View Issue Details

IDProjectCategoryView StatusLast Update
0021584mantisbtcustomizationpublic2021-04-21 14:49
Reporteratrol Assigned To 
PrioritynormalSeverityminorReproducibilityhave not tried
Status newResolutionopen 
Summary0021584: core_path directory can't be moved outside the web root

After a fresh install running admin/check.php gives WARN for check:
core_path configuration option is set to a path outside the web root
For increased security it is recommended that you move the core_path directory outside the web root.

Moving the directory outside the web root does not work as there is a hardcoded path in core.php
require_once( dirname( FILE ) . DIRECTORY_SEPARATOR . 'core' . DIRECTORY_SEPARATOR . 'constant_inc.php' );

constant_inc.php has been moved to core folder in 2003, see commit 5cad7a7e23fba2a51a369a764daf33aeee232ddd
At first sight it seems that $g_core_path can't be changed since that time.

TagsNo tags attached.


has duplicate 0028333 closedatrol Cannot move core folder outside the mantis webroot 




2017-12-07 11:11

reporter   ~0058351

This problem occurs because when core.php is loaded the config file has not been read yet. So if you set $g_core_path in /config/config_inc.php the variable is still not defined at that moment.

A work around is to move the whole core directory to an outside path. Then recreate the core folder and copy the file constant_inc.php to that newly created core folder from the outside path core folder. This will result in an empty core folder that only contains constant_inc.php.

You can also move the config folder to the outside location. And then you have to still keep the config folder and /config/config_inc.php. But you can edit that new config and change its content to only the paths and the include_once( $g_config_path . 'config_inc.php' ).

Here is the snippet:
$g_config_path = '/opt/mantisbt_outside/config/';
$g_core_path = '/opt/mantisbt_outside/core/';
$g_class_path = '/opt/mantisbt_outside/core/classes/';
$g_library_path = '/opt/mantisbt_outside/library/';
$g_language_path = '/opt/mantisbt_outside/lang/';

include_once( $g_config_path . 'config_inc.php' );

Hope this helps anybody who had the same problem.



2018-02-11 15:16

reporter   ~0058831

I tried this with 2.11.1 but when I tried to go to the login page, I get a blank. only when I put the config back in the mantisbt root directory does this work. This also happens when i move the core as well. Please advise as to what I could be doing wrong.



2018-05-15 04:58

reporter   ~0059791

Note the variable $ t_local_config = getenv ('MANTIS_CONFIG_FOLDER') in config_defaults_inc.php

It extracts the path to your "config" folder from the environment variable of your web server.
Add the following line to your web server's configuration file:
SetEnv MANTIS_CONFIG_FOLDER /path to your config folder/



2018-05-15 05:17

reporter   ~0059792

Indeed, there is a problem. Sorry...



2020-05-05 01:44

reporter   ~0063957

still there in 2.24.1



2020-05-17 08:57

reporter   ~0063995

Last edited: 2020-05-17 09:31

Even if one updates the variables to point to the outside, apparently path to "core" folder is hardcoded at, so it makes no sense to copy core folder outside of webroot.

Update: found several more hardcoded paths:

=> so those checks don't make any sense now, there is no way to fix them. Please remove them until it's possible to make them green without dirty hacks.



2020-07-22 14:06

reporter   ~0064176

I've just run into this too updating to 2.24.1. (Also I don't recall this warning in previous versions.)