We should not remove files via the upgrader

Discussion corner for Developers of Serendipity.
onli
Regular
Posts: 2230
Joined: Tue Sep 09, 2008 10:04 pm

We should not remove files via the upgrader

Post by onli » Tue Jun 16, 2015 9:47 pm

In the upgrader, we have a few tasks that remove files from Serendipity. These are especially the files under /htmlarea. I think that this is a problem, and it explains a few of the upgrade problems we saw.

1. If the upgrader fails to remove those files, it can happen that the upgrader fails completely. Just happened in my test-blog (from 2.0.2 to 2.1).
2. A well-configured server should not give Serendipity the rights to remove those files. They are not under /uploads or under /templates_c, not even under /templates.

The combination of these two points looks like a critical mistake on our side to me.

To see a list of the files to remove, see https://github.com/s9y/Serendipity/blob ... nc.php#L20

I think we should remove those upgrader tasks, especially those for 2.0 and newer versions. Garvin, what do you think?

garvinhicking
Core Developer
Posts: 30014
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: We should not remove files via the upgrader

Post by garvinhicking » Wed Jun 17, 2015 10:19 am

Hi!

IMO we should rather try to make the upgrade fail "gracefully". I thought we did that with the iterator, that in case of permission problems the function should not fail...

Removing the listed files is a good thing due to security, so I'd really like to keep it...
# Garvin Hicking (s9y Developer)

Timbalu
Regular
Posts: 4598
Joined: Sun May 02, 2004 3:04 pm

Re: We should not remove files via the upgrader

Post by Timbalu » Wed Jun 17, 2015 10:31 am

onli wrote: 1. If the upgrader fails to remove those files, it can happen that the upgrader fails completely. Just happened in my test-blog (from 2.0.2 to 2.1)
Try it again, Sam. It may have been since my patch yesterday went accidentally into the wrong list.
Regards,
Ian


onli
Regular
Posts: 2230
Joined: Tue Sep 09, 2008 10:04 pm

Re: We should not remove files via the upgrader

Post by onli » Wed Jun 17, 2015 11:19 am

Ian, that'd be nice, I'll test it.

Removing the listed files is a good thing due to security, so I'd really like to keep it...
That is only true for htmlarea, no? We could keep that removal, but remove the others, which would mean that fewer upgrades are affected.
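
One way to reconcile the two positions in this thread (keep the cleanup, but never let a permission problem abort the upgrade), as an added example that is not Serendipity's upgrader code. The function name, the result keys and the demo file names are assumptions made for illustration.

```php
<?php
// Added example, not Serendipity's own code. remove_obsolete_files() and the
// demo paths below are hypothetical.

// Try to delete obsolete files below $baseDir without ever aborting the caller.
// Returns ['removed' => [...], 'missing' => [...], 'manual' => [...]].
function remove_obsolete_files(string $baseDir, array $relativePaths): array
{
    $result = ['removed' => [], 'missing' => [], 'manual' => []];
    $base = realpath($baseDir);
    if ($base === false) {
        // Base directory cannot be resolved: hand the whole list to the admin.
        $result['manual'] = array_values($relativePaths);
        return $result;
    }

    foreach ($relativePaths as $rel) {
        $path = $base . DIRECTORY_SEPARATOR . ltrim($rel, '/\\');
        if (!file_exists($path) && !is_link($path)) {
            $result['missing'][] = $rel;   // already gone, nothing to do
            continue;
        }
        $real = realpath($path);
        // Only touch regular files that really live inside the base directory.
        $inside = $real !== false
            && strpos($real, $base . DIRECTORY_SEPARATOR) === 0;
        // Deleting a file needs write permission on its containing directory.
        if ($inside && is_file($real) && is_writable(dirname($real)) && @unlink($real)) {
            $result['removed'][] = $rel;
        } else {
            $result['manual'][] = $rel;    // report it, do not fail the upgrade
        }
    }
    return $result;
}

// Constructed demo: a throwaway directory containing one obsolete file.
$demo = sys_get_temp_dir() . '/upgrader-demo-' . bin2hex(random_bytes(4));
mkdir($demo . '/htmlarea', 0700, true);
file_put_contents($demo . '/htmlarea/old.php', '<?php // obsolete');

$report = remove_obsolete_files($demo, ['htmlarea/old.php', 'htmlarea/gone.php']);
print_r($report);

// Clean up the demo directory.
rmdir($demo . '/htmlarea');
rmdir($demo);
```

On a server where the web user has no write access to the code directories, every existing file ends up under `manual`, which the upgrader can show to the administrator as a list to delete by hand.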
