DOMDocument->load external entity fail for local file with PHP-FPM - nginx

The following PHP "failed to load external entity", even though it is trying to load a local XML file:
<?php
$path = "/usr/share/pear/www/horde/config";
#libxml_disable_entity_loader(false);
$dom = new DOMDocument();
$v = $dom->load($path . '/conf.xml');
echo "status = ".($v?'success':'error')."\n";
?>
The basic question is how can this be fixed?
Log file:
2014/03/10 20:07:10 [error] 26117#0: *24 FastCGI sent in stderr: "PHP message: PHP Warning: DOMDocument::load(): I/O warning : failed to load external entity "/usr/share/pear/www/horde/config/conf.xml" in /usr/share/nginx/html/test.php on line 5
PHP message: PHP Stack trace:
PHP message: PHP 1. {main}() /usr/share/nginx/html/test.php:0
PHP message: PHP 2. DOMDocument->load() /usr/share/nginx/html/test.php:5" while reading response header from upstream, client: x.x.x.x, server: example.com, request: "GET /test.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "example.com"
Uncommenting the libxml_disable_entity_loader line works, but this is not an acceptable solution for a few reasons, e.g. it is systemwide for php-fpm.
Running the PHP from shell returns "status = success". Doing a file_get_contents and then $dom->loadXML($string) also works (i.e. file exists and not a permissions issue). This might be an acceptable workaround, but shouldn't be necessary and doesn't explain why the error is occurring.
The XML file itself is the Horde config, but the problem does not seem to be the contents of the file, since it also occurs with this XML content:
<?xml version="1.0"?>
<configuration></configuration>
Environment is php and php-fpm 5.3.3, nginx 1.4.6, libxml2 2.7.6. My first guess is something to do with php-fpm, but I can't find any config setting that affects this. Any pearls of wisdom appreciated!
EDIT TO ADD
Restarting php-fpm causes it to work briefly. Disabling APC did not seem to help. Seems like something with php-fpm - but what?
FURTHER TESTING
Some additional info:
I tried hitting the server repeatedly, and get an error about 80% of the time. The pattern isn't random - a few seconds of successes followed by a series of errors;
I added a phpinfo() to the end of the above php and doing a diff on the success and failure runs - there is no difference;
If I put libxml_disable_entity_loader(true), I seem to always get an error, which suggests that bug #64938 is at work.
It seems that I need to find why the XML is considered to have external entities.

I think that, if the external entity loader is disabled, it should be obvious that external entities can't be loaded. The only solution is to enable loading of external entities with libxml_disable_entity_loader(false). Since this setting is not thread-safe, I can see two approaches:
Enable it globally and use some other feature to prevent loading of unwanted entities (typically from a network):
Register your own entity loader with libxml_set_external_entity_loader. I think that's the safest solution.
Use the parse option LIBXML_NONET. This should be enough if you simply want to disable network access of libxml2. But you have to make sure to always pass it to calls like DOMDocument::load.
Use locks to protect calls to libxml_disable_entity_loader. This is probably impractical and potentially unsafe.

Related

Wordpress failed update plugins after core upgrade in a new server

I moved a WordPress site from a cpanel server to plesk server. Then, i upgraded manualy the site from 3.5.1 version to 4.8.3. Afterwards i tried to upgrade plugins (fancy box) as well as to intall new plugins (contact form 7).
The issue i have is that i get the following error message "Update Failed: Download failed. Destination directory for file streaming does not exist or is not writable.".
In the server's log file i can see few warning like the following one
mod_fcgid: stderr: PHP Warning: file_exists(): open_basedir restriction in effect. File(/home/dentist/domains/dentist.com.gr/public_html/newsite/wp-content/uploads//easy-fancybox.1.6.2-Vlaovu.tmp) is not within the allowed path(s): (/var/www/vhosts/ggeorgiou.gr/ggeorgiou.work/:/tmp/) in /var/www/vhosts/ggeorgiou.gr/ggeorgiou.work/wd/dentist.com.gr/wp-includes/functions.php on line 2085, referer: http://www.ggeorgiou.work/wd/dentist.com.gr/wp-admin/plugins.php
Finally, note that in "Settings --> Media" menu in "
Store uploads in this folder" field i have put the following path of the current server: "/var/www/vhosts/ggeorgiou.gr/ggeorgiou.work/wd/dentist.com.gr/wp-content/uploads".
Any idea please what is wrong about?
Thank you
From what you posted, your exact error message is "open_basedir restriction in effect". You can read more about how to solve it here How can I relax PHP's open_basedir restriction?
Also,
Assuming you have a backup of the previous version, I would start by restoring that.
Secondly, there are many versions between 3.5.1 and 4.8.3. It is advisable to upgrade in increments of one version at a time. It is long but safer.

