
mahara-contributors team mailing list archive

[Bug 547289] Re: Downloads can be denied when dataroot specified in certain ways

 

** Changed in: mahara
    Milestone: None => 1.1.8

-- 
Downloads can be denied when dataroot specified in certain ways
https://bugs.launchpad.net/bugs/547289
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.

Status in Mahara ePortfolio: Fix Released

Bug description:
A very confusing problem as uploads work fine and files are written to disk OK, apparently:

http://mahara.org/interaction/forum/topic.php?id=527#post3684

(and the post after it)

I'm not sure exactly what is wrong there, but if the dataroot is set up in such a way that files can't be downloaded, we _must_ let the administrator know somehow - maybe with a ConfigSanityException in ensure_sanity. Otherwise, we should add some more smarts to make sure the matching is sensible. It's probably here that is failing:

lib/file.php: serve_file

    if (!get_config('insecuredataroot') && substr($path, 0, strlen($dataroot)) != $dataroot) {
        throw new AccessDeniedException();
    }


Perhaps $dataroot and the substr bit need wrapping in realpath()? In any event, the AccessDeniedException needs to have an argument to say what is wrong; calling it with no parameters is wrong.

This bug was imported from eduforge.org, see:
https://eduforge.org/tracker/index.php?func=detail&aid=3324&group_id=176&atid=739
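
Added example, not part of the original bug report and not Mahara's code: it compares the prefix test quoted above with a realpath()-based containment check over several spellings of one dataroot. The function names, the temp-directory layout and the particular spellings are constructed for illustration (the report does not say which spelling triggered the bug); it assumes PHP 7.1+ on a POSIX system, and the sibling-directory case goes slightly beyond the report.

```php
<?php
// Added illustration; function names are hypothetical, not Mahara's API.

// The comparison quoted in the report: a raw string-prefix test.
function prefix_check(string $path, string $dataroot): bool {
    return substr($path, 0, strlen($dataroot)) == $dataroot;
}

// Canonicalise both sides, then compare on a directory boundary.
function realpath_check(string $path, string $dataroot): bool {
    $root = realpath($dataroot);
    $real = realpath($path);
    if ($root === false || $real === false) {
        return false; // unresolvable dataroot or file: refuse to serve
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $root, strlen($root)) === 0;
}

// Constructed layout: a dataroot, a symlink to it, and a sibling
// directory whose name shares the dataroot's prefix.
$base = sys_get_temp_dir() . '/dataroot_demo_' . getmypid();
mkdir("$base/data/files", 0700, true);
mkdir("$base/data-old", 0700, true);
symlink("$base/data", "$base/link");
file_put_contents("$base/data/files/a.txt", 'x');
file_put_contents("$base/data-old/b.txt", 'x');

$inside = "$base/data/files/a.txt";
$cases = [ // label => [configured dataroot, requested path]
    'plain dataroot'  => ["$base/data", $inside],
    'doubled slash'   => ["$base//data", $inside],
    'symlinked root'  => ["$base/link", $inside],
    'dot-dot in root' => ["$base/data/files/..", $inside],
    'sibling dir'     => ["$base/data", "$base/data-old/b.txt"],
];
foreach ($cases as $label => [$dataroot, $path]) {
    printf("%-16s prefix=%-5s realpath=%s\n", $label,
        var_export(prefix_check($path, $dataroot), true),
        var_export(realpath_check($path, $dataroot), true));
}

// Remove the constructed files again.
unlink("$base/data/files/a.txt"); unlink("$base/data-old/b.txt");
unlink("$base/link"); rmdir("$base/data/files");
rmdir("$base/data"); rmdir("$base/data-old"); rmdir($base);
```

The first four rows request the same file and differ only in how the dataroot is written; the last row requests a file outside the dataroot, which is why the canonical comparison ends on a directory separator.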