Hello,
When you try to put the marketplace directory outside of the GLPI_ROOT directory,
notably for hardened security, there is a problem in the generation of the front URL,
with no cleaning of the marketplace's parent directory in the plugin path.
Here is a quick fix proposal that should be reviewed and improved.
--- glpi/inc/plugin.class.php-dist 2021-04-13 14:06:46.000000000 +0200
+++ glpi/inc/plugin.class.php 2021-05-09 22:21:29.611040798 +0200
@@ -2469,6 +2469,7 @@
if (!$full) {
$directory = str_replace(GLPI_ROOT, "", $directory);
+ $directory = str_replace(GLPI_MARKETPLACE_DIR, "/marketplace", $directory);
}
return str_replace('\\', '/', $directory);
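Review bot: the added `str_replace(GLPI_MARKETPLACE_DIR, "/marketplace", $directory)` substitutes every occurrence of the marketplace path anywhere in the string rather than only a leading prefix, and a directory that sits under neither GLPI_MARKETPLACE_DIR nor GLPI_ROOT still passes through unchanged as an absolute filesystem path, which is the very leak the post describes. Consider anchoring both substitutions to the start of `$directory` (for example a `strpos($directory, GLPI_MARKETPLACE_DIR) === 0` test before replacing) and rejecting or logging a path that matches neither prefix; the hunk also hard-codes the `/marketplace` web path, so it only holds while the marketplace is served at that location.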
Well, it's a dead issue, because all plugins contain an include instruction like this: include('../../../inc/includes.php')
With this backward call, if you try to put the Marketplace outside of the GLPI_ROOT you will miss the real system path of the includes.php file.
The crystal clear conclusion is you can't move the Marketplace outside of the GLPI_ROOT because it should also be revamped on the plugins side.
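As an added example (not code from this thread or from GLPI itself), the following Python models the two problems raised above: the filesystem-to-web-path mapping that leaks the marketplace's parent directory into the front URL when GLPI_MARKETPLACE_DIR lies outside GLPI_ROOT, next to a prefix-anchored variant that handles both layouts, and the relative include plugins perform, which resolves outside GLPI_ROOT once the marketplace is moved. The directory layout and the plugin name foo are constructed for the demonstration.

```python
import posixpath

# Constructed layout for the demonstration (not GLPI's real defaults).
GLPI_ROOT = "/usr/share/glpi"
MARKETPLACE_INSIDE = GLPI_ROOT + "/marketplace"      # default: inside the code tree
MARKETPLACE_OUTSIDE = "/var/lib/glpi/marketplace"    # hardened: writable dir outside the tree
PLUGIN_INCLUDE = "../../../inc/includes.php"         # relative include used by plugins


def web_path_original(directory, glpi_root=GLPI_ROOT):
    """Model of the stock logic: strip GLPI_ROOT wherever it occurs, fix separators.

    When the directory is not under GLPI_ROOT nothing is stripped and the
    absolute filesystem path ends up in the front URL.
    """
    return directory.replace(glpi_root, "").replace("\\", "/")


def web_path_fixed(directory, glpi_root=GLPI_ROOT, marketplace_dir=MARKETPLACE_INSIDE):
    """Prefix-anchored mapping: marketplace dir -> /marketplace, GLPI_ROOT -> ''.

    Only a match at the start of the path counts, so a directory under neither
    prefix is rejected instead of being exposed verbatim in the URL.
    """
    directory = directory.replace("\\", "/")
    for fs_prefix, web_prefix in ((marketplace_dir, "/marketplace"), (glpi_root, "")):
        fs_prefix = fs_prefix.replace("\\", "/").rstrip("/")
        if directory == fs_prefix or directory.startswith(fs_prefix + "/"):
            return web_prefix + directory[len(fs_prefix):]
    raise ValueError("plugin directory %r is outside GLPI_ROOT and the marketplace" % directory)


def include_target(plugin_front_dir, relative=PLUGIN_INCLUDE):
    """Resolve the relative include a plugin front script performs."""
    return posixpath.normpath(posixpath.join(plugin_front_dir, relative))


def include_stays_in_root(plugin_front_dir, glpi_root=GLPI_ROOT):
    """True when the plugin's relative include still lands inside GLPI_ROOT."""
    return include_target(plugin_front_dir).startswith(glpi_root + "/")


if __name__ == "__main__":
    for base in (MARKETPLACE_INSIDE, MARKETPLACE_OUTSIDE):
        plugin = base + "/foo"
        print(plugin)
        print("  original web path:", web_path_original(plugin))
        print("  fixed web path:   ", web_path_fixed(plugin, marketplace_dir=base))
        print("  include resolves: ", include_target(plugin + "/front"),
              "(inside root)" if include_stays_in_root(plugin + "/front") else "(OUTSIDE root)")
```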
I bypass this issue with a systemd mount bind to put the marketplace directory outside of the code tree,
in /var/lib/glpi/marketplace, which seems a better place for writable access.
ligenix# cat usr-share-glpi-marketplace.mount
[Unit]
Description=GLPI Marketplace Protect Directory
Documentation=http://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
Before=local-fs.target
[Mount]
Where=/usr/share/glpi/marketplace
What=/var/lib/glpi/marketplace
Type=none
Options=defaults,bind
[Install]
WantedBy=local-fs.target
Hi,
what do you expect if you move the directory? Where is the security "hardened"?
Hi,
Well, you put static and system controlled code in /usr/share/glpi, owned by root without write access, and volatile web interacted code in /var/lib/glpi, owned by apache or nginx with little write access. It's a simple and efficient way to enhance security by design. That said, your question doesn't give an answer to the bug I found.
I didn't answer because for me it's no bug, it's by design. And if the design is bad you have to look at the complete software, not only your small snippet of code... Maybe it makes sense to discuss this bad design with a report: https://github.com/glpi-project/glpi.
Firstly, it's really a bug, as you can't use the GLPI_MARKETPLACE_DIR constant as it should be.
This has already been reported here: https://github.com/glpi-project/glpi/issues/9074
But yes, it's also a design problem, introduced by this new marketplace approach, that I have no time to solve myself.
Second, if you read carefully my other posts, I proposed a working systemd mount bind solution that is more than a small snippet of code.
You can find more of my contributions here: https://forum.glpi-project.org/viewtopic.php?id=279043
Regards