[#7129] - Rebased download system/environment information
- Closed
- 3 Nov 2015
- Medium
- Build: staging
- Easy Test
- # 7129
- Diff
- phproberto:radek-6021
- Success Human Test Results: 2 Successful 0 Failed. Details
User tests: Successful: Unsuccessful:
This is a rebased version of #6021 See description there
I have added suggestions by @roland-d and small code style fixes.
#6021
Implementing a possibility to download system/environment information for support purposes.
The output is a text file which is probably not the best solution. Hope for some input.
It adds a button in "administrator/index.php?option=com_admin&view=sysinfo" which allows to create a text file with all relevant settings.
All sensitive informations should have been removed.
@phproberto take a look at phproberto#1
joomla-cms-bot
- | Labels |
Added:
?
?
|
||
| Labels |
Added:
?
|
||
| Labels |
Added:
?
|
||
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2015-06-06 10:21:16 |
| Closed_By | ⇒ | phproberto |
| Status | Closed | ⇒ | New |
| Closed_Date | 2015-06-06 10:21:16 | ⇒ | |
| Closed_By | phproberto | ⇒ |
@test ok Thanks @Radek-Suski @phproberto
| Status | New | ⇒ | Pending |
| Rel_Number | 0 | ⇒ | 6021 |
| Relation Type | ⇒ | Related to | |
| Easy | No | ⇒ | Yes |
| Category | ⇒ | Administration Components |
| Labels |
Added:
?
|
||
| Labels |
Added:
?
|
||
| Milestone |
Added: |
||
@phproberto Should we be outputting the host paths in the PATH, SystemRoot, COMSPEC, WINDIR, error_log, extension_dir, include_path, upload_tmp_dir, and session.save_path variables?
@phproberto Should we be outputting the host paths in the PATH, SystemRoot, COMSPEC, WINDIR, error_log, extension_dir, include_path, upload_tmp_dir, and session.save_path variables?
@roland-d in my opinion anything that gets private info that may involve security issues should be skipped. I don't see issues with paths relative to system libs. Maybe Phil Taylor (I forgot his github username) can help us here. I'll ping him to see if he can check it.
- PATH. Already disabled
- SystemRoot. I need more info. Windows thing?
- WINDIR. I need more info. Windows thing?
- error_log. Already disabled
- extension_dir. Not dangerous IMO
- include_path. Not dangeour IMO
- upload_tmp_dir. Already disabled
- session.save_path. Already disabled
@PhilETaylor :-)
The %SystemRoot% variable is a special system-wide environment variable found on Windows NT and its derivatives. Its value is the location of the system directory, including the drive and path. E.g c:\windows\system32
The %WINDIR% is where windows is installed, E.g c:\windows
All of the information in your post is available to hackers with a single line of code anyway - so as long as the exporting of this information is restricted to Super Admins, authenticated and logged in, then its no more of a security risk while displaying the data on the site.
Those that argue otherwise, would probably be the people still recommending moving configuration.php outside the public_html folder - doh!
What is done with the information AFTER it is extracted is another matter - when its posted in open forum etc... thats when this becomes a "security" issue.
Knowing these paths for support purposes is not normally needed, what is more important is a check that the path actually exists, and is writable most of the time. One doesn't care where they are configured to point at, one cares if they are useable.
extension_dir should probably never be writable as this is a system folder and not a folder PHP should have access to on a per site basis
Quite frankly if you are having issues with include_path, upload_tmp_dir, and session.save_path then you need a better webhost - these should be set on a hosting level and not messed around with on a per Joomla install level.
@PhilETaylor this is information to export. So I'd see the most likely use case as a user giving this info to extension dev's to replicate environments etc
Then the question is how much do you trust extension developers :-)
Exporting absolute paths will not help extension developers replicate environments...
I was trying to remove all security relevant data from the output. I agree with Phil. The issue is when someone will post these data in forum etc
I have removed the information that won't help in any way to replicate enviroments. I think is better that we are more restrictive and then wait for someone asking that some information would be useful.
