#1 2021-05-11 10:23:22

ligenix
Member
Registered: 2021-04-13
Posts: 57

Marketplace bug

Hello,

When you try to put the marketplace directory outside of the GLPI_ROOT directory,
notably for hardened security, there is a problem in the generation of the front URL,
with no cleaning of the marketplace's parent directory in the plugin path.

Here is a quick fix proposal that should be reviewed and improved.


--- glpi/inc/plugin.class.php-dist   2021-04-13 14:06:46.000000000 +0200
+++ glpi/inc/plugin.class.php        2021-05-09 22:21:29.611040798 +0200
@@ -2469,6 +2469,7 @@

       if (!$full) {
          $directory = str_replace(GLPI_ROOT, "", $directory);
+         $directory = str_replace(GLPI_MARKETPLACE_DIR, "/marketplace", $directory);
       }

       return str_replace('\\', '/', $directory);
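Review bot: the added replacement runs only after GLPI_ROOT has already been stripped, and both str_replace calls substitute the substring anywhere in $directory rather than only as a leading prefix, so a marketplace directory that is outside GLPI_ROOT but contains it as a substring (for instance /usr/share/glpi versus /usr/share/glpi-marketplace) is mangled by the first call before the second one ever runs. Suggest testing the marketplace prefix first with a position check, e.g. `if (strpos($directory, GLPI_MARKETPLACE_DIR) === 0) { $directory = '/marketplace' . substr($directory, strlen(GLPI_MARKETPLACE_DIR)); } elseif (strpos($directory, GLPI_ROOT) === 0) { ... }`, and adding a comment that the resulting "/marketplace/..." value is only a usable front URL if the web server really serves that location from GLPI_MARKETPLACE_DIR, which this hunk does not arrange.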


#2 2021-05-13 15:55:45

ligenix
Member
Registered: 2021-04-13
Posts: 57

Re: Marketplace bug

Well, it's a dead issue, because all plugins contain an include instruction like this: include ('../../../inc/includes.php')

With this backward call, if you try to put the Marketplace outside of the GLPI_ROOT you will miss the real system path of the includes.php file.

The crystal clear conclusion is you can't move the Marketplace outside of the GLPI_ROOT because it should also be revamped on the plugins side.


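To make the two points above concrete, here is an added PHP example; it is not GLPI's code and not the patch from #1. It assumes GLPI_ROOT is /usr/share/glpi, that GLPI_MARKETPLACE_DIR has been moved to /var/lib/glpi/marketplace, and a hypothetical plugin key `example`. The first function maps an absolute plugin directory to its web path with a real prefix check instead of a blind str_replace, which is what the patch in #1 is trying to do; the second resolves the relative include quoted in #2 and shows that an out-of-tree marketplace makes `../../../inc/includes.php` land outside GLPI_ROOT.

```php
<?php
// Added example, not GLPI's code. Paths, URL prefixes and the plugin key
// below are constructed for the demo.

declare(strict_types=1);

/**
 * Return the web path for an absolute plugin directory.
 *
 * $roots maps an absolute directory to the URL path it is served under.
 * A root only matches when it is a prefix at position 0 AND ends on a
 * path boundary, so "/usr/share/glpi-other" is never treated as living
 * under "/usr/share/glpi". The longest matching root wins.
 */
function relativePluginDir(string $path, array $roots): ?string
{
    $path    = str_replace('\\', '/', $path);
    $best    = null;
    $bestLen = -1;
    foreach ($roots as $dir => $urlPrefix) {
        $dir = rtrim(str_replace('\\', '/', $dir), '/');
        $len = strlen($dir);
        $isPrefix = strncmp($path, $dir, $len) === 0
            && ($len === strlen($path) || $path[$len] === '/');
        if ($isPrefix && $len > $bestLen) {
            $best    = $urlPrefix . substr($path, $len);
            $bestLen = $len;
        }
    }
    return $best;
}

/**
 * Resolve a relative include the way PHP would from a plugin front script.
 * Pure string normalisation: nothing on disk is consulted.
 */
function resolveRelative(string $fromDir, string $relative): string
{
    $parts = [];
    foreach (explode('/', $fromDir . '/' . $relative) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

// --- constructed values (assumptions for the demo) ---
$glpiRoot       = '/usr/share/glpi';            // assumed GLPI_ROOT
$marketplaceDir = '/var/lib/glpi/marketplace';  // assumed out-of-tree GLPI_MARKETPLACE_DIR
$plugin         = 'example';                    // hypothetical plugin key

$roots = [
    $glpiRoot       => '',              // served at the web root
    $marketplaceDir => '/marketplace',  // URL the web server must map onto this directory
];

// 1. A bare str_replace(GLPI_ROOT, '', ...) leaves an out-of-tree path untouched,
//    so the generated front URL would still carry a filesystem path.
$naive = str_replace($glpiRoot, '', "$marketplaceDir/$plugin");
echo "naive:  $naive\n";

// 2. Prefix-safe mapping: in-tree, out-of-tree, and a look-alike directory.
echo "mapped: " . relativePluginDir("$marketplaceDir/$plugin", $roots) . "\n";
echo "mapped: " . relativePluginDir("$glpiRoot/plugins/$plugin", $roots) . "\n";
echo "mapped: " . var_export(relativePluginDir("/usr/share/glpi-other/$plugin", $roots), true) . "\n";

// 3. Why the conclusion in #2 holds: from <marketplace>/<plugin>/front the
//    include '../../../inc/includes.php' only reaches GLPI_ROOT/inc when the
//    marketplace is inside GLPI_ROOT.
foreach (["$glpiRoot/marketplace", $marketplaceDir] as $mp) {
    $front = "$mp/$plugin/front";
    $inc   = resolveRelative($front, '../../../inc/includes.php');
    $state = $inc === "$glpiRoot/inc/includes.php" ? 'ok' : 'MISSING';
    echo "$front -> $inc ($state)\n";
}
```

Run it with `php example.php`. Because the resolver never touches the filesystem, the last loop also explains why the bind mount in #3 works: the plugin is still reached through /usr/share/glpi/marketplace, so the relative include resolves inside GLPI_ROOT even though the files physically live in /var/lib/glpi.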
#3 2021-05-14 09:59:41

ligenix
Member
Registered: 2021-04-13
Posts: 57

Re: Marketplace bug

I bypass this issue with a systemd mount bind to put the marketplace directory outside of the code tree,
in /var/lib/glpi/marketplace which seems a better place for writable access.


ligenix# cat usr-share-glpi-marketplace.mount

[Unit]
Description=GLPI Marketplace Protect Directory
Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
Before=local-fs.target

[Mount]
Where=/usr/share/glpi/marketplace
What=/var/lib/glpi/marketplace
Type=none
Options=defaults,bind

[Install]
WantedBy=local-fs.target


#4 2021-11-03 17:51:00

doesntMatter
Member
Registered: 2016-07-06
Posts: 106

Re: Marketplace bug

ligenix wrote:

Hello,

When you try to put the marketplace directory outside of the GLPI_ROOT directory,
notably for hardened security, there is a problem in the generation of the front URL,
with no cleaning of the marketplace's parent directory in the plugin path.

Here is a quick fix proposal that should be reviewed and improved.


--- glpi/inc/plugin.class.php-dist   2021-04-13 14:06:46.000000000 +0200
+++ glpi/inc/plugin.class.php        2021-05-09 22:21:29.611040798 +0200
@@ -2469,6 +2469,7 @@

       if (!$full) {
          $directory = str_replace(GLPI_ROOT, "", $directory);
+         $directory = str_replace(GLPI_MARKETPLACE_DIR, "/marketplace", $directory);
       }

       return str_replace('\\', '/', $directory);

Hi,
what do you expect if you move the directory? Where is the security "hardened"?


#5 2021-11-05 11:58:49

ligenix
Member
Registered: 2021-04-13
Posts: 57

Re: Marketplace bug

Hi,

Well, you put static and system-controlled code in /usr/share/glpi, owned by root without write access, and volatile web-interacted code in /var/lib/glpi, owned by apache or nginx with little write access. It's a simple and efficient way to enhance security by design. That said, your question doesn't give an answer to the bug I found.


#6 2021-11-05 13:10:22

doesntMatter
Member
Registered: 2016-07-06
Posts: 106

Re: Marketplace bug

ligenix wrote:

Hi,

Well, you put static and system-controlled code in /usr/share/glpi, owned by root without write access, and volatile web-interacted code in /var/lib/glpi, owned by apache or nginx with little write access. It's a simple and efficient way to enhance security by design. That said, your question doesn't give an answer to the bug I found.

I didn't answer because for me it's no bug, it's by design. And if the design is bad you have to look at the complete software, not only your small snippet of code. Maybe it makes sense to discuss this bad design with a report: https://github.com/glpi-project/glpi.


#7 2021-11-05 13:50:52

ligenix
Member
Registered: 2021-04-13
Posts: 57

Re: Marketplace bug

Firstly, it's really a bug as you can't use the GLPI_MARKETPLACE_DIR constant as it should be.
This has already been reported here: https://github.com/glpi-project/glpi/issues/9074

But yes it's also a design problem, introduced by this new marketplace approach, that I have no time to solve myself.

Second, if you read carefully my other posts I proposed a working systemd mount bind solution that is more than a small snippet of code.
You can find more of my contributions here: https://forum.glpi-project.org/viewtopic.php?id=279043

Regards
