Author Topic: Unable to download extensions (Read 2919 times)

Martin Fuggle · December 03, 2014, 06:55:45 pm

When I try to download extensions I get the following warning/error:

WARNING: The downloader may be unable to download files which require HTTP redirection. This may be a configuration issue with PHP's open_basedir or safe_mode.

I am using Drupal 7 and CiviCRM 4.5.2. Before I make any changes I would like to understand why I am getting these errors now when they have not been present before (although I am not sure when!)

Any help would be appreciated.

Cheers
Martin Fuggle

totten · December 03, 2014, 09:39:09 pm

The root issue is that the extension downloader relies on php-curl to perform downloads, but php-curl has a limitation: php-curl does not support HTTP redirects ("CURLOPT_FOLLOWLOCATION") when PHP safe_mode/open_basedir is active. (This is, of course, a bizarre limitation in PHP.) safe_mode/open_basedir are not used by default on most systems, but some sysadmins prefer to use them.

This is an issue because many extensions are distributed through github.com; unfortunately, the download service on github.com generates HTTP redirects. Thus, many extensions cannot be downloaded if a system has PHP safe_mode/open_basedir.

Civi 4.5 attempts to detect this situation and generate semi-relevant messages. Specifically, it includes a test to see if a redirection is supported; if that test fails, then it will display warnings and avoid any attempts at redirection.

https://github.com/civicrm/civicrm-core/blob/4.5/CRM/Utils/HttpClient.php#L219
https://github.com/civicrm/civicrm-core/blob/4.5/CRM/Utils/HttpClient.php#L203

It's possible that your PHP runtime doesn't support redirects -- but you never had problems in 4.4 b/c you didn't download anything which actually required a redirect. It's also possible that isRedirectSupported() produces a false-negative on your system. The only way to figure out which is inspecting/hacking/experimenting with the conditionals in isRedirectSupported() on your particular system.

Ideally, one could make the whole problem go away by removing the reliance on php-curl's flaky CURLOPT_FOLLOWLOCATION. It's possible to write some PHP code which does the same thing as CURLOPT_FOLLOWLOCATION. (One might write a patch for CRM_Utils_HttpClient or bring in an alternative client like https://github.com/guzzle/guzzle ) But no one has had time/incentive to do the write+QA that.

(Related: https://issues.civicrm.org/jira/browse/CRM-14126 )

Martin Fuggle · December 03, 2014, 09:53:50 pm

Many thanks for such a comprehensive response. I have a dev copy running on my local machine and don't have the same issue. Obviously the Apache/Php settings are different in my dev and prod environments. Is there some way that I can change the safe_mode/open_basedir settings in the prod environment to solve this without side consequences?

totten · December 03, 2014, 10:58:20 pm

You can generally edit the php.ini for your webserver to disable open_basedir/safe_mode. The file location varies, so you might do a search like this (for most Linux distros):

Code: [Select]

grep -r safe_mode /etc/php* /etc/nginx* /etc/apache* /etc/http*
grep -r open_basedir /etc/php* /etc/nginx* /etc/apache* /etc/http*

Disabling safe_mode/open_basedir shouldn't break any functionality. However, it could have other consequences -- so it's good to understand what it is before disabling it.

http://php.net/manual/en/ini.sect.safe-mode.php#ini.safe-mode
http://php.net/manual/en/ini.core.php#ini.open-basedir

safe_mode/open_basedir is a security mechanism which puts PHP code in a sandbox. It was designed for shared-hosting (i.e. one webserver, one Unix user, but many different web/PHP applications which should not be allowed to interfere with each other) and may have some security benefit in other cases. But it's a hassle. Now-a-days, most people prefer other sandboxing techniques (virtualization, containers, mod_itk, fastcgi-with-different-users, AppArmor, etc) which are more comprehensive *and* less hassle. That doesn't make safe_mode pointless... if you need sandboxing and don't have anything else, then you might want to keep it around. But it is deprecated in PHP 5.3.

Upperholme · December 16, 2014, 01:34:17 am

I've had the same issues with open_basedir on one of the hosts I use. Interestingly Drupal seems happy enough to download modules without coming up against this issue. I wonder why CivicRM doesn't use the same approach?

Martin Fuggle · December 16, 2014, 01:47:36 am

Couldn't agree more. However this was never the case with CiviCRM in the past and I am not sure when or why it started.