I'd like that a Windows user confirms that there is no private information shared there.
BTW thanks @PhilETaylor for checking it!
No worries :-)
Tested and it works BUT
Is there a reason that the order of each section in the download does not match the order of the tabs.
I think it would be better if the name of each section matched the name of the tabs
-
When hiding information in the download sometimes
xxxxxxis used and sometimessetI think it is better to be consistent and usexxxxxxor was there a specific reason to do this differently that I missed
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/7129.
Thanks for the feedback @brianteeman.
I have rebased the PR against latest staging and based in your comments:
- Both text + json sections now follow the tabs order.
- Text file sections now use same titles than the tabs + additional string for Extensons.
- JSON still uses same keys instead of titles because using translatable titles here would make harder process the file with external tools.
- For consistency I replaced
setwithxxxxxx. Oldnot setstrings will just be empty. That way is easier to track all the information that has been set as private.
Any reason not to translate the number of seconds used in the title of the file produced to a real date as this number looks like it is the time elapsed since the epoch time?
Something like:
$today = date("Y-m-d_H-i-s"); // or $today = date("c");
[...]
header('Content-Disposition: attachment; filename="systeminfo-' . $today . '.txt"');
@phproberto Can you follow up on @infograf768 question? Thanks.
PR updated and @infograf768 's suggestion to get a human readable date implemented.
Thanks!
I have tested this item 
successfully on c823c3e
Works great. Filename is now something like: systeminfo-2015-11-03T09-43-44+01-00.json and systeminfo-2015-11-03T09-43-30+01-00.txt
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/7129.
I have tested this item successfully on c823c3e
Obviously the security issues are clarified. Technically it works perfekt.
As those informations are for supporters, some toughts of me as a forum moderator/supporter:
Due to extensions, important infos for supporting are (beside others of course):
- what 3rd party extensions are installed (id > 700, #__extensions)
- wich plugins are published and their (fire-)ordering
- wich templates are involved/having page assignments
Core Components whow are maintained by the core are mostly irrelevant for support. And Modules too, as they 'living' all in their own 'universe', not interfere/manipulate with other extension parts. Templates who are not involved are irrelevant.
But I think that's all stuff for another rainy day 
But for the first implementation I would advise to add the publish state at least for plugins and modules, and ordering of the plugins groupwise + ordering ASC
Just my 20 cents. But anyway, it's a helpful feature for the future. Thanks for the work.
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/7129.
| Status | Pending | ⇒ | Ready to Commit |
| Labels | |||
Thanks lets RTC here and you can send you improvments with another PR or open a new issue for it ok? Thanks.
This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/7129.
| Labels |
Added:
?
|
||
Sure, that's what I mean with
"But I think that's all stuff for another rainy day "
| Status | Ready to Commit | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2015-11-03 20:43:55 |
| Closed_By | ⇒ | roland-d |
| Labels |
Removed:
?
|
||
@phproberto I get both on json and txt the following error code in the beginning of the files:
or simplified:
Notice: Trying to get property of non-object in /Users/dimitris/Documents/github_projects/joomla1/administrator/components/com_admin/models/sysinfo.php on line 424
Notice: Trying to get property of non-object in /Users/dimitris/Documents/github_projects/joomla1/administrator/components/com_admin/models/sysinfo.php on line 425
Notice: Trying to get property of non-object in /Users/dimitris/Documents/github_projects/joomla1/administrator/components/com_admin/models/sysinfo.php on line 426
Notice: Trying to get property of non-object in /Users/dimitris/Documents/github_projects/joomla1/administrator/components/com_admin/models/sysinfo.php on line 427
Notice: Trying to get property of non-object in /Users/dimitris/Documents/github_projects/joomla1/administrator/components/com_admin/models/sysinfo.php on line 428
Notice: Trying to get property of non-object in /Users/dimitris/Documents/github_projects/joomla1/administrator/components/com_admin/models/sysinfo.php on line 429