View Issue Details

ID: 16613
Project: Bug reports
Category: Plugins
View Status: public
Last Update: 2020-09-17 17:04
Reporter: Dietrich Streifert
Assigned To: eddylackmann
Priority: normal
Severity: minor
Status: feedback
Resolution: open
Product Version: 4.3.10
Summary: 16613: plugin manager omits installation of files in path upload/plugins/limeMpdf/views/subview/svg when installing limeMpdf
Description

I've installed the limeMpdf plugin from https://gitlab.com/SondagesPro/coreAndTools/limeMpdf and used the test links offered in the Plugin Manager on the limeMpdf plugin's settings tab.

The tests do not work because files contained in the installation zip file are not copied to the target path upload/plugins/limeMpdf/views/subview/svg.

Manually installing those files from the zip resolved the problem.

Steps To Reproduce

  1. Download the limeMpdf plugin installation file from https://dl.sondages.pro/limeMpdf.zip
  2. Install it with the LimeSurvey Plugin manager found under "Configuration" -> "Settings" -> "Plugin manager", using the button "Install ZIP".
  3. After installation, find the plugin "llimePDF" in the plugin list and click on that line to open the "Settings" tab of the plugin.
  4. Click on one of the displayed demonstration links.
  5. See the error message "Server Error 500".

Tags: No tags attached.
Complete LimeSurvey version number (& build): Version 4.3.10+200812
I will donate to the project if issue is resolved: No
Browser:
Database & DB-Version: irrelevant
Server OS (if known):
Webserver software & version (if known):
PHP Version: 7.3

Activities

Dietrich Streifert (reporter), 2020-08-24 12:50, note ~59587

See SondagesPro issue https://gitlab.com/SondagesPro/coreAndTools/limeMpdf/-/issues/3

eddylackmann (developer), 2020-09-10 11:18, note ~59767

Hi,

In LS4, uploading SVG files is restricted for security reasons. The files will be deleted after unzip. So the plugin developer should replace the SVG files (even if they are integrated in a twig file) with PNG or JPEG files. But you have the possibility to upload them manually (at your own risk) to your own host.

DenisChenu (developer), 2020-09-15 16:42, note ~59829 (last edited 2020-09-15 16:43)

@eddylackmann: it's plugin upload, not template upload …

Plugin upload already allows PHP files …

And here it's a twig file with SVG content …

DenisChenu (developer), 2020-09-15 16:43, note ~59830

I check: but I think renaming .svg.twig to _svg.twig can work …

DenisChenu (developer), 2020-09-17 16:07, note ~59862

@eddylackmann: I confirm: the same file renamed with .svg.twig: it's OK.

  1. Any file with .svg inside: deleted: this is a bad control …
  2. You can not allow PHP files but disallow SVG

DenisChenu (developer), 2020-09-17 16:10, note ~59863

> In LS4 Uploading SVG Files are restricted for security reasons.

You can not allow PHP (and JS) files but not SVG.

> They files will be deleted after unzip.

It's false here: any file containing .svg in its name seems to be deleted (I can create a sample plugin).

> But you have the possibility to upload it manually (At your own risk) to your own host.

We already show an alert about plugins: the plugin contains PHP files. More risk than an XSS here …

DenisChenu (developer), 2020-09-17 17:03, note ~59864

Attachment: svgPlugin.zip (1,571 bytes)

DenisChenu (developer), 2020-09-17 17:04, note ~59865

    // Plugin hook from the sample plugin: refuse activation when a file whose
    // name contains ".svg" was not kept by the plugin manager after unzip.
    public function beforeActivate()
    {
        // Look in the plugin's own directory, not the process working directory
        $checkFile = is_file(__DIR__ . "/checkexist.svg.txt");
        if (!$checkFile) {
            $this->getEvent()->set("success", false);
            $this->getEvent()->set("message", "The file didn't exist");
        }
    }
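As an added illustration (not LimeSurvey's or limeMpdf's own code) of the distinction DenisChenu draws in notes ~59862 and ~59863, the following PHP contrasts a substring test on the file name, which flags icon.svg.twig and checkexist.svg.txt along with real SVG files, with a check on the file's actual final extension; the function names, the blocklist and the sample file names are constructed for the example.

```php
<?php
// Added example, not LimeSurvey or limeMpdf code. Contrasts the substring
// test the thread describes ("any file with .svg inside is deleted") with a
// check on the file's actual final extension. Function names, the blocklist
// and the sample names are constructed for this illustration.
declare(strict_types=1);

/**
 * Substring control: flags any name containing ".svg" anywhere, so a twig
 * template such as icon.svg.twig or a text file such as checkexist.svg.txt
 * is flagged together with real SVG files.
 */
function flaggedBySubstring(string $name): bool
{
    return stripos($name, '.svg') !== false;
}

/**
 * Extension control: flags a name only when its final extension is in the
 * blocklist (compared case-insensitively). icon.svg.twig ends in .twig and
 * is therefore kept; icon_svg.twig never contained ".svg" at all.
 */
function flaggedByExtension(string $name, array $blockedExtensions): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $blockedExtensions, true);
}

/** Apply both controls to a list of names; returns name => verdicts. */
function compareControls(array $names, array $blockedExtensions): array
{
    $result = [];
    foreach ($names as $name) {
        $result[$name] = [
            'substring' => flaggedBySubstring($name),
            'extension' => flaggedByExtension($name, $blockedExtensions),
        ];
    }
    return $result;
}

// Constructed sample of names a plugin zip might contain.
$blocked = ['svg', 'svgz'];
$samples = ['logo.svg', 'LOGO.SVG', 'icon.svg.twig', 'icon_svg.twig',
            'checkexist.svg.txt', 'style.css'];
foreach (compareControls($samples, $blocked) as $name => $verdict) {
    printf("%-20s substring:%-5s extension:%s\n", $name,
        $verdict['substring'] ? 'flag' : 'keep',
        $verdict['extension'] ? 'flag' : 'keep');
}
```

Both variants are blocklists; as note ~59863 points out, an upload that already admits PHP files gains little from either.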

Issue History

Date Modified Username Field Change
2020-08-24 12:42 Dietrich Streifert New Issue
2020-08-24 12:50 Dietrich Streifert Note Added: 59587
2020-08-26 15:29 cdorin Assigned To => eddylackmann
2020-08-26 15:29 cdorin Priority none => normal
2020-08-26 15:29 cdorin Status new => confirmed
2020-09-10 11:18 eddylackmann Note Added: 59767
2020-09-10 11:18 eddylackmann Status confirmed => acknowledged
2020-09-15 16:42 DenisChenu Note Added: 59829
2020-09-15 16:43 DenisChenu Note Edited: 59829
2020-09-15 16:43 DenisChenu Note Added: 59830
2020-09-17 16:07 DenisChenu Note Added: 59862
2020-09-17 16:07 DenisChenu Status acknowledged => feedback
2020-09-17 16:10 DenisChenu Note Added: 59863
2020-09-17 17:03 DenisChenu Note Added: 59864
2020-09-17 17:03 DenisChenu File Added: svgPlugin.zip
2020-09-17 17:04 DenisChenu Note Added: 59865
2020-09-17 17:04 DenisChenu File Added: Capture d’écran du 2020-09-17 17-04-02.png