mantis 1.3: What about the warnings in /admin/check?

UlfDunkel
Posts: 14
Joined: 20 Feb 2007, 09:58

mantis 1.3: What about the warnings in /admin/check?

Post by UlfDunkel »

Now that I have successfully switched to mantis 1.3, I get some warnings which I wasn't aware of before:
Paths
core_path configuration option is set to a path outside the web root
For increased security it is recommended that you move the core_path directory outside the web root.

class_path configuration option is set to a path outside the web root
For increased security it is recommended that you move the class_path directory outside the web root.

library_path configuration option is set to a path outside the web root
For increased security it is recommended that you move the library_path directory outside the web root.

config_path configuration option is set to a path outside the web root
For increased security it is recommended that you move the config_path directory outside the web root.

language_path configuration option is set to a path outside the web root
For increased security it is recommended that you move the language_path directory outside the web root.

Directory api should be removed from the MantisBT root if you do not plan on using SOAP
How can I fix these warnings?

The last warning makes me wonder. I have installed the PHP (7.0) SOAP extension and it is available as phpinfo() tells me. Did I forget to adjust something in mantis 1.3 to remove this warning?
atrol
Site Admin
Posts: 8374
Joined: 26 Mar 2008, 21:37
Location: Germany

Re: mantis 1.3: What about the warnings in /admin/check?

Post by atrol »

Depending on your webserver settings your users might be allowed to access/execute the contents of the mentioned directories.

e.g., you don't want your users to access files like
http://<yourMantis>/lang/strings_german.txt
http://<yourMantis>/library/adodb/tohtml.inc.php

You should remove the api directory if you don't use any applications that use the SOAP API.
Very simple security rule: Things that don't exist can't be used to attack your system.
Please use Search before posting and read the Manual
UlfDunkel
Posts: 14
Joined: 20 Feb 2007, 09:58

Re: mantis 1.3: What about the warnings in /admin/check?

Post by UlfDunkel »

Thank you for your quick reply, but it doesn't help me much.

When you check the warning texts, they are kind of irritating:
core_path configuration option is set to a path outside the web root
For increased security it is recommended that you move the core_path directory outside the web root.
What is meant by core_path configuration option?
Shouldn't the whole warning be read as
core_path configuration option should be set to a path outside the web root
This is also indicated by the descriptive text which accompanies the warning.

When I check the links that you have given as an example, I always get the expected "403 Forbidden" message which you can easily try yourself: https://bugs.calamus.net/library/adodb/tohtml.inc.php

In a previous upgrade attempt from mantis 1.2.9 to mantis 1.3, I was warned that my PHP 7.0 installation was missing the SOAP extension - so I installed it. Is this another irritating warning because Mantis definitely does not require the SOAP extension? If so, then the warning is misleading and I really should remove the SOAP extension again.

Please check these issues. Any advice is really appreciated.
UlfDunkel
Posts: 14
Joined: 20 Feb 2007, 09:58

Re: mantis 1.3: What about the warnings in /admin/check?

Post by UlfDunkel »

I now have moved the /core, /lang, and /library folders outside the web root and have adjusted the /config/config_inc.php accordingly:

$g_core_path     = '/<somewhereOutsideWebRoot>/share/MantisBT/core/';
$g_class_path    = '/<somewhereOutsideWebRoot>/share/MantisBT/core/classes/';
$g_library_path  = '/<somewhereOutsideWebRoot>/share/MantisBT/library/';
$g_language_path = '/<somewhereOutsideWebRoot>/share/MantisBT/lang/';

But I wonder if the same would be a good idea with $g_config_path, because I run several MantisBT installations for several domains on the same server. I guess I then would have to adjust more stuff in core.php in order to be able to use different config_inc.php files for the different installations.

Furthermore, moving the /core folder and adjusting $g_core_path doesn't affect line 71 in /core.php:

# Load supplied constants
require_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'core' . DIRECTORY_SEPARATOR . 'constant_inc.php' );

Any suggestions?
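
An added example (not part of the original post and not MantisBT's own check code): one way to test whether configured directories such as those above lie inside a web root, using a separator-aware prefix comparison. The web root and path values are constructed sample data, and normalize_path() and is_inside_web_root() are hypothetical helper names.

```php
<?php
// Added example, not MantisBT code. All paths below are constructed samples.

/** Lexically normalise an absolute POSIX path: collapse '.', '..' and '//'. */
function normalize_path(string $path): string {
    $parts = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

/** True when $path is the web root itself or lies somewhere below it. */
function is_inside_web_root(string $path, string $web_root): bool {
    // realpath() resolves symlinks; fall back to lexical normalisation
    // when the path does not exist on the machine running the check.
    $p = realpath($path) ?: normalize_path($path);
    $r = realpath($web_root) ?: normalize_path($web_root);
    // Compare with trailing separators so that /var/www/html/mantis-share
    // is not mistaken for a child of /var/www/html/mantis.
    return strpos($p . '/', rtrim($r, '/') . '/') === 0;
}

$web_root = '/var/www/html/mantis';                 // constructed
$paths = [                                          // constructed
    'core_path'     => '/srv/share/MantisBT/core/',
    'class_path'    => '/srv/share/MantisBT/core/classes/',
    'library_path'  => '/var/www/html/mantis/library/',
    'language_path' => '/var/www/html/mantis/../mantis-share/lang/',
    'config_path'   => '/var/www/html/mantis/config/',
];

foreach ($paths as $name => $path) {
    $result = is_inside_web_root($path, $web_root)
        ? 'WARN (inside web root)'
        : 'PASS (outside web root)';
    printf("%-14s %-45s %s\n", $name, $path, $result);
}
```

This only reports where the directories live; whether the web server actually serves files from them depends on the server configuration.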
atrol
Site Admin
Posts: 8374
Joined: 26 Mar 2008, 21:37
Location: Germany

Re: mantis 1.3: What about the warnings in /admin/check?

Post by atrol »

UlfDunkel wrote: When you check the warning texts, they are kind of irritating:
This is no warning text, it's the description of what's being checked (e.g. "core_path configuration option is set to a path outside the web root"), additional information ("For increased security it is recommended that you move the core_path directory outside the web root.") and the result of the check ("WARN").
UlfDunkel wrote: Furthermore, moving the /core folder and adjusting $g_core_path doesn't affect line 71 in /core.php:
Seems that no one has moved the folder for quite a long time. The constant_inc.php was moved to the core folder in 2003.
https://github.com/mantisbt/mantisbt/co ... aeee232ddd
I opened an issue for it https://www.mantisbt.org/bugs/view.php?id=21584

Concerning SOAP.
Mantis comes with SOAP API enabled out of the box, thus the SOAP extension is needed.
You can delete the api folder and disable the SOAP extension if you don't want to use the API.
Please use Search before posting and read the Manual
jconcept
Posts: 1
Joined: 13 Dec 2016, 20:39

Re: mantis 1.3: What about the warnings in /admin/check?

Post by jconcept »

Furthermore, moving the /core folder and adjusting $g_core_path doesn't affect line 71 in /core.php:
And if I move the config directory, then it displays the following error: "External library '/var/www/html/soporte/library/utf8/utf8.php' not found."

I cannot move either the core or the config directory; in both cases MantisBT doesn't work.

Can I fix these issues, or is it better to wait for newer versions?