12175: Open base dir restriction disable export of xlsx - LimeSurvey bugs and feature requests

This bug affects 1 person(s).

ID	Project	Category	View Status	Date Submitted	Last Update

12175	Bug reports	Import/Export	public	2017-03-07 19:19	2017-03-07 23:41

Reporter	DenisChenu	Assigned To	DenisChenu
Priority	none	Severity	minor
Status	closed	Resolution	duplicate
Product Version	2.64.x

Summary	12175: Open base dir restriction disable export of xlsx
Description	xlsx export use /tmp as default temp directory : then Open base dir restriction disable export (white page with debug=0)
Steps To Reproduce	Set your open base dir restriction (or set a false ftm directory in vhost) Try to export
Additional Information	runtimePath is the good path to use For all export in fact : currently use tmp, but must use runtimePath for temporary files. Looking at xlsx code : seems file is not deleted too : must fix it.
Tags	No tags attached.
Attached Files	PHP warning.html (26,033 bytes) <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <title>PHP warning</title> <style type="text/css"> /<![CDATA[/ html,body,div,span,applet,object,iframe,h1,h2,h3,h4,h5,h6,p,blockquote,pre,a,abbr,acronym,address,big,cite,code,del,dfn,em,font,img,ins,kbd,q,s,samp,small,strike,strong,sub,sup,tt,var,b,u,i,center,dl,dt,dd,ol,ul,li,fieldset,form,label,legend,table,caption,tbody,tfoot,thead,tr,th,td{border:0;outline:0;font-size:100%;vertical-align:baseline;background:transparent;margin:0;padding:0;} body{line-height:1;} ol,ul{list-style:none;} blockquote,q{quotes:none;} blockquote:before,blockquote:after,q:before,q:after{content:none;} :focus{outline:0;} ins{text-decoration:none;} del{text-decoration:line-through;} table{border-collapse:collapse;border-spacing:0;} body { font: normal 9pt "Verdana"; color: #000; background: #fff; } h1 { font: normal 18pt "Verdana"; color: #f00; margin-bottom: .5em; } h2 { font: normal 14pt "Verdana"; color: #800000; margin-bottom: .5em; } h3 { font: bold 11pt "Verdana"; } pre { font: normal 11pt Menlo, Consolas, "Lucida Console", Monospace; } pre span.error { display: block; background: #fce3e3; } pre span.ln { color: #999; padding-right: 0.5em; border-right: 1px solid #ccc; } pre span.error-ln { font-weight: bold; } .container { margin: 1em 4em; } .version { color: gray; font-size: 8pt; border-top: 1px solid #aaa; padding-top: 1em; margin-bottom: 1em; } .message { color: #000; padding: 1em; font-size: 11pt; background: #f3f3f3; -webkit-border-radius: 10px; -moz-border-radius: 10px; border-radius: 10px; margin-bottom: 1em; line-height: 160%; } .source { margin-bottom: 1em; } .code pre { background-color: #ffe; margin: 0.5em 0; padding: 0.5em; line-height: 125%; border: 1px solid #eee; } .source .file { margin-bottom: 1em; font-weight: bold; } .traces { margin: 2em 0; } .trace { margin: 0.5em 0; padding: 0.5em; } .trace.app { border: 1px dashed #c00; } .trace .number { text-align: right; width: 2em; padding: 0.5em; } .trace .content { padding: 0.5em; } .trace .plus, .trace .minus { display:inline; vertical-align:middle; text-align:center; border:1px solid #000; color:#000; font-size:10px; line-height:10px; margin:0; padding:0 1px; width:10px; height:10px; } .trace.collapsed .minus, .trace.expanded .plus, .trace.collapsed pre { display: none; } .trace-file { cursor: pointer; padding: 0.2em; } .trace-file:hover { background: #f0ffff; } /]]>/ </style> </head> <body> <div class="container"> <h1>PHP warning</h1> <p class="message"> tempnam(): open_basedir restriction in effect. File(/tmp) is not within the allowed path(s): (/var/www/restricted) </p> <div class="source"> <p class="file">/var/www/restricted/survey/application/third_party/xlsx_writer/xlsxwriter.class.php(53)</p> <div class="code"><pre><span class="ln">41</span> public function __destruct() <span class="ln">42</span> { <span