View Issue Details

ID: 0021584
Project: mantisbt
Category: customization
View Status: public
Last Update: 2024-10-13 19:04
Reporter: atrol
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: confirmed
Resolution: open
Summary: 0021584: core_path directory can't be moved outside the web root
Description

After a fresh install running admin/check.php gives WARN for check:
core_path configuration option is set to a path outside the web root
For increased security it is recommended that you move the core_path directory outside the web root.

Moving the directory outside the web root does not work as there is a hardcoded path in core.php

require_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'core' . DIRECTORY_SEPARATOR . 'constant_inc.php' ); 

constant_inc.php has been moved to core folder in 2003 (release 0.18a1), see commit MantisBT master 5cad7a7e
At first sight it seems that $g_core_path can't be changed since that time.

Tags: No tags attached.

Relationships

has duplicate 0028333 closed atrol Cannot move core folder outside the mantis webroot
has duplicate 0034846 closed dregad move core directory outside webroot not work
related to 0024389 new Cannot add ticket after upgrade to 2.13.1 (can't access api from $g_core_path)

Activities

darkwind

2017-12-07 11:11

reporter   ~0058351

This problem occurs because when core.php is loaded the config file has not been read yet. So if you set $g_core_path in /config/config_inc.php the variable is still not defined at that moment.

A workaround is to move the whole core directory to an outside path. Then recreate the core folder and copy the file constant_inc.php to that newly created core folder from the outside path core folder. This will result in an empty core folder that only contains constant_inc.php.

You can also move the config folder to the outside location. And then you have to still keep the config folder and /config/config_inc.php. But you can edit that new config and change its content to only the paths and the include_once( $g_config_path . 'config_inc.php' ).

Here is the snippet:
<?php
$g_config_path = '/opt/mantisbt_outside/config/';
$g_core_path = '/opt/mantisbt_outside/core/';
$g_class_path = '/opt/mantisbt_outside/core/classes/';
$g_library_path = '/opt/mantisbt_outside/library/';
$g_language_path = '/opt/mantisbt_outside/lang/';

include_once( $g_config_path . 'config_inc.php' );

Hope this helps anybody who had the same problem.

lxfo6njcyc6ze24kp1h9

2018-02-11 15:16

reporter   ~0058831

I tried this with 2.11.1, but when I tried to go to the login page, I get a blank. Only when I put the config back in the mantisbt root directory does this work. This also happens when I move the core as well. Please advise as to what I could be doing wrong.

123

2018-05-15 04:58

reporter   ~0059791

Note the variable $t_local_config = getenv( 'MANTIS_CONFIG_FOLDER' ) in config_defaults_inc.php

It extracts the path to your "config" folder from the environment variable of your web server.
Add the following line to your web server's configuration file:
SetEnv MANTIS_CONFIG_FOLDER /path to your config folder/

123

2018-05-15 05:17

reporter   ~0059792

Indeed, there is a problem. Sorry...

amphetamine

2020-05-05 01:44

reporter   ~0063957

Still there in 2.24.1

lega4

2020-05-17 08:57

reporter   ~0063995

Last edited: 2020-05-17 09:31

Even if one updates the variables to point to the outside, apparently the path to the "core" folder is hardcoded at https://github.com/mantisbt/mantisbt/blob/master/core.php#L67, so it makes no sense to copy the core folder outside of the webroot.

Update: found several more hardcoded paths:

=> so those checks don't make any sense now, there is no way to fix them. Please remove them until it's possible to make them green without dirty hacks.
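
The hardcoded include quoted in the description, and the further hardcoded paths reported in note ~0063995, can be located with a source scan. The following is an added example, not part of the original thread and not MantisBT code: it lists include/require statements that build the path to core from the script's own directory and therefore ignore $g_core_path. The sample tree is constructed (only the core.php line is quoted from the report); the function names and the other file names are assumptions.

```python
import re
import tempfile
from pathlib import Path

# An include/require whose path starts from the script's own directory and
# contains a literal "core" path segment, so it cannot follow $g_core_path.
HARDCODED = re.compile(
    r"\b(?:require|include)(?:_once)?\b[^;]*?"          # include/require statement
    r"(?:dirname\s*\(\s*__FILE__\s*\)|__DIR__)[^;]*?"   # anchored on the file's directory
    r"""['"](?:[^'"]*[/\\])?core[/\\'"]""",             # string literal with a core segment
    re.IGNORECASE,
)

def find_hardcoded_core_includes(root):
    """Return sorted (relative path, line number, statement) tuples.

    Scans line by line, so a statement split over several lines is missed.
    """
    root = Path(root)
    hits = []
    for php in root.rglob("*.php"):
        text = php.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if HARDCODED.search(line):
                hits.append((php.relative_to(root).as_posix(), lineno, line.strip()))
    return sorted(hits)

# Constructed sample input; only the core.php statement is taken from the report.
SAMPLE_TREE = {
    "core.php": "<?php\nrequire_once( dirname( __FILE__ ) . DIRECTORY_SEPARATOR"
                " . 'core' . DIRECTORY_SEPARATOR . 'constant_inc.php' );\n",
    "admin/example.php": "<?php\nrequire_once( __DIR__ . '/../core/example_api.php' );\n",
    "login_page.php": "<?php\nrequire_once( dirname( __FILE__ ) . '/core.php' );\n",
    "plugin.php": "<?php\nrequire_once( $g_core_path . 'example_api.php' );\n",
}

def scan_sample_tree():
    """Write SAMPLE_TREE to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_TREE.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return find_hardcoded_core_includes(tmp)

if __name__ == "__main__":
    for rel, lineno, stmt in scan_sample_tree():
        print(f"{rel}:{lineno}: {stmt}")
```

To check a real installation, call find_hardcoded_core_includes() with the path to the MantisBT directory; every hit is a file that will still look for core inside the web root after the directory is moved.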

rogueresearch

2020-07-22 14:06

reporter   ~0064176

I've just run into this too updating to 2.24.1. (Also I don't recall this warning in previous versions.)

rogueresearch

2021-06-21 16:48

reporter   ~0065641

Just as a datapoint: I installed a fresh 2.25.2 on a fresh server and saw this again.