View Issue Details

ID: 0021584
Project: mantisbt
Category: customization
View Status: public
Last Update: 2026-02-17 03:15
Reporter: atrol
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: confirmed
Resolution: open
Summary: 0021584: core_path directory can't be moved outside the web root
Description

After a fresh install, running admin/check.php gives WARN for the check:
core_path configuration option is set to a path outside the web root
For increased security it is recommended that you move the core_path directory outside the web root.

Moving the directory outside the web root does not work, as there is a hardcoded path in core.php:

require_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'core' . DIRECTORY_SEPARATOR . 'constant_inc.php' );

constant_inc.php was moved to the core folder in 2003 (release 0.18a1), see commit MantisBT master 5cad7a7e.
At first sight it seems that $g_core_path can't be changed since that time.

Tags: No tags attached.

Relationships

has duplicate 0028333 (closed, atrol): Cannot move core folder outside the mantis webroot
has duplicate 0034846 (closed, dregad): move core directory outside webroot not work
has duplicate 0036882 (closed, atrol): Recommendations for safe installation paths for MantisBT are not possible
related to 0024389 (resolved, dregad): Cannot create Issue when core path is out of MantisBT root

Activities

darkwind

2017-12-07 11:11

reporter   ~0058351

This problem occurs because when core.php is loaded the config file has not been read yet. So if you set $g_core_path in /config/config_inc.php the variable is still not defined at that moment.

A workaround is to move the whole core directory to an outside path. Then recreate the core folder and copy the file constant_inc.php to that newly created core folder from the outside path core folder. This will result in an empty core folder that only contains constant_inc.php.

You can also move the config folder to the outside location. And then you have to still keep the config folder and /config/config_inc.php. But you can edit that new config and change its content to only the paths and the include_once( $g_config_path . 'config_inc.php' ).

Here is the snippet:
<?php
$g_config_path = '/opt/mantisbt_outside/config/';
$g_core_path = '/opt/mantisbt_outside/core/';
$g_class_path = '/opt/mantisbt_outside/core/classes/';
$g_library_path = '/opt/mantisbt_outside/library/';
$g_language_path = '/opt/mantisbt_outside/lang/';

include_once( $g_config_path . 'config_inc.php' );

Hope this helps anybody who had the same problem.

lxfo6njcyc6ze24kp1h9

2018-02-11 15:16

reporter   ~0058831

I tried this with 2.11.1 but when I tried to go to the login page, I get a blank. Only when I put the config back in the mantisbt root directory does this work. This also happens when I move the core as well. Please advise as to what I could be doing wrong.

123

2018-05-15 04:58

reporter   ~0059791

Note the variable $t_local_config = getenv( 'MANTIS_CONFIG_FOLDER' ) in config_defaults_inc.php

It extracts the path to your "config" folder from the environment variable of your web server.
Add the following line to your web server's configuration file:
SetEnv MANTIS_CONFIG_FOLDER /path to your config folder/

123

2018-05-15 05:17

reporter   ~0059792

Indeed, there is a problem. Sorry...

amphetamine

2020-05-05 01:44

reporter   ~0063957

still there in 2.24.1

lega4

2020-05-17 08:57

reporter   ~0063995

Last edited: 2020-05-17 09:31

Even if one updates the variables to point to the outside, apparently path to "core" folder is hardcoded at https://github.com/mantisbt/mantisbt/blob/master/core.php#L67, so it makes no sense to copy core folder outside of webroot.

Update: found several more hardcoded paths:

=> so those checks don't make any sense now, there is no way to fix them. Please remove them until it's possible to make them green without dirty hacks.

rogueresearch

2020-07-22 14:06

reporter   ~0064176

I've just run into this too updating to 2.24.1. (Also I don't recall this warning in previous versions.)

rogueresearch

2021-06-21 16:48

reporter   ~0065641

Just as a datapoint: I installed a fresh 2.25.2 on a fresh server and saw this again.

raspopov

2026-02-11 22:28

reporter   ~0070786

Last edited: 2026-02-11 22:53

If you set the $g_core_path, $g_class_path, $g_library_path, and $g_language_path variables to their own unique paths and set the MANTIS_CONFIG_FOLDER environment variable to the path to the config_inc.php file, MantisBT will return a web server error: "500 Internal server error", and the PHP logs will show multiple errors.

/core.php:69:

require_once( __DIR__ . '/core/constant_inc.php' );

The "/core" folder is located in a different location. Probably can be replaced with: require_api( 'constant_inc.php' ); And will have to move the file: "/core/constant_inc.php" -> "/constant_inc.php". I don't see any other way out, because the $g_core_path variable can't be used in this place; it's loaded in the same file, but lower.

/core/email_api.php:79:

require_once( __DIR__ . '/classes/EmailMessage.class.php' );
require_once( __DIR__ . '/classes/EmailSender.class.php' );

/core/email_api.php:1580:

require_once __DIR__ . '/classes/EmailSenderPhpMailer.class.php';

/classes/EmailSender.class.php:18:

require_once( __DIR__ . '/EmailMessage.class.php' );

/classes/EmailSenderPhpMailer.class.php:23:

require_once( __DIR__ . '/EmailSender.class.php' );

The "/classes" folder is no longer available. These lines can simply be removed, since the class autoloader is used anyway.

/core/logging_api.php:325:

$t_root_path = dirname( __DIR__ ) . DIRECTORY_SEPARATOR;
...
$t_root_path . 'plugin.php'

The "/core" folder is located in a different root folder. We probably need to use the $g_core_path variable here.

/core/commands/IssueViewPageCommand.php:36:

And 12 files next to it. The "/core" folder is not located next to "/api".

$t_api_path = dirname( __DIR__, 2 ) . '/api/soap/';

Replace with:

global $g_absolute_path;
$t_soap_dir = $g_absolute_path . '/api/soap/';  

/admin/check/check_paths_inc.php:73:

MantisBT thinks that for example the "/mantisbt-config" folder is inside the "/mantisbt" folder.

$t_new_path['real_path'] = realpath( $t_new_path['config_value'] );

Needs to add "/" so avoid comparing of partial directory names:

$t_new_path['real_path'] = realpath( $t_new_path['config_value'] ) . DIRECTORY_SEPARATOR;

dregad

2026-02-16 12:11

developer   ~0070795

@raspopov

> will have to move the file: "/core/constant_inc.php" -> "/constant_inc.php".

I could not find any written trace explaining why the file was moved from / to /core in the first place, I can only guess that it was to separate it from "user-facing" scripts.

Anyway, not knowing the original reason, I am OK with your proposal to revert that change and put the constants back in root as I can't think of any issue this would cause.
@atrol @vboctor any objections?

> The "/classes" folder is no longer available. These lines can simply be removed, since the class autoloader is used anyway.

I don't know what makes you say that, the directory is definitely still there...
That being said, you're absolutely right that with the autoloader, these require statements are actually useless and should be removed.

> /core/commands/IssueViewPageCommand.php:36:
>
> And 12 files next to it. The "/core" folder is not located next to "/api".
> [...]
> Replace with:
>
> global $g_absolute_path;
> $t_soap_dir = $g_absolute_path . '/api/soap/';

I believe this would fix 0024389.

> Needs to add "/" so avoid comparing of partial directory names:

I don't understand why this would be needed. Can you clarify / explain what you mean?

raspopov

2026-02-16 13:50

reporter   ~0070796

> I don't know what makes you say that, the directory is definitely still there...

These statements are made on the assumption that the variable $g_class_path is set to a completely unique path (i.e. "/somewhere"), as are all other variables.

> I don't understand why this would be needed. Can you clarify / explain what you mean?

The string “/mantisbt” is a substring of “/mantisbt-config”, which causes the check to incorrectly report that the directory “/mantisbt” is inside the directory “/mantisbt-config”. Adding “/” will make the string “/mantisbt/” and it will no longer be a substring of “/mantisbt-config”.

dregad

2026-02-17 03:15

developer   ~0070797

Thanks for the feedback, I get it now.
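
The partial-directory-name comparison discussed in notes ~0070786 and ~0070796, shown as an added example that is not part of the thread and is not MantisBT code. The function names and the temporary directory layout are assumptions made for illustration; the script compares a plain string-prefix check with one that appends a directory separator to both resolved paths.

```php
<?php
# Added example, not MantisBT code. Function names and layout are hypothetical.

/** Naive check: plain string-prefix comparison of resolved paths. */
function is_inside_naive( string $p_path, string $p_root ): bool {
	$t_path = realpath( $p_path );
	$t_root = realpath( $p_root );
	return $t_path !== false && $t_root !== false
		&& strpos( $t_path, $t_root ) === 0;
}

/** Separator-aware check: both sides end in exactly one directory separator. */
function is_inside_strict( string $p_path, string $p_root ): bool {
	$t_path = realpath( $p_path );
	$t_root = realpath( $p_root );
	if( $t_path === false || $t_root === false ) {
		return false; # realpath() returns false for paths that do not exist
	}
	$t_path = rtrim( $t_path, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
	$t_root = rtrim( $t_root, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
	return strpos( $t_path, $t_root ) === 0;
}

# Constructed sample layout: a web root, a directory really inside it,
# and a sibling directory whose name merely starts with the web root's name.
$t_base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pathcheck_' . uniqid();
$t_webroot = $t_base . '/mantisbt';
$t_dirs = array(
	'core in webroot' => $t_webroot . '/core',
	'sibling config'  => $t_base . '/mantisbt-config',
);
foreach( $t_dirs as $t_dir ) {
	mkdir( $t_dir, 0700, true );
}

foreach( $t_dirs as $t_label => $t_dir ) {
	printf( "%-16s naive=%-5s strict=%s\n", $t_label,
		var_export( is_inside_naive( $t_dir, $t_webroot ), true ),
		var_export( is_inside_strict( $t_dir, $t_webroot ), true ) );
}

# Clean up the temporary directories, innermost first
foreach( $t_dirs as $t_dir ) {
	rmdir( $t_dir );
}
rmdir( $t_webroot );
rmdir( $t_base );
```

The naive check reports the sibling "mantisbt-config" directory as inside the web root, while the separator-aware check does not; both agree on the real subdirectory.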