class="ln">43</span> if (!empty($this->temp_files)) { <span class="ln">44</span> foreach($this->temp_files as $temp_file) { <span class="ln">45</span> @unlink($temp_file); <span class="ln">46</span> } <span class="ln">47</span> } <span class="ln">48</span> } <span class="ln">49</span> <span class="ln">50</span> protected function tempFilename() <span class="ln">51</span> { <span class="ln">52</span> $tempdir = !empty($this->tempdir) ? $this->tempdir : sys_get_temp_dir(); <span class="error"><span class="ln error-ln">53</span> $filename = tempnam($tempdir, "xlsx_writer_"); </span><span class="ln">54</span> $this->temp_files[] = $filename; <span class="ln">55</span> return $filename; <span class="ln">56</span> } <span class="ln">57</span> <span class="ln">58</span> public function writeToStdOut() <span class="ln">59</span> { <span class="ln">60</span> $temp_file = $this->tempFilename(); <span class="ln">61</span> self::writeToFile($temp_file); <span class="ln">62</span> readfile($temp_file); <span class="ln">63</span> } <span class="ln">64</span> <span class="ln">65</span> public function writeToString() </pre></div> </div> <div class="traces"> <h2>Stack Trace</h2> <table style="width:100%;"> <tr class="trace app expanded"> <td class="number"> #0 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /var/www/restricted/survey/application/third_party/xlsx_writer/xlsxwriter.class.php(53): <strong>tempnam</strong>("/tmp", "xlsx_writer_") </div> <div class="code"><pre><span class="ln">48</span> } <span class="ln">49</span> <span class="ln">50</span> protected function tempFilename() <span class="ln">51</span> { <span class="ln">52</span> $tempdir = !empty($this->tempdir) ? $this->tempdir : sys_get_temp_dir(); <span class="error"><span class="ln error-ln">53</span> $filename = tempnam($tempdir, "xlsx_writer_"); </span><span class="ln">54</span> $this->temp_files[] = $filename; <span class="ln">55</span> return $filename; <span class="ln">56</span> } <span class="ln">57</span> <span class="ln">58</span> public function writeToStdOut() </pre></div> </td> </tr> <tr class="trace app expanded"> <td class="number"> #1 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /var/www/restricted/survey/application/third_party/xlsx_writer/xlsxwriter.class.php(117): <strong>XLSXWriter</strong>-><strong>tempFilename</strong>() </div> <div class="code"><pre><span class="ln">112</span> { <span class="ln">113</span> //if already initialized <span class="ln">114</span> if ($this->current_sheet==$sheet_name \|\| isset($this->sheets[$sheet_name])) <span class="ln">115</span> return; <span class="ln">116</span> <span class="error"><span class="ln error-ln">117</span> $sheet_filename = $this->tempFilename(); </span><span class="ln">118</span> $sheet_xmlname = 'sheet' . (count($this->sheets) + 1).".xml"; <span class="ln">119</span> $this->sheets[$sheet_name] = (object)array( <span class="ln">120</span> 'filename' => $sheet_filename, <span class="ln">121</span> 'sheetname' => $sheet_name, <span class="ln">122</span> 'xmlname' => $sheet_xmlname, </pre></div> </td> </tr> <tr class="trace app expanded"> <td class="number"> #2 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /var/www/restricted/survey/application/third_party/xlsx_writer/xlsxwriter.class.php(205): <strong>XLSXWriter</strong>-><strong>initializeSheet</strong>("OLD SG GTS 2016") </div> <div class="code"><pre><span class="ln">200</span> public function writeSheetRow($sheet_name, array $row, $style=null) <span class="ln">201</span> { <span class="ln">202</span> if (empty($sheet_name) \|\| empty($row)) <span class="ln">203</span> return; <span class="ln">204</span> <span class="error"><span class="ln error-ln">205</span> self::initializeSheet($sheet_name); </span><span class="ln">206</span> $sheet = &$this->sheets[$sheet_name]; <span class="ln">207</span> if (empty($sheet->columns)) <span class="ln">208</span> { <span class="ln">209</span> $sheet->columns = $this->initializeColumnTypes( array_fill($from=0, $until=count($row), 'GENERAL') );//will map to n_auto <span class="ln">210</span> } </pre></div> </td> </tr> <tr class="trace app collapsed"> <td class="number"> #3 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /var/www/restricted/survey/application/helpers/admin/export/ExcelWriter.php(62): <strong>XLSXWriter</strong>-><strong>writeSheetRow</strong>("OLD SG GTS 2016", array("Response ID", "Date submitted", "Last page", "Start language", ...)) </div> <div class="code"><pre><span class="ln">57</span> protected function outputRecord($headers, $values, FormattingOptions $oOptions) <span class="ln">58</span> { <span class="ln">59</span> if (!$this->hasOutputHeader) <span class="ln">60</span> { <span class="ln">61</span> $columnCounter = 0; <span class="error"><span class="ln error-ln">62</span> $this->workbook->writeSheetRow($this->currentSheet, $headers ); </span><span class="ln">63</span> $this->hasOutputHeader = true; <span class="ln">64</span> } <span class="ln">65</span> $this->workbook->writeSheetRow($this->currentSheet, $values ); <span class="ln">66</span> } <span class="ln">67</span> </pre></div> </td> </tr> <tr class="trace app collapsed"> <td class="number"> #4 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /var/www/restricted/survey/application/helpers/admin/export/Writer.php(339): <strong>ExcelWriter</strong>-><strong>outputRecord</strong>(array("Response ID", "Date submitted", "Last page", "Start language", ...), array("1637", "2016-05-23 12:12:30", "1", "en", ...), FormattingOptions) </div> <div class="code"><pre><span class="ln">334</span> $elementArray[]=$value; <span class="ln">335</span> } <span class="ln">336</span> } <span class="ln">337</span> if ($oOptions->output=='display') <span class="ln">338</span> { <span class="error"><span class="ln error-ln">339</span> $this->outputRecord($headers, $elementArray, $oOptions); </span><span class="ln">340</span> } else { <span class="ln">341</span> $sFile.=$this->outputRecord($headers, $elementArray, $oOptions); <span class="ln">342</span> } <span class="ln">343</span> } <span class="ln">344</span> return $sFile; </pre></div> </td> </tr> <tr class="trace app collapsed"> <td class="number"> #5 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /var/www/restricted/survey/application/helpers/admin/exportresults_helper.php(111): <strong>Writer</strong>-><strong>write</strong>(SurveyObj, "en", FormattingOptions, true) </div> <div class="code"><pre><span class="ln">106</span> $survey = $surveyDao->loadSurveyById($iSurveyId, $sLanguageCode); <span class="ln">107</span> $writer->init($survey, $sLanguageCode, $oOptions); <span class="ln">108</span> <span class="ln">109</span> $surveyDao->loadSurveyResults($survey, $oOptions->responseMinRecord, $oOptions->responseMaxRecord, $sFilter, $oOptions->responseCompletionState); <span class="ln">110</span> <span class="error"><span class="ln error-ln">111</span> $writer->write($survey, $sLanguageCode, $oOptions,true); </span><span class="ln">112</span> $result = $writer->close(); <span class="ln">113</span> <span class="ln">114</span> // Close resultset if needed <span class="ln">115</span> if ($survey->responses instanceof CDbDataReader) { <span class="ln">116</span> $survey->responses->close(); </pre></div> </td> </tr> <tr class="trace app collapsed"> <td class="number"> #6 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /var/www/restricted/survey/application/controllers/admin/export.php(315): <strong>ExportSurveyResultsService</strong>-><strong>exportSurvey</strong>("86654", "en", "xls", FormattingOptions, ...) </div> <div class="code"><pre><span class="ln">310</span> } <span class="ln">311</span> else <span class="ln">312</span> $sFilter=''; <span