agreif
12 Sep 2015

Hi,
I have the following installation:
nginx, fastCGI, php-fpm.
php-fpm lives in a chroot.

problem:
the update files are extracted to the wrong position if the php-fpm chroot is exactly the joomla-home:

/var/www/php_chroot/
                .../configuration.php
                .../administrator
                ...

After some debugging I found that the problem is the following:
JPATH_ROOT is "" and
JPATH_SITE is ""
but these are used in the reconstruction.php as the zip-extraction destination path. And if they are an empty string then the zip contents are extracted somewhere where the currently executing php-script lives:

/var/www/php_chroot/administrator/components/com_joomlaupdate

instead of directly in root ("/")

So I think the bugfix would be to check whether JPATH_SITE is an empty string, and in this case to set it to "/" (root).

BTW everything works fine if the php-chroot is not the same as the joomla-home, say the joomla-home is one or more levels deeper like:

/var/www/php_chroot/docroot_joomla
                              .../configuration.php
                              .../administrator
                              ...

In this case
JPATH_ROOT is "/docroot_joomla" and
JPATH_SITE is "/docroot_joomla"

thanks,
ALex.

agreif - open - 12 Sep 2015
zero-24 - change - 17 Sep 2015
Labels Added: ?
zero-24 - change - 17 Sep 2015
Category Libraries
thebodzio - comment - 24 Oct 2015

I fixed the problem you've mentioned in my fork: https://github.com/thebodzio/joomla-cms.

However, there's more to it than that. In administrator/components/com_joomlaupdate there's a restore.php file. It seems to be responsible for extracting updates. I can't do a proper analysis, but there's a lot of “rtrims” and “str_replaces” on kickstart.setup.destdir (AKA JPATH_SITE—set in administrator/components/com_joomlaupdate/models/default.php). These “trims” and “replaces” are stripping slashes from the path.

IMHO that's a perfect suspect.
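
The root-path edge case described in the report and in the comment above, as an added example (not Joomla's code and not from either poster): trimming trailing slashes turns the root "/" into an empty string, and an empty destination is no longer an absolute path. The helper names `naiveDestDir`, `rootSafeDestDir` and `targetPath` are hypothetical, the inputs are constructed, and POSIX-style paths are assumed.

```php
<?php
// Added example: helper names are hypothetical, not Joomla's own code.

/** Trim trailing separators with rtrim/str_replace, as the thread describes. */
function naiveDestDir(string $dir): string
{
    return rtrim(str_replace('\\', '/', $dir), '/');
}

/** Same normalisation, but an empty result is mapped back to the root "/". */
function rootSafeDestDir(string $dir): string
{
    $trimmed = naiveDestDir($dir);
    return $trimmed === '' ? '/' : $trimmed;
}

/** Build the extraction target; refuse destinations that are not absolute. */
function targetPath(string $destDir, string $entry): string
{
    if ($destDir === '' || $destDir[0] !== '/') {
        // A relative destination would be resolved against getcwd(),
        // i.e. the directory of the running script in the report above.
        throw new InvalidArgumentException("destination is not absolute: '$destDir'");
    }
    return rtrim($destDir, '/') . '/' . ltrim($entry, '/');
}

// Constructed inputs: chroot equals the Joomla home ("/" or ""), and the
// layout from the report where the Joomla home is one level deeper.
foreach (['/', '', '/docroot_joomla/'] as $jpathSite) {
    $entry = 'administrator/index.php';
    try {
        $naiveTarget = targetPath(naiveDestDir($jpathSite), $entry);
    } catch (InvalidArgumentException $e) {
        $naiveTarget = 'REJECTED (' . $e->getMessage() . ')';
    }
    $safeTarget = targetPath(rootSafeDestDir($jpathSite), $entry);
    printf("JPATH_SITE=%s\n  naive: %s\n  safe:  %s\n",
        var_export($jpathSite, true), $naiveTarget, $safeTarget);
}
```

Failing closed on a non-absolute destination keeps an updater from writing archive contents into whatever directory the script happens to run from.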

tonypartridge - comment - 19 Mar 2017

Should we look to close this? It was raised in 2015 and there have not been any references to it since then.....

@brianteeman

rdeutz - comment - 19 Mar 2017

closing, can be reopened when confirmed in actual staging

rdeutz - change - 19 Mar 2017
The description was changed
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2017-03-19 08:36:51
Closed_By: rdeutz
rdeutz - close - 19 Mar 2017
