
not within the allowed path - warning after installation

Posted: Thu Oct 05, 2017 5:34 am
by todavy
Every time I reinstall OC 3.0.2.0 on my webserver I get this warning at the top of the admin page:

Code:

Warning: realpath(): open_basedir restriction in effect. File(/home/httpd/vhosts/mydomain.com) is not within the allowed path(s): (/home/httpd/vhosts/mydomain.com/httpdocs/:/tmp/) in /home/httpd/vhosts/mydomain.com/httpdocs/admin/controller/common/security.php on line 26
It disappears if I change

Code:

$data['document_root'] = str_replace('\\', '/', realpath($this->request->server['DOCUMENT_ROOT'] . '/../') . '/');
to

Code:

$data['document_root'] = str_replace('\\', '/', realpath($this->request->server['DOCUMENT_ROOT'] . '') . '/');
in the file admin/controller/common/security.php
Is this a bug or just some security problem on my webserver? Would my code change affect some other function? :-\
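Why the original line warns and the edited one does not, as an added example that is not part of the original post and is not OpenCart code: it checks both realpath() arguments against the open_basedir list quoted in the warning. The function names and the fallback guard are hypothetical, and the check is a simplified string comparison that does not resolve symlinks.

```php
<?php
// Added example, not OpenCart code. Paths are copied from the warning above.

// Lexically collapse "." and ".." in an absolute path without touching the
// filesystem, so the check itself cannot trigger an open_basedir warning.
function normalize_path(string $path): string {
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') continue;
        if ($seg === '..') { array_pop($parts); continue; }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

// True if $path equals one of the open_basedir directories or lies below one.
// Simplified assumption: entries are treated as directories, ':' is the
// separator (use PATH_SEPARATOR for a live ini_get('open_basedir') value).
function is_within_open_basedir(string $path, string $open_basedir): bool {
    if ($open_basedir === '') return true; // no restriction configured
    $path = rtrim(normalize_path($path), '/') . '/';
    foreach (explode(':', $open_basedir) as $allowed) {
        if ($allowed === '') continue;
        $allowed = rtrim(normalize_path($allowed), '/') . '/';
        if (strncmp($path, $allowed, strlen($allowed)) === 0) return true;
    }
    return false;
}

// Hypothetical guard: use the parent of the web root only when PHP is
// allowed to see it, otherwise fall back to the web root itself.
function pick_document_root(string $docroot, string $open_basedir): string {
    $parent = $docroot . '/../';
    $target = is_within_open_basedir($parent, $open_basedir) ? $parent : $docroot;
    return rtrim(normalize_path($target), '/') . '/';
}

$open_basedir = '/home/httpd/vhosts/mydomain.com/httpdocs/:/tmp/';
$docroot      = '/home/httpd/vhosts/mydomain.com/httpdocs';

var_dump(is_within_open_basedir($docroot . '/../', $open_basedir)); // original line's argument
var_dump(is_within_open_basedir($docroot, $open_basedir));          // edited line's argument
echo pick_document_root($docroot, $open_basedir), "\n";             // restricted host
echo pick_document_root($docroot, ''), "\n";                        // no open_basedir set
```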

Re: not within the allowed path - warning after installation

Posted: Fri Oct 27, 2017 1:32 pm
by bonnie65
I tried what you said and it worked.

I don't know if it's a bug or what but it was happening to me also until I did what you suggested above.
I hope someone will address this soon for both of us but for the time being I'm with what you did.

Re: not within the allowed path - warning after installation

Posted: Fri Oct 27, 2017 8:35 pm
by straightlight
This issue has now been addressed.

Re: not within the allowed path - warning after installation

Posted: Sat Oct 28, 2017 12:25 pm
by bonnie65
But my question is: by doing the edit above, does it create a security issue or not?

Re: not within the allowed path - warning after installation

Posted: Sat Oct 28, 2017 9:41 pm
by straightlight
If the root path of your domain has been restricted not to go beyond any parent paths on your FTP, it would not create any leaks at this point. Although, the original code may also not prevent anyone from trying to change directory to a prior folder when the root path is still not restricted. Which means your provided solution will not make any difference to folder security, only to accessibility.

Re: not within the allowed path - warning after installation

Posted: Sun Oct 29, 2017 11:49 am
by bonnie65
Thank you straightlight

At least I know I'm covered then, because on my live server (VPS) I shut down FTP after I've uploaded everything anyway.

Re: not within the allowed path - warning after installation

Posted: Sun Oct 29, 2017 8:47 pm
by straightlight
bonnie65 wrote:
Sun Oct 29, 2017 11:49 am
Thank you straightlight

At least I know I'm covered then, because on my live server (VPS) I shut down FTP after I've uploaded everything anyway.
Wise precaution. Although, if you need to edit PHP files from your file manager host console, make sure to re-upload the files with the right charset settings. Otherwise, your files might get corrupted.

Re: not within the allowed path - warning after installation

Posted: Wed Feb 21, 2018 10:52 am
by freebox
This problem still occurs. The script should not require an executable path for PHP in its parent directory, over DOCUMENT_ROOT.

Re: not within the allowed path - warning after installation

Posted: Wed Feb 21, 2018 1:40 pm
by IP_CAM
One of those could possibly be of help in such situations:
---
GGW Installer fix Allow ALL directories to be written
https://www.opencart.com/index.php?rout ... n_id=31130
---
Remove "Important Security Notification" 3.x
https://www.opencart.com/index.php?rout ... n_id=31807
----