1. n3t
  2. RO CSVI
  3. Friday, 18 August 2017
Hello,

I just installed CSVI 7.2.3 on my server. Note that I have the tmp folder outside of the Joomla root, so the /tmp folder does not exist. If I check the About page in CSVI, I find the following:

/somepath/.tmp Writable
/somepath/www/tmp/com_csvi Folder not writable
/somepath/www/tmp/com_csvi/export Folder not writable
/somepath/www/logs/ Writable


Does CSVI really require a tmp folder in the root, or is the About report just mistaken?

thanks

Pavel
Hello Pavel,

The tmp folder CSVI uses is constructed as JPATH_SITE . '/tmp/com_csvi'. So CSVI is really looking in the tmp folder from the Joomla root. What is the reason why the tmp folder has been moved out of the Joomla root?
Kind regards,

RolandD

=========================
If you use our extensions, please post a rating and a review at the Joomla! Extension Directory
  1. more than a month ago
  2. RO CSVI
  3. # 1
Hello,

Joomla allows you to specify an absolute path for the logs, tmp and (since 3.7) cache folders in the global configuration. I put these folders outside of the Joomla root for security reasons. Logs is clear; the tmp folder was many times in the past the target of attacks. It is even the official Joomla recommendation, see https://docs.joomla.org/Security_Checklist/Joomla!_Setup

The correct way to check the tmp folder in Joomla should be, IMHO:

JFactory::getConfig()->get('tmp_path');


Pavel
  1. more than a month ago
  2. RO CSVI
  3. # 2
Hey Pavel,

We used to use the tmp_path using the code you provided and that broke CSVI on quite a few sites due to incorrect log settings or rather no setting at all.

The documentation you linked has the text:
"Change this to a place that a casual browser cannot find (and don't pick /tmp/), or lock it down with http authentication. Because we are dealing with Open Source software, attackers can read the code of third-party extensions and may be able to guess log file names."
To some extent I agree with this, but you can also put an .htaccess in this folder with a Deny from all. This will prevent reading the content of this folder as well.
Kind regards,

RolandD

  1. more than a month ago
  2. RO CSVI
  3. # 3
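
Added example (not CSVI code and not the patch attached later in this thread): one way to reconcile the two positions above is to prefer the configured tmp_path and fall back to the site-root tmp only when that setting is empty or unusable, reporting whether the chosen folder lies inside the web root. The function name, return keys and demo paths are assumptions; in Joomla the two inputs would be JFactory::getConfig()->get('tmp_path') and JPATH_SITE.

```php
<?php
// Added example, not CSVI code. Names and return keys are hypothetical.
function resolveTmpFolder(?string $configuredTmp, string $siteRoot, string $sub = 'com_csvi'): array
{
    $candidates = [];
    // Prefer the configured path, but only if a value is actually set.
    if ($configuredTmp !== null && trim($configuredTmp) !== '') {
        $candidates['config'] = rtrim(trim($configuredTmp), '/\\');
    }
    // Site-root tmp is the fallback for sites with no or a broken setting.
    $candidates['fallback'] = rtrim($siteRoot, '/\\') . '/tmp';
    $root = realpath($siteRoot);

    foreach ($candidates as $source => $base) {
        if (!is_dir($base) || !is_writable($base)) {
            continue; // missing or read-only: try the next candidate
        }
        $target = $base . '/' . $sub;
        if (!is_dir($target) && !@mkdir($target, 0700, true)) {
            continue;
        }
        $real = realpath($target);
        // Inside the web root means the folder needs an access-deny rule.
        $inside = $root !== false
            && strpos($real . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) === 0;
        return ['path' => $real, 'source' => $source, 'inside_site_root' => $inside];
    }
    throw new RuntimeException('No writable tmp folder found');
}

// Constructed demo layout under the system temp dir (not a real site).
$demo = sys_get_temp_dir() . '/tmpdemo_' . uniqid();
mkdir("$demo/www/tmp", 0700, true);     // Joomla root with the default tmp
mkdir("$demo/private_tmp", 0700, true); // tmp moved outside the root

// Configured outside root, no setting at all, setting pointing nowhere.
foreach (["$demo/private_tmp", '', "$demo/missing"] as $configured) {
    $r = resolveTmpFolder($configured, "$demo/www");
    printf("%-8s inside_site_root=%s %s\n", $r['source'],
        $r['inside_site_root'] ? 'yes' : 'no', $r['path']);
}
```

Only the first case resolves to the folder outside the root; the other two fall back to www/tmp and are flagged as inside the site root, which is where a deny rule such as the .htaccess mentioned above would be needed.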
Hi,

I can use htaccess, that is true; for me it is just a cleaner solution to put the folder outside of the root. OK, this is not a big deal, it was just the first thing I mentioned when going through CSVI. However, please consider this in the future. It seems a bit strange that, because of badly configured sites, CSVI does not work out of the box on correctly configured sites (even if maybe uncommon).

Pavel
  1. more than a month ago
  2. RO CSVI
  3. # 4
Hey Pavel,

"It seems a bit strange that, because of badly configured sites, CSVI does not work out of the box on correctly configured sites (even if maybe uncommon)."
There are simply more sites badly configured than there are sites uncommonly configured :)

I will have another look at this.
Kind regards,

RolandD

  1. more than a month ago
  2. RO CSVI
  3. # 5
"There are simply more sites badly configured than there are sites uncommonly configured :)"

I am afraid that you are completely right :-)
Ok, thanks for your effort...
  1. more than a month ago
  2. RO CSVI
  3. # 6
Hello,

So I had some time to think about this and came up with an idea. I believe this should work for you as well. If you can apply the attached patch file and see if that works for you. Let me know how it goes.
Attachments (1)
Kind regards,

RolandD

  1. more than a month ago
  2. RO CSVI
  3. # 7
Hello,

Did the patch work for you?
Kind regards,

RolandD

  1. more than a month ago
  2. RO CSVI
  3. # 8
Hi,

Sorry for the late reply, I was on my holiday.

- when installing the patch itself, it creates the path in the www/tmp folder, instead of in the one configured in the global configuration
- after applying the patch, the About screen reports the correct folders.
- when running an export, everything works, however www/tmp/com_csvi/export is still being created

Pavel
  1. more than a month ago
  2. RO CSVI
  3. # 9
Hello Pavel,

That the path is still created when installing the patch is to be expected because you are still running the old code at that point. That the folder is still being created is now fixed in the attached patch file.

If you could give it another try please. In my case, no tmp folder has been created in the Joomla root.
Attachments (1)
Kind regards,

RolandD

  1. more than a month ago
  2. RO CSVI
  3. # 10
Hi,

I tried installing the patch again, and you are right: the second time, during installation, the patch path was created in the correct folder.
However, when running a simple VM export, com_csvi/export is still being created in the tmp folder in the www root, not in the path from the global configuration.

Please see the attached patch; this solved the issue for me. However, there are more places in the code (for example in the VM addon in /com_virtuemart/model/maintenance.php) where JPATH_SITE .'/tmp' is hardcoded. Also, csvi.php in the frontend should be modified in a similar way to your patch.

Pavel
Attachments (1)
  1. more than a month ago
  2. RO CSVI
  3. # 11
Hello Pavel,

Yes, it seems I missed a few places. I believe the attached patch file has all the fixes in place. Can you give it another run? Thank you.
Attachments (1)
Kind regards,

RolandD

  1. more than a month ago
  2. RO CSVI
  3. # 12