[Bug]: open_basedir restriction in effect

[Ap4uuk]

⚠️ This issue respects the following points: ⚠️

• This is a bug, not a question or a configuration/webserver/proxy issue.
• This issue is not already reported on Github OR Nextcloud Community Forum (I've searched it).
• Nextcloud Server is up to date. See Maintenance and Release Schedule for supported versions.
• I agree to follow Nextcloud's Code of Conduct.

Bug description

Good night. updated to Nextcloud Hub 8 beta (29.0.0 beta 3), we have the following problem, log spam error was passed/before applications, php 8.2 open_basedir=none or ;open_basedir configuration is not giving results, help(

Steps to reproduce

1. update to Nextcloud Hub 8 beta (29.0.0 beta 3)
2. check the system log

Expected behavior

1. update to Nextcloud Hub 8 beta (29.0.0 beta 3)
2. no error of this problem

Installation method

Community Web installer on a VPS or web space

Nextcloud Server version

29

Operating system

Debian/Ubuntu

PHP engine version

PHP 8.2

Web server

Apache (supported)

Database engine version

MySQL

Is this bug present after an update or on a fresh install?

Upgraded to a MAJOR version (ex. 22 to 23)

Are you using the Nextcloud Server Encryption module?

Encryption is Disabled

What user-backends are you using?

• Default user-backend (database)
• LDAP/ Active Directory
• SSO - SAML
• Other

Configuration report

{
    "system": {
        "passwordsalt": "***REMOVED SENSITIVE VALUE***",
        "secret": "***REMOVED SENSITIVE VALUE***",
        "trusted_domains": {
            "0": "localhost",
            "2": "nextcloud.imw-rpg.ru"
        },
        "datadirectory": "***REMOVED SENSITIVE VALUE***",
        "dbtype": "mysql",
        "version": "29.0.0.9",
        "overwrite.cli.url": "https:\/\/nextcloud.imw-rpg.ru\/",
        "dbname": "***REMOVED SENSITIVE VALUE***",
        "dbhost": "***REMOVED SENSITIVE VALUE***",
        "dbport": "",
        "dbtableprefix": "oc_",
        "mysql.utf8mb4": true,
        "dbuser": "***REMOVED SENSITIVE VALUE***",
        "dbpassword": "***REMOVED SENSITIVE VALUE***",
        "installed": true,
        "instanceid": "***REMOVED SENSITIVE VALUE***",
        "default_phone_region": "RU",
        "memcache.local": "\\OC\\Memcache\\APCu",
        "memcache.distributed": "\\OC\\Memcache\\Redis",
        "memcache.locking": "\\OC\\Memcache\\Redis",
        "redis": {
            "host": "***REMOVED SENSITIVE VALUE***",
            "port": 6379,
            "dbindex": 0,
            "password": "***REMOVED SENSITIVE VALUE***",
            "timeout": 1.5
        },
        "mail_from_address": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpmode": "smtp",
        "mail_sendmailmode": "smtp",
        "mail_domain": "***REMOVED SENSITIVE VALUE***",
        "mail_smtphost": "***REMOVED SENSITIVE VALUE***",
        "mail_smtpport": "465",
        "mail_smtpsecure": "ssl",
        "mail_smtpauth": 1,
        "mail_smtpname": "***REMOVED SENSITIVE VALUE***",
        "mail_smtppassword": "***REMOVED SENSITIVE VALUE***",
        "maintenance_window_start": "05:00 UTC",
        "maintenance": false,
        "theme": "",
        "loglevel": 3,
        "updater.release.channel": "beta",
        "twofactor_enforced": "false",
        "twofactor_enforced_groups": [],
        "twofactor_enforced_excluded_groups": [],
        "app_install_overwrite": [
            "richdocumentscode"
        ]
    }
}