Upperholme · December 16, 2014, 03:05:32 am

Chatting with my hosting provider on this issue: I think that on balance the use of open_basedir makes a lot of sense. And given totten's comment about removing the reliance on php-curl's flaky CURLOPT_FOLLOWLOCATION, to my mind it would be far better for CiviCRM to utilise approaches that don't rely on flaky foundations, and which also encourage users to remove perfectly sensible security features like open_basedir.

My current approach to this issue: I'm keeping open_basedir in place which improves security on my server, I'll work around the fact that that stance breaks Civi's UI, and will wait for CiviCRM to fix it.

totten · December 16, 2014, 03:57:26 am

Quote from: Upperholme on December 16, 2014, 01:34:17 am

Interestingly Drupal seems happy enough to download modules without coming up against this issue. I wonder why CivicRM doesn't use the same approach?

Quote from: totten on December 03, 2014, 09:39:09 pm

Ideally, one could make the whole problem go away by removing the reliance on php-curl's flaky CURLOPT_FOLLOWLOCATION. It's possible to write some PHP code which does the same thing as CURLOPT_FOLLOWLOCATION. (One might write a patch for CRM_Utils_HttpClient or bring in an alternative client like https://github.com/guzzle/guzzle ) But no one has had time/incentive to do the write+QA that.

Drupal does what I've suggested above -- they don't rely on php-curl (which is flaky and has this bug with open_basedir+FOLLOWLOCATION). Specifically, D4-D7 takes the first path: they wrote their own code to do the same thing ("drupal_http_request"). D8 takes the second path: it brings in an alternative client (Guzzle). It would be great for Civi to do either of these. We just need someone to do the legwork.

xavier · December 16, 2014, 06:14:38 am

For what I understand, It's not civi that relies on flaky foundation (arguably, curlopt_followlocation is weird to stop if safemode). I personally think open_basedir is NOT a good solution and as it's deprecated, it seems to be the majority opinion (probably why the followlocation hasn't been checked/corrected). If you want to improve the security of your server, they are other solutions that are way more effective.

But if you think replacing the curl based solution with something else is worthwhile, could you investigate further?

On my side, I'm toying with docker (so one container for nginx, one for mysql and one per website(fastcgi). Still haven't found a solution I like to manage the configuration, but as an approach seems much less flaky than open_basedir (that is deprecated and removed in php 5.4;)

X+

totten · December 16, 2014, 04:19:17 pm

re: docker: Agree that it looks pretty promising. It's a particularly nice idea to have a standard baseline vis-a-vis PHP versions/configurations/libraries so that we don't have to deal with edge-cases like this one, and so far Docker seems like the most vendor-neutral way to accomplish that. (You can run Docker on Debian/Ubuntu/Redhat; on a local machine, a dedicated server, and most public clouds; with puppet or chef or salt or nothing. The main gap -- OSX+Win support are weird.)

JoeMurray · March 18, 2015, 01:33:17 pm

So I've run into this for the first time today.

Checking with phpinfo() I see that I've properly set
safe_mode Off Off
and, after removing some stuff inserted by the control panel into Apache configuration files,
open_basedir no value no value

but still get the error.

It is making a difference, since the listed error is followed by:
Connection Error
The CiviCRM public extensions directory at https://civicrm.org/extdir/ver=4.5.5|cms=Drupal could not be contacted - please check your webserver can make external HTTP requests or contact CiviCRM team on CiviCRM forum.

and
No Extensions Available for this Version
There are currently no extensions on the CiviCRM public extension directory which are compatible with version 4.5.5 (requested extensions from here). If you want to install an extension which is not marked as compatible, you may be able to download and install extensions manually (depending on access to your web server).

As I don't have much time, I'm just going to manually download the extension I want to the server. But want to indicate this is a problem.

CiviCRM Community Forums (archive)

News:

Author Topic: Unable to download extensions (Read 2919 times)

Martin Fuggle

Unable to download extensions

totten

Re: Unable to download extensions

Martin Fuggle

Re: Unable to download extensions

totten

Re: Unable to download extensions

Upperholme

Re: Unable to download extensions

Martin Fuggle

Re: Unable to download extensions

Upperholme

Re: Unable to download extensions

totten

Re: Unable to download extensions

xavier

Re: Unable to download extensions

totten

Re: Unable to download extensions

JoeMurray

Re: Unable to download extensions