View Issue Details

ID: 0035082
Project: mantisbt
Category: plug-ins
View Status: public
Last Update: 2024-12-06 11:55
Reporter: raspopov
Assigned To: community
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 2.27.0
Target Version: 2.28.0
Fixed in Version: 2.28.0
Summary: 0035082: Allow plugin_file_path() to return the files directory and use the current plugin by default
Description

I would like to request permission to slightly modify the plugin_file_path($p_filename, $p_base_name) function so that it is easy to get the path to the ‘files’ directory from a plugin.

  • If $p_filename = null - the ‘files’ directory will be returned instead of the file (without checking),
  • If $p_base_name = null - the current plugin name will be used.

This is important for plugins that would want to use their ‘files’ dynamically. The current behavior of the function is not affected in any way.
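As an added illustration (not MantisBT's own plugin_api.php and not the code of PR 2054) of the two requested defaults, together with the kind of install-time check on the ‘files’ directory that the discussion below mentions; the plugins root path and the plugin_get_current() stub are assumptions:

```php
<?php
// Added illustration, not MantisBT's own plugin_api.php. Assumed: the
// plugins root below and a stub for plugin_get_current(), which core uses
// to track the plugin whose code is currently executing.
const PLUGIN_ROOT = '/var/www/mantisbt/plugins';

function plugin_get_current(): string {
	return 'MantisLdapAvatar';  // stub for the illustration
}

/**
 * $p_filename  = null -> return the 'files' directory itself (no existence
 *                        check), as the request proposes.
 * $p_base_name = null -> use the currently executing plugin.
 * Otherwise return $p_filename inside the plugin's 'files' directory,
 * or null if no such file exists.
 */
function plugin_file_path( ?string $p_filename = null, ?string $p_base_name = null ) {
	$t_base = $p_base_name ?? plugin_get_current();
	$t_dir = PLUGIN_ROOT . '/' . $t_base . '/files/';
	if( $p_filename === null ) {
		return $t_dir;
	}
	// Keep only the bare file name so a name taken from a request cannot
	// climb out of the 'files' directory with '../'.
	$t_path = $t_dir . basename( $p_filename );
	return is_file( $t_path ) ? $t_path : null;
}

/**
 * Install-time check for a plugin that writes into its own 'files'
 * directory: it must exist, resolve inside the plugins root (a symlink
 * elsewhere would defeat "only this directory is writable") and be
 * writable by the web server user. Returns a list of problems.
 */
function plugin_files_dir_check( ?string $p_base_name = null ): array {
	$t_dir = plugin_file_path( null, $p_base_name );
	$t_real = realpath( $t_dir );
	if( $t_real === false || !is_dir( $t_real ) ) {
		return [ "$t_dir does not exist" ];
	}
	$t_problems = [];
	if( strpos( $t_real . '/', realpath( PLUGIN_ROOT ) . '/' ) !== 0 ) {
		$t_problems[] = "$t_real resolves outside " . PLUGIN_ROOT;
	}
	if( !is_writable( $t_real ) ) {
		$t_problems[] = "$t_real is not writable by the web server";
	}
	return $t_problems;
}
```

An empty array from plugin_files_dir_check() means the directory is usable; each string describes one condition the administrator still has to fix.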

Tags: No tags attached.

Activities

raspopov

2024-12-04 10:57

reporter   ~0069536

Last edited: 2024-12-04 10:57

PR: 2054.

dregad

2024-12-04 13:06

developer   ~0069537

I'm OK with the proposed change.

It would be interesting to have some context about the actual usage you're planning for this; can you link your plugin's code?

raspopov

2024-12-04 14:29

reporter   ~0069538

I was working on updating the same MantisLdapAvatar plugin and found that the plugin saves files to its ‘files’ directory (actually it could be any directory) to be served to the browser, and generates the URL of such an upload using core.... passing it only the filename, without the path!

But how does core know where to find the file?!

It turns out that core itself builds the path to the file from the plugin name and the string ‘/files/’. I.e. everything worked only by lucky chance, because in the plugin the path to the files was literally inside ‘files’...

So I decided to do the opposite - ask core to tell me where the plugin's ‘files’ are, and remove the path selection option in the plugin itself as unsupported.

dregad

2024-12-04 19:33

developer   ~0069541

“the plugin saves files to its ‘files’ directory”

It does not sound like a good idea to store files in the plugin's or MantisBT's code structure - that's a recipe for disaster if you ask me. I would recommend using another directory outside of the MantisBT root.

raspopov

2024-12-04 22:33

reporter   ~0069543

“that's a recipe for disaster”

Can you tell me more about it, please? Many dynamic content systems create caches within their main directory accessible by direct URL, e.g. file wikis, forums, ad-systems, etc.

I also saw a recommendation in the MantisBT checks section that the MantisBT root directory should not be inside the web server directory, which is also a rather obscure recommendation, especially given the very flexible configuration options for virtual servers, aliases and file system symbolic links.

dregad

2024-12-05 03:19

developer   ~0069545

Just security best practice. Allowing uncontrolled 3rd party files in your web root may allow attackers to inject files that may later be executed on your server.

raspopov

2024-12-05 10:33

reporter   ~0069546

Normally write access to files is denied to the entire web server. In our case the administrator will have to manually allow writing to the ‘files’ directory; a corresponding check has been added and will be performed when installing the plugin.

dregad

2024-12-06 11:55

developer   ~0069558

Many thanks @raspopov for your contribution!

Related Changesets

MantisBT: master 44d3fecc

2024-12-06 11:51

raspopov

Committer: community

Improve plugin_file_path() function

- Automatically detect the current plugin when $p_base_name = ''
- Return the path to the plugin's "files" directory when $p_filename = ''

This will allow plugins to dynamically provide files from their 'files'
directory. Currently, the directory is hard-coded but not easily
accessible.

Fixes 0035082, PR https://github.com/mantisbt/mantisbt/pull/2054

Signed-off-by: Damien Regad <dregad@mantisbt.org>
Affected Issues
0035082
mod - core/plugin_api.php
mod - docbook/Developers_Guide/en-US/Plugins_Building.xml