View Issue Details

Related ChangesetsJump to NotesJump to History
This bug affects 1 person(s).
 252
IDProjectCategoryView StatusDate SubmittedLast Update
12011Feature requestsSecuritypublic2016-12-19 18:122017-09-22 10:59
ReporterDenisChenu Assigned ToDenisChenu  
PrioritynoneSeverityfeature 
Status closedResolutionfixed 
Fixed in Version2.x.x 
Summary12011: Need an updatable runtime path
Description

Currently all files in tmp are accessible by default.

For example : log files is saved in temp/runtime, template preview file in tmp

tmp/assets : must be public , web accessible
tmp/runtime : can contain information not to be published and can be private
tmp/upload : can contain information not to be published and can be private

Additional Information

Then i try to set tmp directory out of access : there only onse settings ... then assets must be in this directory too ....

In Yii runtime are in protected directory. It's difficult to set it elsewhere BY DEFAULT, but allow admin user to really secure LS seems a good idea.

PS : if we can move whole PHP file anywhere else it can be better (protected directory of Yii), but it's really more work.

Maybe use 2 tmps directory ? Default is the same ./tmp/ but runtime use $config['privatetmp'] and assets $config['tmp']

TagsNo tags attached.
Bug heat252
Story point estimate
Users affected %

Relationships

Relationship GraphDependency Graph
related to 12018 closedDenisChenu Bug reports Cache files are world-writable 

Users monitoring this issue

There are no users monitoring this issue.

Activities

DenisChenu

DenisChenu

2016-12-19 18:16

developer   ~42566

@ollehar : to really protect a directory files from web : the only solution ar to put out of directory of host (see php session file for example).

Then , the idea config-default:
$config['tempdirsecure'] = $config['tempdir'];

After just use tempdir when set runtime path or upload path (or some other).

By default : leave like curretly, but with manual: we can easily explain how to secure more LS.
ANd with some config.php instruction more.
DenisChenu

DenisChenu

2016-12-22 11:34

developer   ~42593

Maybe we just need
$config['runtimepath'] = $config[''tempdir''].'/runtime/';

See https://github.com/LimeSurvey/LimeSurvey/blob/master/application/core/LSYii_Application.php#L61

And we can do same for asset (but very less necessary)
DenisChenu

DenisChenu

2017-01-03 08:59

developer   ~42612

Fix committed to develop branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=21888
DenisChenu

DenisChenu

2017-01-03 09:09

developer   ~42613

https://manual.limesurvey.org/index.php?title=Optional_settings&type=revision&diff=69431&oldid=69362
DenisChenu

DenisChenu

2017-01-20 08:17

developer   ~42782

In fact : Yii already offer to set runtimePath : then best solution are :
set to $settings['tempdir'].'/runtime' only if it's not already set.

I do it for master and merge in develop after (because i know what problem happen : i update code at same place ).
DenisChenu

DenisChenu

2017-01-20 11:43

developer   ~42786

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=22153
DenisChenu

DenisChenu

2017-01-31 23:54

developer   ~42925

Fix committed to develop branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=22225
DenisChenu

DenisChenu

2017-02-20 17:28

developer   ~43038

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=22339

Related Changesets

LimeSurvey: develop 3a83f96f

2017-01-03 09:57

DenisChenu


Details Diff		 New feature 12011: updatable runtime path
Dev: todo : manual update		 Affected Issues
12011
mod - application/commands/console.php Diff File
mod - application/config/config-defaults.php Diff File
mod - application/core/LSYii_Application.php Diff File

LimeSurvey: master 64d7240f

2017-01-20 12:39

DenisChenu


Details Diff		 New feature 12011 : allow user to set runtimePath (Yii way) Affected Issues
12011
mod - application/controllers/InstallerController.php Diff File
mod - application/core/LSYii_Application.php Diff File

LimeSurvey: develop 1878a118

2017-02-01 00:39

DenisChenu


Details Diff		 New feature 12095 assetUrl and assetPath can be set in config.php
New feature 12011 : allow user to set runtimePath (Yii way)		 Affected Issues
12011, 12095
mod - application/config/config-defaults.php Diff File
mod - application/core/LSYii_Application.php Diff File
mod - index.php Diff File

LimeSurvey: master 9b45ea98

2017-02-20 18:23

DenisChenu


Details Diff		 Dev: New feature 12011 for console too
Dev: better system in develop, then quick fix		 Affected Issues
12011
mod - application/commands/console.php Diff File

Issue History

Date Modified Username Field Change
2016-12-19 18:12 DenisChenu New Issue
2016-12-19 18:16 DenisChenu Note Added: 42566
2016-12-22 02:06 DenisChenu Relationship added related to 12018
2016-12-22 11:34 DenisChenu Note Added: 42593
2016-12-25 15:49 DenisChenu Summary Separate tmp/public and tmp/private|protected => Need an updatatle runtime path
2016-12-25 15:49 DenisChenu Assigned To => DenisChenu
2016-12-25 15:49 DenisChenu Status new => assigned
2016-12-25 16:39 DenisChenu Summary Need an updatatle runtime path => Need an updatable runtime path
2017-01-03 08:59 DenisChenu Changeset attached => LimeSurvey develop 3a83f96f
2017-01-03 08:59 DenisChenu Note Added: 42612
2017-01-03 08:59 DenisChenu Resolution open => fixed
2017-01-03 08:59 DenisChenu Status assigned => resolved
2017-01-03 08:59 DenisChenu Fixed in Version => 3.0
2017-01-03 09:09 DenisChenu Status resolved => feedback
2017-01-03 09:09 DenisChenu Resolution fixed => reopened
2017-01-03 09:09 DenisChenu Note Added: 42613
2017-01-03 09:09 DenisChenu Status feedback => resolved
2017-01-03 09:09 DenisChenu Resolution reopened => fixed
2017-01-20 08:17 DenisChenu Status resolved => feedback
2017-01-20 08:17 DenisChenu Resolution fixed => reopened
2017-01-20 08:17 DenisChenu Note Added: 42782
2017-01-20 08:17 DenisChenu Status feedback => new
2017-01-20 08:17 DenisChenu Status new => assigned
2017-01-20 11:43 DenisChenu Changeset attached => LimeSurvey master 64d7240f
2017-01-20 11:43 DenisChenu Note Added: 42786
2017-01-21 14:02 DenisChenu Status assigned => resolved
2017-01-21 14:02 DenisChenu Resolution reopened => fixed
2017-01-21 14:02 DenisChenu Fixed in Version 3.0 =>
2017-01-31 23:54 DenisChenu Changeset attached => LimeSurvey develop 1878a118
2017-01-31 23:54 DenisChenu Note Added: 42925
2017-02-20 17:28 DenisChenu Changeset attached => LimeSurvey master 9b45ea98
2017-02-20 17:28 DenisChenu Note Added: 43038
2017-09-22 10:59 c_schmitz Status resolved => closed
2017-09-22 10:59 c_schmitz Fixed in Version => 2.x.x