View Issue Details

IDProjectCategoryView StatusLast Update
0021584mantisbtcustomizationpublic2020-05-17 09:55
Reporteratrol Assigned To 
PrioritynormalSeverityminorReproducibilityhave not tried
Status newResolutionopen 
Summary0021584: core_path directory can't be moved outside the web root
Description

After a fresh install running admin/check.php gives WARN for check:
core_path configuration option is set to a path outside the web root
For increased security it is recommended that you move the core_path directory outside the web root.

Moving the directory outside the web root does not work as there is a hardcoded path in core.php
require_once( dirname( FILE ) . DIRECTORY_SEPARATOR . 'core' . DIRECTORY_SEPARATOR . 'constant_inc.php' );

constant_inc.php has been moved to core folder in 2003, see commit 5cad7a7e23fba2a51a369a764daf33aeee232ddd
At first sight it seems that $g_core_path can't be changed since that time.

TagsNo tags attached.

Activities

darkwind

darkwind

2017-12-07 11:11

reporter   ~0058351

This problem occurs because when core.php is loaded the config file has not been read yet. So if you set $g_core_path in /config/config_inc.php the variable is still not defined at that moment.

A work around is to move the whole core directory to an outside path. Then recreate the core folder and copy the file constant_inc.php to that newly created core folder from the outside path core folder. This will result in an empty core folder that only contains constant_inc.php.

You can also move the config folder to the outside location. And then you have to still keep the config folder and /config/config_inc.php. But you can edit that new config and change its content to only the paths and the include_once( $g_config_path . 'config_inc.php' ).

Here is the snippet:
<?php
$g_config_path = '/opt/mantisbt_outside/config/';
$g_core_path = '/opt/mantisbt_outside/core/';
$g_class_path = '/opt/mantisbt_outside/core/classes/';
$g_library_path = '/opt/mantisbt_outside/library/';
$g_language_path = '/opt/mantisbt_outside/lang/';

include_once( $g_config_path . 'config_inc.php' );

Hope this helps anybody who had the same problem.

lxfo6njcyc6ze24kp1h9

lxfo6njcyc6ze24kp1h9

2018-02-11 15:16

reporter   ~0058831

I tried this with 2.11.1 but when I tried to go to the login page, I get a blank. only when I put the config back in the mantisbt root directory does this work. This also happens when i move the core as well. Please advise as to what I could be doing wrong.

123

123

2018-05-15 04:58

reporter   ~0059791

Note the variable $ t_local_config = getenv ('MANTIS_CONFIG_FOLDER') in config_defaults_inc.php

It extracts the path to your "config" folder from the environment variable of your web server.
Add the following line to your web server's configuration file:
SetEnv MANTIS_CONFIG_FOLDER /path to your config folder/

123

123

2018-05-15 05:17

reporter   ~0059792

Indeed, there is a problem. Sorry...

amphetamine

amphetamine

2020-05-05 01:44

reporter   ~0063957

still there in 2.24.1

lega4

lega4

2020-05-17 08:57

reporter   ~0063995

Last edited: 2020-05-17 09:31

View 3 revisions

Even if one updates the variables to point to the outside, apparently path to "core" folder is hardcoded at https://github.com/mantisbt/mantisbt/blob/master/core.php#L67, so it makes no sense to copy core folder outside of webroot.

Update: found several more hardcoded paths:

=> so those checks don't make any sense now, there is no way to fix them. Please remove them until it's possible to make them green without dirty hacks.

Issue History

Date Modified Username Field Change
2016-08-02 14:15 atrol New Issue
2017-12-07 11:11 darkwind Note Added: 0058351
2018-02-11 15:16 lxfo6njcyc6ze24kp1h9 Note Added: 0058831
2018-05-15 04:58 123 Note Added: 0059791
2018-05-15 05:17 123 Note Added: 0059792
2020-05-05 01:44 amphetamine Note Added: 0063957
2020-05-17 08:57 lega4 Note Added: 0063995
2020-05-17 09:31 lega4 Note Edited: 0063995 View Revisions
2020-05-17 09:31 lega4 Note Edited: 0063995 View Revisions