know how to describe or set up the starting condition for this to occur.

Expected behavior

lib/private/Template/ResourceLocator.php should not attempt to access files in not-allowed paths.

Installation method

Community Manual installation with Archive

Nextcloud Server version

28

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

Updated from a MINOR version (ex. 22.1 to 22.2)

Are you using the Nextcloud Server Encryption module?

Encryption is Enabled

What user-backends are you using?

Configuration report

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "28.0.4.1",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbtableprefix": "oc_",
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "ldapIgnoreNamingRules": false,
        "forcessl": true,
        "maintenance": false,
        "singleuser": false,
        "theme": "",
        "defaultapp": "files",
        "knowledgebaseenabled": true,
        "appstoreenabled": true,
        "updatechecker": true,
        "updater.server.url": "https:\/\/updates.nextcloud.com\/updater_server\/",
        "has_internet_connection": true,
        "check_for_working_webdav": true,
        "check_for_working_htaccess": true,
        "check_for_working_wellknown_setup": true,
        "loglevel": 0,
        "trusted_domains": [
            "chopin.impromptu.at"
        ],
        "cron_log": true,
        "secret": "***REMOVED SENSITIVE VALUE***",
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "trashbin_retention_obligation": "auto",
        "htaccess.RewriteBase": "\/",
        "asset-pipeline.enabled": true,
        "session_keepalive": true,
        "overwrite.cli.url": "https:\/\/chopin.impromptu.at",
        "updater.release.channel": "stable",
        "app_install_overwrite": [
            "calendar",
            "occweb",
            "spreed",
            "passwords"
        ],
        "encryption.legacy_format_support": false,
        "default_phone_region": "AT",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379
        },
        "mysql.utf8mb4": true,
        "mail_sendmailmode": "smtp",
        "mail_smtpsecure": "ssl",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "maintenance_window_start": 1,
        "updater.secret": "***REMOVED SENSITIVE VALUE***"
    }
}

List of activated Apps

Enabled:
  - activity: 2.20.0
  - calendar: 4.6.7
  - cloud_federation_api: 1.11.0
  - comments: 1.18.0
  - contacts: 5.5.3
  - contactsinteraction: 1.9.0
  - dashboard: 7.8.0
  - dav: 1.29.1
  - encryption: 2.16.0
  - federatedfilesharing: 1.18.0
  - federation: 1.18.0
  - files: 2.0.0
  - files_mindmap: 0.0.30
  - files_reminders: 1.1.0
  - files_sharing: 1.20.0
  - files_trashbin: 1.18.0
  - files_versions: 1.21.0
  - firstrunwizard: 2.17.0
  - logreader: 2.13.0
  - lookup_server_connector: 1.16.0
  - nextcloud_announcements: 1.17.0
  - notes: 4.9.4
  - notifications: 2.16.0
  - oauth2: 1.16.3
  - password_policy: 1.18.0
  - passwords: 2024.3.20
  - phonetrack: 0.7.7
  - photos: 2.4.0
  - privacy: 1.12.0
  - provisioning_api: 1.18.0
  - recommendations: 2.0.0
  - related_resources: 1.3.0
  - serverinfo: 1.18.0
  - settings: 1.10.1
  - sharebymail: 1.18.0
  - spreed: 18.0.5
  - support: 1.11.1
  - survey_client: 1.16.0
  - systemtags: 1.18.0
  - tasks: 0.15.0
  - text: 3.9.1
  - theming: 2.3.0
  - twofactor_backupcodes: 1.17.0
  - updatenotification: 1.18.0
  - user_status: 1.8.1
  - viewer: 2.2.0
  - weather_status: 1.8.0
  - workflowengine: 2.10.0
Disabled:
  - admin_audit: 1.18.0
  - bruteforcesettings: 2.8.0 (installed 1.2.0)
  - circles: 28.0.0 (installed 0.19.5)
  - files_external: 1.20.0
  - files_pdfviewer: 2.9.0 (installed 0.5)
  - files_rightclick: 0.15.1 (installed 1.6.0)
  - suspicious_login: 6.0.0
  - twofactor_totp: 10.0.0-beta.2
  - user_ldap: 1.19.0 (installed 0.3.0.0)

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

{"reqId":"tSd9ynXoO4Dadf9eMMas","level":3,"time":"2024-03-31T06:41:04+00:00","remoteAddr":"62.178.177.26","user":"gkolanek","app":"PHP","method":"GET","url":"/settings/admin/logging","message":"is_file(): open_basedir restriction in effect. File(/artificial/path/to/web/root/webapps//core/l10n/en.js) is not within the allowed path(s): (/artificial/path/to/web/root/web:/artificial/path/to/web/root/private:/artificial/path/to/web/root/tmp:/var/www/www.example.com/web:/srv/www/www.example.com/web:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/dev/random:/dev/urandom) at /artificial/path/to/web/root/web/lib/private/Template/ResourceLocator.php#100","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0","version":"28.0.4.1","data":{"app":"PHP"},"id":"66090582b7648"}

Additional info

Other files looked for at the same time and which also generate errors:
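The log entry above shows `is_file()` being called on a candidate path (`.../webapps//core/l10n/en.js`) that lies outside the `open_basedir` list, which is what makes PHP emit the warning. The following is an added example, not Nextcloud's own `ResourceLocator` code, showing how a resource lookup can normalize each candidate path and check it against the `open_basedir` directories before touching the filesystem, so that out-of-scope candidates are skipped and reported rather than probed. All function names (`allowedBaseDirs`, `normalizePath`, `withinAllowed`, `findResource`) and the directory paths in the demonstration are constructed for this example.

```php
<?php
// Added example (not Nextcloud code): look up a static resource such as
// core/l10n/en.js in a list of candidate directories, probing only those
// inside open_basedir. Paths below are constructed for the demonstration.

declare(strict_types=1);

/** Parse an open_basedir setting into normalized directory prefixes (with trailing slash). */
function allowedBaseDirs(?string $setting = null): array
{
    $setting = $setting ?? (string) ini_get('open_basedir');
    if ($setting === '') {
        return []; // no restriction configured in this SAPI
    }
    $dirs = [];
    foreach (explode(PATH_SEPARATOR, $setting) as $dir) {
        $dir = normalizePath($dir);
        if ($dir !== '') {
            $dirs[] = rtrim($dir, '/') . '/';
        }
    }
    return $dirs;
}

/** Collapse repeated slashes and resolve "." / ".." segments purely lexically. */
function normalizePath(string $path): string
{
    $absolute = str_starts_with($path, '/');
    $parts = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;          // drops the "//" seen in the reported path
        }
        if ($seg === '..') {
            array_pop($parts); // never climb above the root
            continue;
        }
        $parts[] = $seg;
    }
    return ($absolute ? '/' : '') . implode('/', $parts);
}

/** True when the normalized $path sits inside one of the allowed base directories. */
function withinAllowed(string $path, array $allowed): bool
{
    if ($allowed === []) {
        return true;
    }
    // Compare with a trailing slash so ".../webapps" is NOT accepted by ".../web".
    $normalized = rtrim(normalizePath($path), '/') . '/';
    foreach ($allowed as $base) {
        if (str_starts_with($normalized, $base)) {
            return true;
        }
    }
    return false;
}

/**
 * Return the first existing candidate for $resource. Candidates outside
 * open_basedir are collected in $skipped instead of being handed to is_file(),
 * which is the call that produces the "open_basedir restriction in effect" warning.
 */
function findResource(string $resource, array $candidateDirs, array $allowed, array &$skipped = []): ?string
{
    foreach ($candidateDirs as $dir) {
        $candidate = normalizePath($dir . '/' . $resource);
        if (!withinAllowed($candidate, $allowed)) {
            $skipped[] = $candidate;
            continue;
        }
        if (is_file($candidate)) {
            return $candidate;
        }
    }
    return null;
}

// Demonstration mirroring the shape of the reported log entry (constructed values).
$webRoot    = '/artificial/path/to/web/root/web';
$allowed    = allowedBaseDirs('/artificial/path/to/web/root/web:/tmp');
$candidates = [
    '/artificial/path/to/web/root/webapps/', // outside open_basedir; "/" . resource would yield "//"
    $webRoot,                                // where core/ actually lives
];
$skipped = [];
$found   = findResource('core/l10n/en.js', $candidates, $allowed, $skipped);

echo 'found:   ' . ($found ?? '(none)') . PHP_EOL;
foreach ($skipped as $path) {
    echo "skipped: $path (outside open_basedir)" . PHP_EOL;
}
```

Two details matter for the kind of error in this report: the lexical normalization removes the doubled slash before the path is ever used, and the prefix comparison is done with a trailing slash on the base directory, because a plain `str_starts_with($path, '/…/web')` would wrongly treat `/…/webapps/…` as inside the allowed root. Run it with `php example.php` on a CLI where `open_basedir` is unset; the `webapps` candidate is reported as skipped and no PHP warning is raised.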

kesselb commented 8 months ago

Should be fixed by https://github.com/nextcloud/server/pull/44408

susnux commented 8 months ago

Yes, will be fixed with 28.0.5