class="ln">313</span> <span class="ln">314</span> viewHelper::disableHtmlLogging(); <span class="error"><span class="ln error-ln">315</span> $resultsService->exportSurvey($iSurveyID, $explang, $sExportType, $options, $sFilter); </span><span class="ln">316</span> <span class="ln">317</span> exit; <span class="ln">318</span> } <span class="ln">319</span> <span class="ln">320</span> /* </pre></div> </td> </tr> <tr class="trace core collapsed"> <td class="number"> #7 </td> <td class="content"> <div class="trace-file">  unknown(0): <strong>export</strong>-><strong>exportresults</strong>() </div> </td> </tr> <tr class="trace core collapsed"> <td class="number"> #8 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /var/www/restricted/survey/framework/web/actions/CAction.php(109): <strong>ReflectionMethod</strong>-><strong>invokeArgs</strong>(export, array()) </div> <div class="code"><pre><span class="ln">104</span> elseif($param->isDefaultValueAvailable()) <span class="ln">105</span> $ps[]=$param->getDefaultValue(); <span class="ln">106</span> else <span class="ln">107</span> return false; <span class="ln">108</span> } <span class="error"><span class="ln error-ln">109</span> $method->invokeArgs($object,$ps); </span><span class="ln">110</span> return true; <span class="ln">111</span> } <span class="ln">112</span> } </pre></div> </td> </tr> <tr class="trace app collapsed"> <td class="number"> #9 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /var/www/restricted/survey/application/core/Survey_Common_Action.php(99): <strong>CAction</strong>-><strong>runWithParamsInternal</strong>(export, ReflectionMethod, array("sa" => "exportresults", "surveyid" => "86654", "statfilter" => "", "iSurveyId" => "86654", ...)) </div> <div class="code"><pre><span class="ln">094</span> $oMethod = new ReflectionMethod($this, $sDefault); <span class="ln">095</span> } <span class="ln">096</span> <span class="ln">097</span> // We're all good to go, let's execute it <span class="ln">098</span> // runWithParamsInternal would automatically get the parameters of the method and populate them as required with the params <span class="error"><span class="ln error-ln">099</span> return parent::runWithParamsInternal($this, $oMethod, $params); </span><span class="ln">100</span> } <span class="ln">101</span> <span class="ln">102</span> /** <span class="ln">103</span> * Some functions have different parameters, which are just an alias of the <span class="ln">104</span> * usual parameters we're getting in the url. This function just populates </pre></div> </td> </tr> <tr class="trace core collapsed"> <td class="number"> #10 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /var/www/restricted/survey/framework/web/CController.php(308): <strong>Survey_Common_Action</strong>-><strong>runWithParams</strong>(array("sa" => "exportresults", "surveyid" => "86654", "statfilter" => "")) </div> <div class="code"><pre><span class="ln">303</span> { <span class="ln">304</span> $priorAction=$this->_action; <span class="ln">305</span> $this->_action=$action; <span class="ln">306</span> if($this->beforeAction($action)) <span class="ln">307</span> { <span class="error"><span class="ln error-ln">308</span> if($action->runWithParams($this->getActionParams())===false) </span><span class="ln">309</span> $this->invalidActionParams($action); <span class="ln">310</span> else <span class="ln">311</span> $this->afterAction($action); <span class="ln">312</span> } <span class="ln">313</span> $this->_action=$priorAction; </pre></div> </td> </tr> <tr class="trace core collapsed"> <td class="number"> #11 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /var/www/restricted/survey/framework/web/CController.php(286): <strong>CController</strong>-><strong>runAction</strong>(export) </div> <div class="code"><pre><span class="ln">281</span> * @see