You are here

function update_manager_local_transfers_allowed in Drupal 10

Same name and namespace in other branches
  1. 8 core/modules/update/update.manager.inc \update_manager_local_transfers_allowed()
  2. 7 modules/update/update.manager.inc \update_manager_local_transfers_allowed()
  3. 9 core/modules/update/update.manager.inc \update_manager_local_transfers_allowed()

Determines if file transfers will be performed locally.

If the server is configured such that webserver-created files have the same owner as the configuration directory (e.g., sites/default) where new code will eventually be installed, the update manager can transfer files entirely locally, without changing their ownership (in other words, without prompting the user for FTP, SSH or other credentials).

This server configuration is an inherent security weakness because it allows a malicious webserver process to append arbitrary PHP code and then execute it. However, it is supported here because it is a common configuration on shared hosting, and there is nothing Drupal can do to prevent it.

Return value

TRUE if local file transfers are allowed on this server, or FALSE if not.

See also

install_check_requirements()

1 call to update_manager_local_transfers_allowed()
_update_manager_check_backends in core/modules/update/update.manager.inc
Checks for file transfer backends and prepares a form fragment about them.

File

core/modules/update/update.manager.inc, line 315
Administrative screens and processing functions of the Update Manager module.

Code

function update_manager_local_transfers_allowed() {
  $file_system = \Drupal::service('file_system');

  // Compare the owner of a webserver-created temporary file to the owner of
  // the configuration directory to determine if local transfers will be
  // allowed.
  $temporary_file = \Drupal::service('file_system')
    ->tempnam('temporary://', 'update_');
  $site_path = \Drupal::getContainer()
    ->getParameter('site.path');
  $local_transfers_allowed = fileowner($temporary_file) === fileowner($site_path);

  // Clean up. If this fails, we can ignore it (since this is just a temporary
  // file anyway).
  @$file_system
    ->unlink($temporary_file);
  return $local_transfers_allowed;
}