List of activated Apps

Enabled:
  - activity: 2.21.1
  - admin_audit: 1.19.0
  - bruteforcesettings: 2.9.0
  - calendar: 4.7.0-beta.2
  - circles: 29.0.0-dev
  - cloud_federation_api: 1.12.0
  - comments: 1.19.0
  - contacts: 6.0.0-rc.1
  - contactsinteraction: 1.10.0
  - dashboard: 7.9.0
  - dav: 1.30.0
  - federatedfilesharing: 1.19.0
  - federation: 1.19.0
  - files: 2.1.0
  - files_accesscontrol: 1.19.0
  - files_automatedtagging: 1.19.0
  - files_downloadlimit: 2.0.0
  - files_external: 1.21.0
  - files_reminders: 1.2.0
  - files_sharing: 1.21.0
  - files_trashbin: 1.19.0
  - groupfolders: 17.0.0-beta.1
  - logreader: 2.14.0
  - lookup_server_connector: 1.17.0
  - mail: 3.6.0-beta.2
  - nextcloud_announcements: 1.18.0
  - notifications: 2.17.0
  - oauth2: 1.17.0
  - password_policy: 1.19.0
  - photos: 2.5.0
  - privacy: 1.13.0
  - provisioning_api: 1.19.0
  - serverinfo: 1.19.0
  - settings: 1.12.0
  - sharebymail: 1.19.0
  - spreed: 19.0.0-beta.2
  - support: 1.12.0
  - survey_client: 1.17.0
  - theming: 2.4.0
  - twofactor_backupcodes: 1.18.0
  - twofactor_totp: 11.0.0-dev
  - updatenotification: 1.19.1
  - user_status: 1.9.0
  - viewer: 2.3.0
  - weather_status: 1.9.0
  - workflowengine: 2.11.0
Disabled:
  - encryption: 2.17.0 (installed 2.17.0)
  - files_pdfviewer: 2.10.0 (installed 2.9.0)
  - files_versions: 1.22.0 (installed 1.21.0)
  - firstrunwizard: 2.18.0 (installed 2.17.0)
  - recommendations: 2.1.0 (installed 2.0.0)
  - related_resources: 1.4.0 (installed 1.3.0)
  - suspicious_login: 7.0.0
  - systemtags: 1.19.0 (installed 1.18.0)
  - text: 3.10.0 (installed 3.10.0)
  - user_ldap: 1.20.0

Nextcloud Signing status

No errors have been found.

Nextcloud Logs

[PHP] Error: is_file(): open_basedir restriction in effect. File(/home/amores/web/xxxxx/public_htmlapps//core/l10n/ru.js) is not within the allowed path(s): (/home/amores/.composer:/home/amores/web/xxxxx/public_html:/home/amores/web/xxxxx/private:/home/amores/web/xxxxx/public_shtml:/home/amores/tmp:/tmp:/var/www/html:/bin:/usr/bin:/usr/local/bin:/usr/share:/opt) at /home/amores/web/xxxxx/public_html/lib/private/Template/ResourceLocator.php#100
	GET /index.php/settings/admin/logging
	на xxxxx от Ap4uuk в 20 мар. 2024 г., 16:15:38
=======================================================================================================
{"reqId":"SymWdC61SCqFyK12mr40","level":3,"time":"2024-03-20T13:15:38+00:00","remoteAddr":"xxxxx","user":"Ap4uuk","app":"PHP","method":"GET","url":"/index.php/settings/admin/logging","message":"is_file(): open_basedir restriction in effect. File(/home/amores/web/xxxxx/public_htmlapps//core/l10n/ru.js) is not within the allowed path(s): (/home/amores/.composer:/home/amores/web/xxxxx/public_html:/home/amores/web/xxxxx/private:/home/amores/web/xxxxx/public_shtml:/home/amores/tmp:/tmp:/var/www/html:/bin:/usr/bin:/usr/local/bin:/usr/share:/opt) at /home/amores/web/xxxxx/public_html/lib/private/Template/ResourceLocator.php#100","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 YaBrowser/24.1.0.0 Safari/537.36","version":"29.0.0.9","data":{"app":"PHP"},"id":"65fae17b6c1ed"}

Additional info

config php =
; open_basedir, if set, limits all file operations to the defined directory
; and below.  This directive makes most sense if used in a per-directory
; or per-virtualhost web server configuration file.
; Note: disables the realpath cache
; http://php.net/open-basedir
;open_basedir = None

[SystemKeeper]

File(/home/amores/web/xxxxx/public_htmlapps//core/l10n/ru.js)

note the missing / between public_html and apps (also seen at the community)

@susnux Feels like this comes from 51ea3de#diff-e4e6e52eff461126ba40be8331fd739565e4325e80a6fcdd95f43c4fd8891681R55 ?

Seems like $SERVERROOT is always without a trailing slash:

server/lib/base.php

Line 601 in c451829

OC::$SERVERROOT = str_replace("\\", '/', substr(__DIR__, 0, -4));

Ref: https://www.php.net/manual/en/language.constants.magic.php#constant.dir

[susnux]

This was only moved, so it was already broken before. But I will of course have a look.

[SystemKeeper]

This was only moved, so it was already broken before.

I think it worked before, because a / was added at

server/lib/private/Template/ResourceLocator.php

Lines 99 to 105 in a7dfec0

	protected function appendIfExist($root, $file, $webRoot = null) {
	if ($root !== false && is_file($root.'/'.$file)) {
	$this->append($root, $file, $webRoot, false);
	return true;
	}
	return false;
	}