• Resolved schnorz

    (@schnorz)


    Hi, after the latest update most pictures on my site are not loading any more. I found a .htaccess file in path wp-content with only webp in it.

    After deleting the file everything was working normally.

    I tried to restore the old .htaccess file from an older version of webp – but it gave me the same error.

    Now I have webp disabled but would like to continue using it. Any hints?

    Thanks schnorz

Viewing 15 replies - 16 through 30 (of 46 total)
  • Plugin Author rosell.dk

    (@roselldk)

    Regarding the “Sanity check failed for source: Path is outside allowed path” message, it is generated by a call to

    SanityCheck::absPathExistsAndIsFileInDocRoot in either wod/webp-on-demand.php or wod/webp-realizer.php.

    To debug, you can start replacing each of them with the less strict “SanityCheck::absPathExistsAndIsFile”.
    When you find the one that makes it work, you can print debug information after the now successful call.

    i.e.:

    
    echo $source;
    echo 'doc root:' . $docRoot;
    exit;
    
    Plugin Author rosell.dk

    (@roselldk)

    I can reproduce the bug with symlinked folder. On it!

    Plugin Author rosell.dk

    (@roselldk)

    Ah, it was the file, not the folder that needed realpath()

    Plugin Author rosell.dk

    (@roselldk)

    The only problem is that using realpath to expand symbolic links only works when the file exists. And the path to the destination is validated too (and it most often does not exist for webp-on-demand.php).

    It can be solved, but just takes a bit longer. In that case I can compare against document root which has not had its symbolic links expanded.

    • This reply was modified 5 years, 5 months ago by rosell.dk.

    Is it possible to fix errors when replacing .jpg with .webm in a full-size image? /2019/06/image.jpg -> /2019/06/image.webm displays this error:
    Fatal error: Uncaught Error: Class 'WebPExpress\ValidateException' not found in .../webp-express/wod/webp-realizer.php:113 Stack trace: #0 .../webp-express/wod/webp-realizer.php(212): WebPExpress\WebPRealizer::process() #1 {main} thrown in /.../webp-express/wod/webp-realizer.php on line 113
    I have enabled: File Extension: Set to “.webp”

    Plugin Author rosell.dk

    (@roselldk)

    @youdidnt: Are you using 0.14.13 ?

    Oops forgot to update, it’s working in 0.14.13

    Plugin Author rosell.dk

    (@roselldk)

    I have fixed failures on systems with symlinked folders. At least on the test setup I have got. It is in the new release, 0.14.14

    David (@sultanicq): Can you please verify that it is fixed?

    Hi,

    It still fails, but I’ve managed to fix it. I’ll give you the solution to see if you think it’s right.

    On the one hand, I pass the content of the variable $webExpressContentDirAbs (“webp-on-demand.php approx. line 90”) through realpath function.

    $webExpressContentDirAbs = realpath( $webExpressContentDirAbs);

    Just before calling ConvertHelperIndependent::serveConverted I do the same with both “$source” and “$destination” vars (approx. line 211)

    $source = realpath( $source );
    $destination = realpath(dirname($destination)) . DIRECTORY_SEPARATOR . basename($destination);

    And now I can obtain webp images.

    Plugin Author rosell.dk

    (@roselldk)

    realpath(dirname($destination)) will work when the destination folder is the same as the source (because surely the dir exists, because the source file is supposed to be in that dir), but it will not work if it is separate.

    Even with the “destination folder” set to mingled, there are images that will be stored in a separate folder (any image that isn’t in the upload folder)

    So we need to come up with another solution

    • This reply was modified 5 years, 5 months ago by rosell.dk.
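
One way to check containment for a destination that does not exist yet under a symlinked document root, as an added example (not WebP Express code, and not necessarily the fix that shipped in 0.14.15): expand the deepest ancestor that exists, re-append the missing tail, and compare against the expanded document root. The function names, the temp-directory layout and the destination path are constructed for illustration and assume a POSIX system; the check accepts the missing destination and rejects the three paths that leave the root.

```php
<?php
// Added example; function names are hypothetical, not WebP Express code.

// Expand symlinks in an absolute $path whose last components may not exist yet.
function resolveDeepestExisting(string $path)
{
    $tail = [];
    $cur = rtrim($path, '/');
    // Walk up to the nearest ancestor that exists (a dangling symlink counts as existing).
    while ($cur !== '' && !file_exists($cur) && !is_link($cur)) {
        $name = basename($cur);
        if ($name === '.' || $name === '..') {
            return false; // cannot resolve dot segments below a missing directory
        }
        array_unshift($tail, $name);
        $cur = dirname($cur);
    }
    $real = realpath($cur === '' ? '/' : $cur); // false for a dangling symlink
    if ($real === false) {
        return false;
    }
    return $tail ? rtrim($real, '/') . '/' . implode('/', $tail) : $real;
}

// True when $path, with symlinks expanded, lies inside the expanded $docRoot.
function isInsideDocRoot(string $path, string $docRoot): bool
{
    $root = realpath($docRoot);
    $real = resolveDeepestExisting($path);
    if ($root === false || $real === false) {
        return false;
    }
    // Compare with a trailing slash so /srv/www-old is not taken for /srv/www.
    $root = rtrim($root, '/') . '/';
    return strncmp($real . '/', $root, strlen($root)) === 0;
}

// Constructed layout: <tmp>/real holds the files, <tmp>/docroot is a symlink to it.
$base = sys_get_temp_dir() . '/wod-demo-' . uniqid();
mkdir("$base/real/uploads", 0700, true);
symlink("$base/real", "$base/docroot");
$docRoot = "$base/docroot";
$dest = "$docRoot/webp-express/webp-images/2019/06/image.jpg.webp"; // not created yet

var_dump(realpath($dest));                                            // the problem: nothing to expand
var_dump(isInsideDocRoot($dest, $docRoot));                           // missing destination under the symlinked root
var_dump(isInsideDocRoot("$docRoot/uploads/../../x.webp", $docRoot)); // climbs out through existing dirs
var_dump(isInsideDocRoot("$docRoot/new/../../x.webp", $docRoot));     // dot segment below a missing dir
var_dump(isInsideDocRoot("$base/real-old/x.webp", $docRoot));         // sibling sharing the root's prefix
```

The result only holds at the moment of the check, so any missing directories should be created by the same code path right after it rather than assumed from the request.
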
    Plugin Author rosell.dk

    (@roselldk)

    @sultanicq: are you on Nginx or Apache? And have you located which of the methods for retrieving $source is used? I mean, which of these are executed in your setup?

    
    if (isset($_SERVER['HTTP_REQFN'])) {
      // this one? - passing through environment var
    }
    if (isset($_GET['xsource-rel'])) {
      // this one? - passing through Query String
    }
    if (
        (stripos($_SERVER["SERVER_SOFTWARE"], 'nginx') !== false) &&
        (isset($_GET['source']) || isset($_GET['xsource']))
    ) {
      // this one? - for Nginx
    } else {
      // or this one? - the fallback, using $_SERVER['REQUEST_URI']
    }
    
    Plugin Author rosell.dk

    (@roselldk)

    I’m closing in…

    It is the ConvertHelperIndependent::serveConverted who makes some checks for as well (overkill: yes).

    I’m changing the SanityCheck::absPathIsInDocRoot method so it both tries with realpath and without

    • This reply was modified 5 years, 5 months ago by rosell.dk.
    Plugin Author rosell.dk

    (@roselldk)

    @sultanicq: I think I have it working now. Can I email you the changed files so you can test it before I release it? You can email me at: [email protected]

    • This reply was modified 5 years, 5 months ago by rosell.dk.

    Neither of them. The $source is set from:

    $source = self::getEnvPassedInRewriteRule('REQFN');
    if ($source !== false) {
        $source = SanityCheck::absPathExistsAndIsFile($source);
        // ...
    }

    Plugin Author rosell.dk

    (@roselldk)

    Hopefully fixed in 0.14.15, which I just released

  • The topic ‘Sanity check failed for source: Path is outside allowed path’ is closed to new replies.