swooletw / laravel-swoole

High performance HTTP server based on Swoole. Speed up your Laravel or Lumen applications.
MIT License
4.04k stars 390 forks

Static resources via symlink no longer work #481

Open aftabnaveed opened 3 years ago

aftabnaveed commented 3 years ago

Make sure you read Issues Guideline and answer these questions before submitting your issue. Thanks! (Any non-English issues will be closed immediately.)

  1. Please provide your PHP and Swoole version. (php -v and php --ri swoole)

         PHP 8.0.3 (cli) (built: Mar 4 2021 05:33:14) ( NTS )
         Copyright (c) The PHP Group
         Zend Engine v4.0.3, Copyright (c) Zend Technologies

         Swoole => enabled
         Author => Swoole Team team@swoole.com
         Version => 4.6.4
         Built => Mar 30 2021 15:39:43

  2. Please provide your Laravel/Lumen version.

     Laravel 8.

  3. Which release version of this package are you using?

  4. What did you do? If possible, provide a recipe for reproducing the error.

     Created a Symlink in /public folder and set SWOOLE_HANDLE_STATIC to true in .env

  5. What did you expect to see?

     Expected to be able to see the static file from a symlink

  6. What did you see instead?

     404 Not Found

It looks like the following Merge broke the static resources served via symlink.

https://github.com/swooletw/laravel-swoole/commit/96a93e93b5a97a6aefa6b6dfa5e2b346c9fb4af9#diff-5c6e8c22956d54a6193a50ec2c2ca80a8b2be45efa15faa70a2e5f9d0f29d380

    $fileName = @realpath($publicPath . $uri);

The above line in SwooleTW\Http\Transformers\Request now returns the real path of the file, and then on line 196 it compares it against public path which does not match, returns false and hence will not serve the static file.

    if (substr($fileName, 0, strlen($publicPath)) != $publicPath) {
        return false;
    }

Arkanius commented 3 years ago

Hello, thanks for reporting this issue.

Well, it looks like it will always be false indeed

Introduced at https://github.com/swooletw/laravel-swoole/pull/462

We should find a better way to fix the LFI issue by changing this if

aftabnaveed commented 3 years ago

I think the issue is this line: $fileName = @realpath($publicPath . $uri); realpath is a system call which resolves a symlink to its original value.

Arkanius commented 3 years ago

Looks like we could apply the realpath in both cases

Arkanius commented 3 years ago

Maybe we could use the "finder": https://github.com/laravel/octane/pull/112/files

aftabnaveed commented 3 years ago

How would that fix the symlink problem?

aftabnaveed commented 3 years ago

BTW why is realpath being used here?

Arkanius commented 3 years ago

see https://github.com/swooletw/laravel-swoole/pull/462
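
An added example, not code from this thread or from laravel-swoole: it runs the realpath-plus-prefix check quoted in the issue against a plain file, a `../` traversal and a symlink whose target lies outside public/, next to a hypothetical lexical check that rejects `..` segments without resolving symlinks. The function names, the temp-dir layout, the POSIX `symlink()` requirement and the already-decoded URI path are assumptions of this example.

```php
<?php
// Added example; function names and the temp-dir layout are hypothetical.
// Assumes a POSIX system (symlink()) and a URI path that is already decoded.

// The check quoted in the issue: canonicalise, then require the public prefix.
function realpathPrefixCheck(string $publicPath, string $uri)
{
    $fileName = @realpath($publicPath . $uri);
    if ($fileName === false || substr($fileName, 0, strlen($publicPath)) != $publicPath) {
        return false;
    }
    return $fileName;
}

// Assumed alternative: reject ".." segments lexically and leave symlinks
// unresolved, so links placed under public/ are followed on purpose.
function lexicalCheck(string $publicPath, string $uri)
{
    if (strpos($uri, "\0") !== false) {
        return false;
    }
    if (in_array('..', explode('/', str_replace('\\', '/', $uri)), true)) {
        return false;
    }
    $fileName = rtrim($publicPath, '/') . '/' . ltrim($uri, '/');
    return is_file($fileName) ? $fileName : false;
}

// Constructed layout: public/app.css, public/storage -> ../storage, ../.env
$base = sys_get_temp_dir() . '/static-demo-' . uniqid();
mkdir($base . '/public', 0700, true);
mkdir($base . '/storage', 0700);
file_put_contents($base . '/public/app.css', 'body{}');
file_put_contents($base . '/storage/logo.png', 'constructed');
file_put_contents($base . '/.env', 'APP_KEY=constructed');
symlink($base . '/storage', $base . '/public/storage');
$public = realpath($base . '/public'); // canonical on both sides of the compare

foreach (['/app.css', '/../.env', '/storage/logo.png'] as $uri) {
    printf(
        "%-18s realpath+prefix=%-5s lexical=%s\n",
        $uri,
        realpathPrefixCheck($public, $uri) === false ? 'deny' : 'serve',
        lexicalCheck($public, $uri) === false ? 'deny' : 'serve'
    );
}
```

The lexical variant serves whatever a link under public/ points to, so it fits only where write access to that directory is restricted to the operator.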