Security related issue in ImageGallery

anthoro

Community Member, 4 Posts

5 October 2010 at 3:16am

I'm having trouble using the ImageManager module. There is some security issue going on between 2 users, my user account (myaccount) and the apache user (www-data).

When I uploaded the site, it was created with my user account (myaccount). The same account is used when I upload files or create folders using FTP. No problem with that.

Files and folders created through the website however, are created with the apache user (www-data).
This is where I think things start to go wrong.
When a new ImageGalleryPage is created, it successfully creates the 'New-ProjectPage' in the assets/image-gallery/ folder (with owner 'www-data' and mask 0755). When the module tries to create a new sub-folder ('Default Album'), the error occurs.

I'm using the latest versions of SilverStripe v2.4.2, ImageGallery v1.0 r493 and DataObjectManager r504.

Is there anyone that can help me with this issue as this is blocking me from further developing this site with SilverStripe?

The AddPageOptionsForm action returns the following error:

ERROR [Warning]: mkdir() [<a href='function.mkdir'>function.mkdir</a>]: SAFE MODE Restriction in effect. The script whose uid is 10096 is not allowed to access /var/www/vhosts/myaccount/httpdocs/assets/image-gallery/New-ProjectPage owned by uid 33
IN POST /admin/AddPageOptionsForm
Line 26 in /var/www/vhosts/myaccount/httpdocs/sapphire/filesystem/Filesystem.php

Source
======
17: * Create a folder on the filesystem, recursively.
18: * Uses {@link Filesystem::$folder_create_mask} to set filesystem permissions.
19: * Use {@link Folder::findOrMake()} to create a {@link Folder} database
20: * record automatically.
21: *
22: * @param String $folder Absolute folder path
23: */
24: static function makeFolder($folder) {
25: if(!file_exists($base = dirname($folder))) self::makeFolder($base);
* 26: if(!file_exists($folder)) mkdir($folder, Filesystem::$folder_create_mask);
27: }
28:
29: /**
30: * Remove a directory and all subdirectories and files.
31: *
32: * @param String $folder Absolute folder path

Trace
=====
mkdir(/var/www/vhosts/myaccount/httpdocs/assets/image-gallery/New-ProjectPage/Default-Album/,511)
line 26 of Filesystem.php

Filesystem::makeFolder(/var/www/vhosts/myaccount/httpdocs/assets/image-gallery/New-ProjectPage/Default-Album/)
line 54 of Folder.php

Folder::findOrMake(image-gallery/New-ProjectPage/Default Album)
line 104 of ImageGalleryPage.php

ImageGalleryPage->requireDefaultAlbum()
line 86 of ImageGalleryPage.php

ImageGalleryPage->checkFolder()
line 63 of ImageGalleryPage.php

ImageGalleryPage->onAfterWrite()
line 1056 of DataObject.php

DataObject->write()
line 559 of CMSMain.php

CMSMain->addpage(Array,Form,SS_HTTPRequest)
line 300 of Form.php

Form->httpSubmission(SS_HTTPRequest)
line 137 of RequestHandler.php

RequestHandler->handleRequest(SS_HTTPRequest)
line 155 of RequestHandler.php

RequestHandler->handleRequest(SS_HTTPRequest)
line 147 of Controller.php

Controller->handleRequest(SS_HTTPRequest)
line 281 of Director.php

Director::handleRequest(SS_HTTPRequest,Session)
line 124 of Director.php

Director::direct(/admin/AddPageOptionsForm)
line 127 of main.php
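
An added diagnostic example, not part of the original post and not SilverStripe or PHP code: it reproduces the owner comparison reported in the SAFE MODE error above (uid of the script file versus uid of the existing directory that mkdir() has to write into) and lists every directory under a tree with a different owner. The function names are hypothetical, and it assumes a POSIX shell with ls, awk and find.

```shell
#!/bin/sh
# Added example: compare the owner of a PHP script with the owner of the
# directory a mkdir() call would write into, as in the error message above.

# owner_uid PATH -> numeric uid of PATH's owner (parsed from `ls -ldn`).
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# nearest_existing PATH -> PATH if it exists, else its closest existing
# ancestor, i.e. the directory in which the missing folder would be created.
nearest_existing() {
    p=${1%/}
    while [ -n "$p" ] && [ ! -e "$p" ]; do
        p=$(dirname -- "$p")
    done
    printf '%s\n' "${p:-/}"
}

# uid_check SCRIPT_UID TARGET -> prints "ok DIR UID" or "mismatch DIR UID";
# returns 0 when the owners match and 1 when they differ.
uid_check() {
    dir=$(nearest_existing "$2")
    uid=$(owner_uid "$dir")
    if [ "$uid" = "$1" ]; then
        echo "ok $dir $uid"
    else
        echo "mismatch $dir $uid"
        return 1
    fi
}

# mismatched_dirs SCRIPT_UID ROOT -> every directory under ROOT whose owner
# is not SCRIPT_UID (find treats a numeric -user argument as a uid).
mismatched_dirs() {
    find "$2" -type d ! -user "$1" -print
}

# Usage: sh check.sh SCRIPT_FILE TARGET_PATH
# e.g. SCRIPT_FILE = sapphire/filesystem/Filesystem.php and
#      TARGET_PATH = the folder named in the mkdir() warning.
if [ "$#" -eq 2 ]; then
    uid_check "$(owner_uid "$1")" "$2"
fi
```

With the paths from the post, a "mismatch" line names the directory and owner uid that the warning complains about; `mismatched_dirs` shows how far the mixed ownership extends under assets/.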

anthoro

Community Member, 4 Posts

7 October 2010 at 1:11am