• Resolved maltfield

    (@maltfield)


    First, thanks for the great plugin.

    I discovered a bug: vcaching currently errors-out when attempting to generate varnish config files when the “upload_tmp_dir” is set to something other than “/tmp”.

    PHP is commonly hardened by using an alternate dir for storing temporary files other than “/tmp” (and consequently leaving it out of the “open_basedir” list)–since the “/tmp” directory is necessarily world-writable. For example, this hardening guide recommends setting “upload_tmp_dir = /var/lib/php/tmp_upload” in /etc/php.ini

    * https://howtogetonline.com/how-to-harden-your-php-for-better-security.php

    Unfortunately, the current version of vcaching.php has the lines:

    $tmpfile = tempnam("tmp", "zip");

    which errors-out with this

    
    [Mon Nov 13 18:26:08.125913 2017] [:error] [pid 16227] [client 127.0.0.1:42956] PHP Warning:  tempnam(): open_basedir restriction in effect. File(/tmp) is not within the allowed path(s): (/home/wp/.wp-cli:/usr/share/pear:/var/lib/php/tmp_upload:/var/lib/php/session:/var/www/html/) in /var/www/html/htdocs/wp-content/plugins/vcaching/vcaching.php on line 915, referer: https://mysite/wp-admin/index.php?page=vcaching-plugin&tab=conf
    [Mon Nov 13 18:26:08.125948 2017] [:error] [pid 16227] [client 127.0.0.1:42956] PHP Warning:  ZipArchive::open(): Empty string as source in /var/www/html/htdocs/wp-content/plugins/vcaching/vcaching.php on line 917, referer: https://mysite/wp-admin/index.php?page=vcaching-plugin&tab=conf

    The first argument to the “tempnam()” function should be changed to a variable, which is set to the result of the “sys_get_temp_dir()” function.

    * https://secure.php.net/manual/en/function.sys-get-temp-dir.php
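
Added example (not part of the original post and not vcaching's own code): one way to create the temporary zip file so that it works under an `open_basedir` restriction and fails loudly instead of passing an empty path to `ZipArchive::open()`. The helper names `candidate_temp_dirs()` and `make_temp_file()` are hypothetical, the zip entry is constructed sample content, and the code assumes PHP 7.4+ with the zip extension.

```php
<?php
// Added example; not vcaching's own code. Function names are hypothetical.

// sys_get_temp_dir() honours the sys_temp_dir ini setting; upload_tmp_dir is
// a separate setting, so it is listed explicitly as a second candidate.
function candidate_temp_dirs(): array
{
    $dirs = [sys_get_temp_dir(), (string) ini_get('upload_tmp_dir')];
    return array_values(array_unique(array_filter($dirs, fn($d) => $d !== '')));
}

// Create a temp file in the first usable directory and return its path.
// Throws rather than passing false/"" on to ZipArchive::open().
function make_temp_file(string $prefix, array $dirs): string
{
    foreach ($dirs as $dir) {
        // @ hides the open_basedir warning; the return value is checked instead.
        if (!@is_dir($dir) || !@is_writable($dir)) {
            continue;
        }
        $file = @tempnam($dir, $prefix);
        if ($file === false) {
            continue;
        }
        // tempnam() can fall back to the system temp dir, so confirm the
        // file was created in the directory that was requested.
        if (realpath(dirname($file)) === realpath($dir)) {
            return $file;
        }
        @unlink($file);
    }
    throw new RuntimeException('No temp directory is writable and allowed by open_basedir');
}

$tmpfile = make_temp_file('zip', candidate_temp_dirs());
$zip = new ZipArchive();
if ($zip->open($tmpfile, ZipArchive::OVERWRITE) !== true) {
    unlink($tmpfile);
    throw new RuntimeException("Cannot open $tmpfile as a zip archive");
}
$zip->addFromString('default.vcl', "vcl 4.0;\n"); // constructed sample content
$zip->close();
echo "wrote $tmpfile\n";
unlink($tmpfile);
```

With only `upload_tmp_dir` moved and `sys_temp_dir` left unset, `sys_get_temp_dir()` still returns `/tmp`, which is why the second candidate is needed on a host configured like the one in the log above.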

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘support non “/tmp” upload dir’ is closed to new replies.