runAction <span class="ln">282</span> / <span class="ln">283</span> public function runActionWithFilters($action,$filters) <span class="ln">284</span> { <span class="ln">285</span> if(empty($filters)) <span class="error"><span class="ln error-ln">286</span> $this->runAction($action); </span><span class="ln">287</span> else <span class="ln">288</span> { <span class="ln">289</span> $priorAction=$this->_action; <span class="ln">290</span> $this->_action=$action; <span class="ln">291</span> CFilterChain::create($this,$action,$filters)->run(); </pre></div> </td> </tr> <tr class="trace core collapsed"> <td class="number"> #12 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /var/www/restricted/survey/framework/web/CController.php(265): <strong>CController</strong>-><strong>runActionWithFilters</strong>(export, array()) </div> <div class="code"><pre><span class="ln">260</span> { <span class="ln">261</span> if(($parent=$this->getModule())===null) <span class="ln">262</span> $parent=Yii::app(); <span class="ln">263</span> if($parent->beforeControllerAction($this,$action)) <span class="ln">264</span> { <span class="error"><span class="ln error-ln">265</span> $this->runActionWithFilters($action,$this->filters()); </span><span class="ln">266</span> $parent->afterControllerAction($this,$action); <span class="ln">267</span> } <span class="ln">268</span> } <span class="ln">269</span> else <span class="ln">270</span> $this->missingAction($actionID); </pre></div> </td> </tr> <tr class="trace app collapsed"> <td class="number"> #13 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /var/www/restricted/survey/application/controllers/AdminController.php(159): <strong>CController</strong>-><strong>run</strong>("export") </div> <div class="code"><pre><span class="ln">154</span> $this->redirect(array('/admin/authentication/sa/login')); <span class="ln">155</span> } <span class="ln">156</span> <span class="ln">157</span> } <span class="ln">158</span> <span class="error"><span class="ln error-ln">159</span> return parent::run($action); </span><span class="ln">160</span> } <span class="ln">161</span> <span class="ln">162</span> /* <span class="ln">163</span> * Routes all the actions to their respective places <span class="ln">164</span> * </pre></div> </td> </tr> <tr class="trace core collapsed"> <td class="number"> #14 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /var/www/restricted/survey/framework/web/CWebApplication.php(282): <strong>AdminController</strong>-><strong>run</strong>("export") </div> <div class="code"><pre><span class="ln">277</span> { <span class="ln">278</span> list($controller,$actionID)=$ca; <span class="ln">279</span> $oldController=$this->_controller; <span class="ln">280</span> $this->_controller=$controller; <span class="ln">281</span> $controller->init(); <span class="error"><span class="ln error-ln">282</span> $controller->run($actionID); </span><span class="ln">283</span> $this->_controller=$oldController; <span class="ln">284</span> } <span class="ln">285</span> else <span class="ln">286</span> throw new CHttpException(404,Yii::t('yii','Unable to resolve the request "{route}".', <span class="ln">287</span> array('{route}'=>$route===''?$this->defaultController:$route))); </pre></div> </td> </tr> <tr class="trace core collapsed"> <td class="number"> #15 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /var/www/restricted/survey/framework/web/CWebApplication.php(141): <strong>CWebApplication</strong>-><strong>runController</strong>("admin/export") </div> <div class="code"><pre><span class="ln">136</span> foreach(array_splice($this->catchAllRequest,1) as $name=>$value) <span class="ln">137</span> $_GET[$name]=$value; <span class="ln">138</span> } <span class="ln">139</span> else <span class="ln">140</span> $route=$this->getUrlManager()->parseUrl($this->getRequest()); <span