View Issue Details

This bug affects 1 person(s).
 12
IDProjectCategoryView StatusLast Update
16613Bug reportsPluginspublic2021-03-19 10:33
ReporterDietrich Streifert Assigned ToLimeBot  
PrioritynormalSeverityminor 
Status feedbackResolutionopen 
Product Version4.3.10 
Summary16613: plugin manager ommits installation of files in path upload/plugins/limeMpdf/views/subview/svg when installing limeMpdf
Description

I've installed the limeMpdf plugin from https://gitlab.com/SondagesPro/coreAndTools/limeMpdf and used the test links offered in Plugin Manager present for the limeMpdf plugins settings tab.

The tests do not work because files contained in the Installation zip file are not copied over in the target path upload/plugins/limeMpdf/views/subview/svg

Manually installing those files from the zip resolved the problem.

Steps To Reproduce

Download the limeMpdf plugin installation file from https://dl.sondages.pro/limeMpdf.zip
Install it with the LimeSurvey Plugin manager found under "Configuration" -> "Settings" -> "Plugin manager" and there the button "Install ZIP".
After installation find the plugin "llimePDF" in the plugin list and click on that line to open the "Settings" tab of the plugin.
Click on one of the displayed demonstration links
See the error message "Server Error 500"

TagsNo tags attached.
Bug heat12
Complete LimeSurvey version number (& build)Version 4.3.10+200812
I will donate to the project if issue is resolvedNo
Browser
Database type & versionirrelevant
Server OS (if known)
Webserver software & version (if known)
PHP Version7.3

Users monitoring this issue

DenisChenu

Activities

Dietrich Streifert

Dietrich Streifert

2020-08-24 12:50

reporter   ~59587

See issue SondagesPro issue https://gitlab.com/SondagesPro/coreAndTools/limeMpdf/-/issues/3

LimeBot

LimeBot

2020-09-10 11:18

administrator   ~59767

Hi ,

In LS4 Uploading SVG Files are restricted for security reasons .They files will be deleted after unzip. So the Plugin developper should replace the svg files (Even if the are integrated in a twig file) with png or jpeg files. But you have the possibility to upload it manually (At your own risk) to your own host.

DenisChenu

DenisChenu

2020-09-15 16:42

developer   ~59829

Last edited: 2020-09-15 16:43

@eddylackmann : it's Plugins upload, not template upload …

plugins upload alrteady allow PHP files …

And here : it's twig file with svg content …

DenisChenu

DenisChenu

2020-09-15 16:43

developer   ~59830

I check : but bthhink rename .svg.twig to _svg.twig can work …

DenisChenu

DenisChenu

2020-09-17 16:07

developer   ~59862

@eddylackmann : i confirm : same file renamed with .svg.twig : it's OK.

  1. Any file with .svg inside : deleted : this is a bad control …
  2. You can not allow php file but disallow svg
DenisChenu

DenisChenu

2020-09-17 16:10

developer   ~59863

In LS4 Uploading SVG Files are restricted for security reasons .

You can not allow PHP (and js) file but not svg

They files will be deleted after unzip.

It's false here : any file contain .svg in name seems deleted (i can create a sample plugin)

But you have the possibility to upload it manually (At your own risk) to your own host.

We already show an alert about plugin : plugin contain PHP file . More risk than a XSS here …

DenisChenu

DenisChenu

2020-09-17 17:03

developer   ~59864

svgPlugin.zip (1,571 bytes)
DenisChenu

DenisChenu

2020-09-17 17:04

developer   ~59865

    public function beforeActivate()
    {
        $checkFile = is_file("checkexist.svg.txt");
        if(!$checkFile) {
            $this->getEvent()->set("success",false);
            $this->getEvent()->set("message","The file didn't exist");
        }
    }
Mazi

Mazi

2020-12-07 10:25

updater   ~60846

I the core problem related to the SVG or to the path settings? Because when uploading from a ZIP file the files get into a different folder /limesurvey/upload/... compared to uploading manually to /limesurvey/plugins which is the old, default plugin path e.g. at LS3.x.
It was mentioned that manually installing the plugin did the trick for the user so maybe it's the path problem?

LimeBot

LimeBot

2020-12-07 11:45

administrator   ~60856

@mazi in LS4 the new publing path is located at /limesurvey/upload/plugings/ it can be the problem if you hardcoded the path in your code.

DenisChenu

DenisChenu

2020-12-07 14:30

developer   ~60857

Something i use a lot , in init
Yii::setPathOfAlias(get_class($this), dirname(__FILE__));

See https://github.com/LimeSurvey/LimeSurvey/commit/09a17aa296b366103184e4bc957a297d65d8944c

LimeBot

LimeBot

2020-12-07 17:35

administrator   ~60858

@DenisChenu yes i start to use it also ;) ! Thanx for the tip ;)

c_schmitz

c_schmitz

2021-03-19 09:53

administrator   ~63454

The status on this issue is not clear to me.
Is this now a problem of a hard coded path in the plugin or a problemin LimeSurvey?

DenisChenu

DenisChenu

2021-03-19 10:33

developer   ~63463

Is this now a problem of a hard coded path in the plugin or a problemin LimeSurvey?

«plugin manager ommits installation of files in path upload/plugins/limeMpdf/views/subview/svg»

svg file was deleted when use upload plugins system in 4.X

Since plugin have php file : no reason to disable svg or any other file.
Like when we allo js file : no reason to disable svg.

Issue History

Date Modified Username Field Change
2020-08-24 12:42 Dietrich Streifert New Issue
2020-08-24 12:50 Dietrich Streifert Note Added: 59587
2020-08-26 15:29 cdorin Assigned To => LimeBot
2020-08-26 15:29 cdorin Priority none => normal
2020-08-26 15:29 cdorin Status new => confirmed
2020-08-26 15:29 cdorin Zoho Sprints => |Yes|
2020-09-10 11:18 LimeBot Note Added: 59767
2020-09-10 11:18 LimeBot Status confirmed => acknowledged
2020-09-15 16:42 DenisChenu Note Added: 59829
2020-09-15 16:43 DenisChenu Note Edited: 59829
2020-09-15 16:43 DenisChenu Issue Monitored: DenisChenu
2020-09-15 16:43 DenisChenu Note Added: 59830
2020-09-17 16:07 DenisChenu Note Added: 59862
2020-09-17 16:07 DenisChenu Status acknowledged => feedback
2020-09-17 16:10 DenisChenu Note Added: 59863
2020-09-17 17:03 DenisChenu Note Added: 59864
2020-09-17 17:03 DenisChenu File Added: svgPlugin.zip
2020-09-17 17:04 DenisChenu Note Added: 59865
2020-09-17 17:04 DenisChenu File Added: Capture d’écran du 2020-09-17 17-04-02.png
2020-10-28 18:52 LimeBot Sync to Zoho Project => |Yes|
2020-10-29 09:20 LimeBot Sync to Zoho Project Yes => |Yes|
2020-10-29 09:24 LimeBot Sync to Zoho Project Yes => |Yes|
2020-12-07 10:25 Mazi Note Added: 60846
2020-12-07 11:45 LimeBot Note Added: 60856
2020-12-07 14:30 DenisChenu Note Added: 60857
2020-12-07 17:35 LimeBot Note Added: 60858
2021-03-19 09:53 c_schmitz Note Added: 63454
2021-03-19 10:33 DenisChenu Note Added: 63463