mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-22 13:30:55 +01:00
Improve setup process to detect 'open_basedir', 'date.timezone' and 'safe_mode'
problems Summary: Detect more PHP misconfigurations in setup. Test Plan: Broke my configuration, ran setup, it seemed to detect all the problems and issue meaningful error messages. Reviewed By: jungejason Reviewers: hunterbridges, 10098, jungejason, tuomaspelkonen, aran CC: aran, jungejason Differential Revision: 717
This commit is contained in:
parent
da8beefa6c
commit
26bca41828
2 changed files with 113 additions and 2 deletions
|
@ -31,6 +31,93 @@ class PhabricatorSetup {
|
||||||
self::write("This setup mode will guide you through setting up your ".
|
self::write("This setup mode will guide you through setting up your ".
|
||||||
"Phabricator configuration.\n");
|
"Phabricator configuration.\n");
|
||||||
|
|
||||||
|
self::writeHeader("CORE CONFIGURATION");
|
||||||
|
|
||||||
|
// NOTE: Test this first since other tests depend on the ability to
|
||||||
|
// execute system commands and will fail if safe_mode is enabled.
|
||||||
|
$safe_mode = ini_get('safe_mode');
|
||||||
|
if ($safe_mode) {
|
||||||
|
self::writeFailure();
|
||||||
|
self::write(
|
||||||
|
"Setup failure! You have 'safe_mode' enabled. Phabricator will not ".
|
||||||
|
"run in safe mode, and it has been deprecated in PHP 5.3 and removed ".
|
||||||
|
"in PHP 5.4.\n");
|
||||||
|
return;
|
||||||
|
} else {
|
||||||
|
self::write(" okay PHP's deprecated 'safe_mode' is disabled.\n");
|
||||||
|
}
|
||||||
|
|
||||||
|
// NOTE: Also test this early since we can't include files from other
|
||||||
|
// libraries if this is set strictly.
|
||||||
|
|
||||||
|
$open_basedir = ini_get('open_basedir');
|
||||||
|
if ($open_basedir) {
|
||||||
|
|
||||||
|
// 'open_basedir' restricts which files we're allowed to access with
|
||||||
|
// file operations. This might be okay -- we don't need to write to
|
||||||
|
// arbitrary places in the filesystem -- but we need to access certain
|
||||||
|
// resources. This setting is unlikely to be providing any real measure
|
||||||
|
// of security so warn even if things look OK.
|
||||||
|
|
||||||
|
try {
|
||||||
|
phutil_require_module('phutil', 'utils');
|
||||||
|
$open_libphutil = true;
|
||||||
|
} catch (Exception $ex) {
|
||||||
|
$message = $ex->getMessage();
|
||||||
|
self::write("Unable to load modules from libphutil: {$message}\n");
|
||||||
|
$open_libphutil = false;
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
phutil_require_module('arcanist', 'workflow/base');
|
||||||
|
$open_arcanist = true;
|
||||||
|
} catch (Exception $ex) {
|
||||||
|
$message = $ex->getMessage();
|
||||||
|
self::write("Unable to load modules from Arcanist: {$message}\n");
|
||||||
|
$open_arcanist = false;
|
||||||
|
}
|
||||||
|
|
||||||
|
$open_urandom = @fopen('/dev/urandom', 'r');
|
||||||
|
if (!$open_urandom) {
|
||||||
|
self::write("Unable to open /dev/urandom!\n");
|
||||||
|
}
|
||||||
|
|
||||||
|
try {
|
||||||
|
$tmp = new TempFile();
|
||||||
|
file_put_contents($tmp, '.');
|
||||||
|
$open_tmp = @fopen((string)$tmp, 'r');
|
||||||
|
} catch (Exception $ex) {
|
||||||
|
$message = $ex->getMessage();
|
||||||
|
$dir = sys_get_temp_dir();
|
||||||
|
self::write("Unable to open temp files from '{$dir}': {$message}\n");
|
||||||
|
$open_tmp = false;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!$open_urandom || !$open_tmp || !$open_libphutil || !$open_arcanist) {
|
||||||
|
self::writeFailure();
|
||||||
|
self::write(
|
||||||
|
"Setup failure! Your server is configured with 'open_basedir' in ".
|
||||||
|
"php.ini which prevents Phabricator from opening files it needs to ".
|
||||||
|
"access. Either make the setting more permissive or remove it. It ".
|
||||||
|
"is unlikely you derive significant security benefits from having ".
|
||||||
|
"this configured; files outside this directory can still be ".
|
||||||
|
"accessed through system command execution.");
|
||||||
|
return;
|
||||||
|
} else {
|
||||||
|
self::write(
|
||||||
|
"[WARN] You have an 'open_basedir' configured in your php.ini. ".