class="error"><span class="ln error-ln">141</span> $this->runController($route); </span><span class="ln">142</span> } <span class="ln">143</span> <span class="ln">144</span> /** <span class="ln">145</span> * Registers the core application components. <span class="ln">146</span> * This method overrides the parent implementation by registering additional core components. </pre></div> </td> </tr> <tr class="trace core collapsed"> <td class="number"> #16 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /var/www/restricted/survey/framework/base/CApplication.php(184): <strong>CWebApplication</strong>-><strong>processRequest</strong>() </div> <div class="code"><pre><span class="ln">179</span> public function run() <span class="ln">180</span> { <span class="ln">181</span> if($this->hasEventHandler('onBeginRequest')) <span class="ln">182</span> $this->onBeginRequest(new CEvent($this)); <span class="ln">183</span> register_shutdown_function(array($this,'end'),0,false); <span class="error"><span class="ln error-ln">184</span> $this->processRequest(); </span><span class="ln">185</span> if($this->hasEventHandler('onEndRequest')) <span class="ln">186</span> $this->onEndRequest(new CEvent($this)); <span class="ln">187</span> } <span class="ln">188</span> <span class="ln">189</span> /** </pre></div> </td> </tr> <tr class="trace app collapsed"> <td class="number"> #17 </td> <td class="content"> <div class="trace-file"> <div class="plus">+</div> <div class="minus">–</div>  /var/www/restricted/survey/index.php(211): <strong>CApplication</strong>-><strong>run</strong>() </div> <div class="code"><pre><span class="ln">206</span> die (sprintf('%s should be writable by the webserver (766 or 776).', $runtimePath)); <span class="ln">207</span> } <span class="ln">208</span> } <span class="ln">209</span> <span class="ln">210</span> Yii::$enableIncludePath = false; <span class="error"><span class="ln error-ln">211</span> Yii::createApplication('LSYii_Application', $config)->run(); </span><span class="ln">212</span> <span class="ln">213</span> /* End of file index.php / <span class="ln">214</span> / Location: ./index.php / </pre></div> </td> </tr> </table> </div> <div class="version"> 2017-03-07 18:12:02 Apache <a href="http://www.yiiframework.com/">Yii Framework</a>/1.1.16 </div> </div> <script type="text/javascript"> /<![CDATA[/ var traceReg = new RegExp("(^\|\\s)trace-file(\\s\|$)"); var collapsedReg = new RegExp("(^\|\\s)collapsed(\\s\|$)"); var e = document.getElementsByTagName("div"); for(var j=0,len=e.length;j<len;j++){ if(traceReg.test(e[j].className)){ e[j].onclick = function(){ var trace = this.parentNode.parentNode; if(collapsedReg.test(trace.className)) trace.className = trace.className.replace("collapsed", "expanded"); else trace.className = trace.className.replace("expanded", "collapsed"); } } } /]]>*/ </script> </body> </html> PHP warning.html (26,033 bytes)

Bug heat	2
Complete LimeSurvey version number (& build)	2.64.0
I will donate to the project if issue is resolved	No
Browser	n
Database type & version	not relevant
Server OS (if known)	linux (?)
Webserver software & version (if known)	apache
PHP Version	php ?

User List	There are no users monitoring this issue.

Date Modified	Username	Field	Change
2017-03-07 19:19	DenisChenu	New Issue
2017-03-07 19:19	DenisChenu	File Added: PHP warning.html
2017-03-07 19:19	DenisChenu	Assigned To	=> DenisChenu
2017-03-07 19:19	DenisChenu	Status	new => assigned
2017-03-07 23:41	DenisChenu	Relationship added	duplicate of 11285
2017-03-07 23:41	DenisChenu	Status	assigned => closed
2017-03-07 23:41	DenisChenu	Resolution	open => duplicate
2017-03-07 23:41	DenisChenu	Note Added: 43202

View Issue Details

Relationships

Users monitoring this issue

Activities

Issue History

DenisChenu 2017-03-07 23:41 developer ~43202	Seems i didn't update to last master :/