Resolve relative paths to absolute before validation to avoid open_basedir warnings#272
Conversation
with this order, the code won't reach the relative path. The realtive path might break open_basedir restrictions during second composer install.
Suggested fix from PR - with tests
|
@rodrigoprimo As you took a look at the issue and suggested the direction for this PR (and @srebb looks to have made the changes you suggested - thanks!), would you like to review this PR ? |
|
Thanks to all involved people for your support. I like the suggested idea, so the PR is updated. I suggest to fix the two failing tests in another branch, since they are failing due to external changes in the latest images. |
Agreed, those tests are set up to be "allowed to fail" and serve as an early warning system for changes upstream. If the test failures persist, we may want to report an issue upstream about what we are observing, but those tests failing on this PR is definitely not a blocker. 👍🏻 |
rodrigoprimo
left a comment
rodrigoprimo
left a comment
There was a problem hiding this comment.
Thanks for updating the PR to incorporate the suggested approach, @srebb! The change to Plugin.php looks correct to me.
The PR title and description still describe the original order-swap approach rather than what the PR actually does now. I suggested updating them to reflect the current implementation.
I also left a few inline comments for us to discuss.
srebb
changed the title
Co-authored-by: Rodrigo Primo <rodrigosprimo@gmail.com>
rodrigoprimo
left a comment
rodrigoprimo
left a comment
There was a problem hiding this comment.
Thanks for applying the change that I suggested to the code comment, and sorry for the delay in checking this PR again, @srebb.
After Juliette's remarks about the test structure, I now checked the tests themselves more carefully. I left two inline comments with nitpicks. Other than that, this PR looks good to me.
|
FYI: as Composer just tagged the 2.10.0-RC release, I have now opened an issue about the problem we are seeing when running the tests with Composer "snapshot". |
rodrigoprimo
left a comment
rodrigoprimo
left a comment
There was a problem hiding this comment.
Thanks for making those changes, @srebb. This PR looks good to me.
* Rename `testPreexistingValidRelativeInstalledPathsConfigIsKept()` to `testPreexistingValidRelativeInstalledPathsConfigIsKeptIntact()` to be in line with the pre-existing `testPreexistingValidAbsoluteInstalledPathsConfigIsKeptIntact()` test. * Move the test up in the file.
|
Thanks for all your work on this @srebb ! All good from me. I did push an extra commit to re-order the tests and sync the name of the new "valid" test. Before
After
@Potherca Would you still like to take a look at this ? Release plan:
That way, this fix will be available to users using PHP < 7.2, as support for PHP < 7.2 will be dropped in v @Potherca Agreed on this plan ? |
|
@jrfnl All good, go for it! |
4 participants
When
installed_pathsin the PHPCS configuration contains relative paths, subsequentcomposer installruns can trigger PHPopen_basedirrestriction warnings. This happens becauseis_dir()is called directly on the relative path, which may fall outside the allowedopen_basedirdirectories.Proposed Changes
Resolve relative paths to absolute paths (using the PHPCS install path as the base directory) before validating them with
is_dir()andis_readable(). This ensures path checks operate on fully qualified paths that respectopen_basedirrestrictions.Related Issues
Closes #271
Suggested changelog entry
fix for open_basedir error during composer install