When you run a command with setCWD(...) (which ultimately resolves to a cwd parameter to proc_open()) and the process is unable to switch to the specified cwd, the command runs in the current CWD without raising any errors.
This script lists the current directory:
epriestley@orbital ~ $ cat test.php <?php $spec = array(); $pipes = array(); $result = proc_open( 'ls', $spec, $pipes, '/does/not/exist'); var_dump($result);
epriestley@orbital ~ $ php -f test.php resource(4) of type (process) ABBYY Desktop Dropbox Music dbdump.db out.2 test.php Applications Documents Library Pictures dev scans Creative Cloud Files Downloads Movies Public out.1 src
Normally this is okay-ish because most commands just fail when run in the wrong directory, but some commands (like git fetch +refs/*:refs/* or rm ...) may be very dangerous.
There doesn't seem to be any way to detect or prevent this that I can see. Ideally, proc_open would fail abruptly if changing the CWD failed. Two things we could do:
- Test if the CWD exists before running the command. It's still possible that the directory is removed between our check and the proc_open().
- Explicitly chdir() somewhere "safe" before running any CWD commands, so if they mess up they're less likely to destroy anything? This gets complicated because it's a side effect that the caller may not really expect or anticipate. We (probably?) don't rely on on CWD anywhere in web Phabricator, but the various CLI scripts do.