After upgrade attempting to get artifact results in "Could not process download request: Binary provider has no content for"

I recently upgraded our artifactory repository from 2.6.5 to the current version 5.4.6.
However, something seems to have gone wrong in the process. There are some artifacts that throw a HTTP 500 error when attempting to access them. Here is an example using wget:
wget http://xyz.server.com:8081/artifactory/gradle/org/jfrog/buildinfo/build-info-extractor-gradle/2.0.12/build-info-extractor-gradle-2.0.12.pom
--2017-09-12 12:17:13--
http://xyz.server.com:8081/artifactory/gradle/org/jfrog/buildinfo/build-info-extractor-gradle/2.0.12/build-info-extractor-gradle-2.0.12.pom
Resolving xyz.server.com (xyz.server.com)... 10.125.1.28
Connecting to xyz.server.com (xyz.server.com)|10.125.1.28|:8081... connected.
HTTP request sent, awaiting response... 500 Internal Server Error
2017-09-12 12:17:13 ERROR 500: Internal Server Error.
I verified this by going to the artifactory site, browsing to the object in question, and trying to download it. The result was the following:
{
"errors" : [ {
"status" : 500,
"message" : "Could not process download request: Binary provider has no content for 'e52a9a9a58d6829b7b13dd841af4b027c88bb028'"
} ]
}
The problem seems to be in the final step of the upgrade process, upgrading from 3.9.5 to 5.4.6. The wget command above works on 3.9.5, but not on the 5.4.6 instance.
I found a reference to a "Zap Cache" function in older documentation and thought it might fix things, but I don't seem to be able to find that function in the current site.
Is anyone able to point me to: a way to fix this issue, or what I need to do/look for in the upgrade process in order to prevent it from occurring?
As a further data point, we're using an Oracle database for the full file store, if that matters in any way (using the tag: <chain template="full-db"> in binarystore.xml)
Thanks in advance....

Jmeter: Response code: Non HTTP response code: javax.net.ssl.SSLHandshakeException

I have an application URL. I need to run login test using Jmeter. I recorded the login steps using blazemeter extension of chrome. But when I run it I get below error. I know there have been questions like this, I have tried few and it seems my case is different.
I have tried:
Added these two lines in jmeter.bat
set JAVA_HOME=C:\Program Files\Java\jdk1.8.0_65
set PATH=%JAVA_HOME%\bin;%PATH%
Run Jmeter using "Run as Administrator"
Download the certificate from here https://gist.github.com/borisguery/9ef114c53b83e553b635 and install it this way
https://www.youtube.com/watch?v=2k581jcWk9M
Restart the Jmeter but and try again but no luck.
When I expand the error in Jmeter View tree listener I get error on this particular css file: https://abcurl.xyzsample.com/assets/loginpage/css/okta-sign-in.min.7c7cfd15fa939095d61912dd8000a2a8.css
Error:
Thread Name: Thread Group 1-1
Load time: 268
Connect Time: 0
Latency: 0
Size in bytes: 2256
Headers size in bytes: 0
Body size in bytes: 2256
Sample Count: 1
Error Count: 1
Response code: Non HTTP response code: javax.net.ssl.SSLHandshakeException
Response message: Non HTTP response message: Received fatal alert: handshake_failure
Response headers:
HTTPSampleResult fields:
ContentType:
DataEncoding: null
If you are getting error for only one .css file and it does not belong to the application under test (i.e. it is an external stylesheet) the best thing you could do is just to exclude it from the load test via URLs must match section which lives under "Advanced" tab of the HTTP Request Defaults configuration element.
If you need to load this .css by any means you could also try the following approaches:
Play with https.default.protocol and https.socket.protocols properties (look for the above lines in jmeter.properties) file
Install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files into /jre/lib/security folder of your JRE or JDK home (replace existing files with the downloaded ones)
If your url needs a client certificate, then copy your cert to /bin folder and from the jmeter console if you go to options -> SSL Manager and select your cert , it would prompt you for the certificate password . And if you run your tests again , that should work .
Additionally you can also do keystore configuraion (http://jmeter.apache.org/usermanual/component_reference.html#Keystore_Configuration) , if you haven't done already .
Please Note that my jmeter version is 4.0 . Hope this helps .

