View Issue Details

IDProjectCategoryView StatusLast Update
0021584mantisbtcustomizationpublic2021-06-21 16:48
Reporteratrol Assigned To 
PrioritynormalSeverityminorReproducibilityhave not tried
Status newResolutionopen 
Summary0021584: core_path directory can't be moved outside the web root
Description

After a fresh install running admin/check.php gives WARN for check:
core_path configuration option is set to a path outside the web root
For increased security it is recommended that you move the core_path directory outside the web root.

Moving the directory outside the web root does not work as there is a hardcoded path in core.php
require_once( dirname( FILE ) . DIRECTORY_SEPARATOR . 'core' . DIRECTORY_SEPARATOR . 'constant_inc.php' );

constant_inc.php has been moved to core folder in 2003, see commit 5cad7a7e23fba2a51a369a764daf33aeee232ddd
At first sight it seems that $g_core_path can't be changed since that time.

TagsNo tags attached.

Relationships

has duplicate 0028333 closedatrol Cannot move core folder outside the mantis webroot 

Activities

darkwind

darkwind

2017-12-07 11:11

reporter   ~0058351

This problem occurs because when core.php is loaded the config file has not been read yet. So if you set $g_core_path in /config/config_inc.php the variable is still not defined at that moment.

A work around is to move the whole core directory to an outside path. Then recreate the core folder and copy the file constant_inc.php to that newly created core folder from the outside path core folder. This will result in an empty core folder that only contains constant_inc.php.

You can also move the config folder to the outside location. And then you have to still keep the config folder and /config/config_inc.php. But you can edit that new config and change its content to only the paths and the include_once( $g_config_path . 'config_inc.php' ).

Here is the snippet:
<?php
$g_config_path = '/opt/mantisbt_outside/config/';
$g_core_path = '/opt/mantisbt_outside/core/';
$g_class_path = '/opt/mantisbt_outside/core/classes/';
$g_library_path = '/opt/mantisbt_outside/library/';
$g_language_path = '/opt/mantisbt_outside/lang/';

include_once( $g_config_path . 'config_inc.php' );

Hope this helps anybody who had the same problem.

lxfo6njcyc6ze24kp1h9

lxfo6njcyc6ze24kp1h9

2018-02-11 15:16

reporter   ~0058831

I tried this with 2.11.1 but when I tried to go to the login page, I get a blank. only when I put the config back in the mantisbt root directory does this work. This also happens when i move the core as well. Please advise as to what I could be doing wrong.

123

123

2018-05-15 04:58

reporter   ~0059791

Note the variable $ t_local_config = getenv ('MANTIS_CONFIG_FOLDER') in config_defaults_inc.php

It extracts the path to your "config" folder from the environment variable of your web server.
Add the following line to your web server's configuration file:
SetEnv MANTIS_CONFIG_FOLDER /path to your config folder/

123

123

2018-05-15 05:17

reporter   ~0059792

Indeed, there is a problem. Sorry...

amphetamine

amphetamine

2020-05-05 01:44

reporter   ~0063957

still there in 2.24.1

lega4

lega4

2020-05-17 08:57

reporter   ~0063995

Last edited: 2020-05-17 09:31

Even if one updates the variables to point to the outside, apparently path to "core" folder is hardcoded at https://github.com/mantisbt/mantisbt/blob/master/core.php#L67, so it makes no sense to copy core folder outside of webroot.

Update: found several more hardcoded paths:

=> so those checks don't make any sense now, there is no way to fix them. Please remove them until it's possible to make them green without dirty hacks.

rogueresearch

rogueresearch

2020-07-22 14:06

reporter   ~0064176

I've just run into this too updating to 2.24.1. (Also I don't recall this warning in previous versions.)

rogueresearch

rogueresearch

2021-06-21 16:48

reporter   ~0065641

Just as a datapoint: I installed a fresh 2.25.2 on a fresh server and saw this again.