|
||||||
|
"Although the setting seems permissive enough that Phabricator ".
|
||||||
|
"will run properly, you may run into problems because of it. It is ".
|
||||||
|
"unlikely you gain much real security benefit from having it ".
|
||||||
|
"configured, because the application can still access files outside ".
|
||||||
|
"the 'open_basedir' by running system commands.\n");
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
self::write(" okay 'open_basedir' is not set.\n");
|
||||||
|
}
|
||||||
|
|
||||||
|
self::write("[OKAY] Core configuration OKAY.\n");
|
||||||
|
|
||||||
self::writeHeader("REQUIRED PHP EXTENSIONS");
|
self::writeHeader("REQUIRED PHP EXTENSIONS");
|
||||||
$extensions = array(
|
$extensions = array(
|
||||||
'mysql',
|
'mysql',
|
||||||
|
@ -163,6 +250,22 @@ class PhabricatorSetup {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$timezone = nonempty(
|
||||||
|
PhabricatorEnv::getEnvConfig('phabricator.timezone'),
|
||||||
|
ini_get('date.timezone'));
|
||||||
|
if (!$timezone) {
|
||||||
|
self::writeFailure();
|
||||||
|
self::write(
|
||||||
|
"Setup failure! Your configuration fails to specify a server ".
|
||||||
|
"timezone. Either set 'date.timezone' in your php.ini or ".
|
||||||
|
"'phabricator.timezone' in your Phabricator configuration. See the ".
|
||||||
|
"PHP documentation for a list of supported timezones:\n\n".
|
||||||
|
"http://us.php.net/manual/en/timezones.php\n");
|
||||||
|
return;
|
||||||
|
} else {
|
||||||
|
self::write(" okay Timezone '{$timezone}' configured.\n");
|
||||||
|
}
|
||||||
|
|
||||||
self::write("[OKAY] Basic configuration OKAY\n");
|
self::write("[OKAY] Basic configuration OKAY\n");
|
||||||
|
|
||||||
|
|
||||||
|
@ -372,12 +475,19 @@ class PhabricatorSetup {
|
||||||
$local_key = 'storage.local-disk.path';
|
$local_key = 'storage.local-disk.path';
|
||||||
$local_path = PhabricatorEnv::getEnvConfig($local_key);
|
$local_path = PhabricatorEnv::getEnvConfig($local_key);
|
||||||
if ($local_path) {
|
if ($local_path) {
|
||||||
if (!Filesystem::pathExists($local_path) || !is_writable($local_path)) {
|
if (!Filesystem::pathExists($local_path) ||
|
||||||
|
!is_readable($local_path) ||
|
||||||
|
!is_writable($local_path)) {
|
||||||
self::writeFailure();
|
self::writeFailure();
|
||||||
self::write(
|
self::write(
|
||||||
"Setup failure! You have configured local disk storage but the ".
|
"Setup failure! You have configured local disk storage but the ".
|
||||||
"path you specified ('{$local_path}') does not exist or is not ".
|
"path you specified ('{$local_path}') does not exist or is not ".
|
||||||
"writable.\n");
|
"readable or writable.\n");
|
||||||
|
if ($open_basedir) {
|
||||||
|
self::write(
|
||||||
|
"You have an 'open_basedir' setting -- make sure Phabricator is ".
|
||||||
|
"allowed to open files in the local storage directory.\n");
|
||||||
|
}
|
||||||
return;
|
return;
|
||||||
} else {
|
} else {
|
||||||
self::write(" okay Local disk storage exists and is writable.\n");
|
self::write(" okay Local disk storage exists and is writable.\n");
|
||||||
|
|
|
@ -13,6 +13,7 @@ phutil_require_module('phabricator', 'storage/connection/mysql');
|
||||||
phutil_require_module('phabricator', 'storage/queryfx');
|
phutil_require_module('phabricator', 'storage/queryfx');
|
||||||
|
|
||||||
phutil_require_module('phutil', 'filesystem');
|
phutil_require_module('phutil', 'filesystem');
|
||||||
|
phutil_require_module('phutil', 'filesystem/tempfile');
|
||||||
phutil_require_module('phutil', 'future/exec');
|
phutil_require_module('phutil', 'future/exec');
|
||||||
phutil_require_module('phutil', 'moduleutils');
|
phutil_require_module('phutil', 'moduleutils');
|
||||||
phutil_require_module('phutil', 'parser/uri');
|
phutil_require_module('phutil', 'parser/uri');
|
||||||
|
|
Loading…
Reference in a new issue