Nginx + FastCGI + PHP (php-fpm) not logging caught errors/warnings

FastCGI doesn't want to log PHP errors properly. Well, that's not entirely true: it logs errors fine, with a little fiddling; it just won't log anything else, such as warnings.
The notorious FastCGI -> Nginx log bug isn't an issue, necessarily. Errors and warnings from php-fpm go straight to Nginx--but only if they're uncaught. That is, if set_error_handler successfully intercepts an error, no log entry is appended. This means that I can see parse errors, but that's about it.
php-fpm doesn't log PHP errors by itself (separate from nginx) without a bit of a hack. php-fpm's instance configuration file includes these two lines by default:
php_admin_value[error_log] = /mnt/log/php-fpm/default.log
php_admin_flag[log_errors] = on
I changed the error_log path, obviously. I had to add the following line to get it to actually log anything:
php_admin_value[error_reporting] = E_ALL & ~E_DEPRECATED & ~E_STRICT
Version note: the E_STRICT part is unnecessary, as I'm using PHP 5.3.27, but I plan on upgrading to 5.4 at some point. With this line, it logs errors--and only errors--to /mnt/log/php-fpm/default.log. Now, this sets error_reporting to the same value that I have set in php.ini, so something is obviously wrong here. In addition, it doesn't log caught errors: the behavior is identical to that of the nginx log. I tried using the numeric value (22527) instead, but still no luck.
I don't care in which log file the entries end up (nginx versus php-fpm), but I do need caught errors to be logged somewhere. I could resort to injecting my own error and exception handlers, but that's a bit hackish, so I'd rather avoid that.
I use this directive in the pool configuration file for PHP-FPM:
catch_workers_output = yes

MAMP include error wp-blog-header.php

I'm trying to use the global $wpdb in a plugin to insert data into one of my tables.
From the docs it sounds like I just need to include wp-blog-header.php
However when I try to do so I'm getting an error.
PHP Fatal error: require() [function.require]: Failed opening required 'http://localhost:8888/blog/wp-blog-header.php' (include_path='.:/Applications/MAMP/bin/php/php5.3.6/lib/php') in /Applications/MAMP/htdocs/blog/wp-content/plugins/pluginname/submit/pick.php on line 4
My pluginname/submit/pick.php (which is called by AJAX) has the following code
<?php
$p = 'http://localhost:8888/blog/wp-blog-header.php';
echo $p;
require($p);
echo 'hi';
?>
If I load the pick.php, I see http://localhost:8888/blog/wp-blog-header.php and that is it. So it must be failing on the require, as the error log confirms.
The path is correct as I inserted a quick echo into wp-blog-header.php, and copy pasted the output from pick.php into the address bar and it worked.
Any help would be appreciated.
You don't include php files via urls. What you'll be including is the EXECUTED OUTPUT of the script. Since it's a full-blown url, there's no difference between your internal require() and someone hitting that url with a browser. All you'll get is the output of the script, which is probably blank/nothing.
Including via urls, even if it's just a local request to your own server, opens a whole can of worms in terms of security holes.
Any reason you can't simply include it via a normal local file request, e.g.
require('blog/wp-blog-header.php');
?

Resources