Page MenuHomePhabricator

Fix superfluous Warning: is_executable(): open_basedir restriction in effect in /includes/GlobalFunctions.php on line 2809
Closed, DeclinedPublic


In MediaWiki 1.24 this error occurs at several places (e.g. after uploading an image, but also at a number of other occasions):

Warning: is_executable(): open_basedir restriction in effect. File(/bin/bash) is not within the allowed path(s): (list of the paths...) in /includes/GlobalFunctions.php on line 2809

The code is this:

function wfShellExec( $cmd, &$retval = null, $environ = array(),
	if ( is_executable( '/bin/bash' ) ) {

/bin/bash in fact is not in the allowed paths. However, wfShellExec() will work anyway! If the bash is not usable (like in my case), it is working as well (e.g. images are uploaded correctly, thumbnails are created correctly and so on). In this case - apart from the warning - the function is working as well. All this is_executable()-line in its current form is there for seems to be to create this warning...

I see two possible solutions:

  • Change this check to something else, which does not throw a warning.
  • Or (if that is not possible) at least suppress the error with something like @is_executable().

I prefer the first one, but I do not have the code for that right now. If necessary I can also live with the second one.

Event Timeline

Joergi123 raised the priority of this task from to Needs Triage.
Joergi123 updated the task description. (Show Details)
Joergi123 added a project: MediaWiki-Core-Team.
Joergi123 changed Security from none to None.
Joergi123 subscribed.

Yeah, the only solution is to edit apache config by adding php_admin_value open_basedir "/home/user:/bin/bash" what's not possible for shared hosting.

In the meantime, I have adjusted my configuration, so that I am no longer hit by this problem.

However, the issue remains. What I am saying is: wfShellExec() works anyway, even if /bin/bash is not executable. The check for is_executable() at least in this form only throws a warning, but does nothing else.

IMHO adding /bin/bash to open_basedir should not be recommended. This directive is often used to explicitly limit file system access for PHP. Allowing PHP to call a system shell doesn't sound like a good idea to me. (MW 1.26 here, the warning is logged 3 times for each picture upload, but no UI errors - only includes/ is never called, of course.)