lessphp icon indicating copy to clipboard operation
lessphp copied to clipboard

Published 20 hours ago verified publisher icon leafo

http/https @import

Open vanderlee opened this issue 12 years ago • 5 comments

Current implementation may fail with @import statements of http:// and https:// URLs on open_basedir restrictions.

I've noticed a pull request for this issue, but it is a year old. Is there any chance of seeing this bug fixed any time soon or is there any fork which does keep up to date with bug fixes?

vanderlee avatar May 23 '13 20:05 vanderlee

I see less.js supports this now, I don't think it was a feature back when the original pull request was opened. I'll review the pull request again.

leafo avatar May 23 '13 21:05 leafo

Hi, I think I found solution. The $importDir should be an array, not an empty string:

    public $importDir = array();

Seems it's being manipulated by as an array, for example

        $this->importDir = (array)$this->importDir;
        array_unshift($this->importDir, $importDir);

and so it becomes

Array(
    [0] => ''
    [1] => 'realpath'
)

Later on in protected function findImport($url) this made up absolute paths like /../../../media/jui/less/reset.less which are out of open_basedir.

Another related Issue: findImport() issue

More details here: Warning: is_file is not within the allowed path(s)

piotr-cz avatar Jul 04 '13 09:07 piotr-cz

Ahh.. it works with the above solution - could this be implemented in the next release ?

rbuelund avatar Aug 26 '13 13:08 rbuelund

This still seems to be an issue, is there a particular reason the above solution has not been applied?

jamesjwarren avatar Aug 06 '14 16:08 jamesjwarren

I think the issue in \lessc::compileFile:

$this->importDir[] = realpath($pi['dirname']).'/';

realpath can return false, and $this->importDir will get '/'.

Directory also should be readable (executable, -x permission).

stepanselyuk avatar Dec 04 '14 05:12 stepanselyuk