In the upgrader, we have a few tasks that remove files from serendipity. These are especially the files under /htmlarea. I think that this is a problem, and it explains a few of the upgrade problems we saw.
1. If the upgrader fails to remove those files, it can happen that the upgrader fails completely. Just happened in my test-blog (from 2.0.2 to 2.1)
2. A well-configured server should not give serendipity the rights to remove those files. They are not under /uploads or under /templates_c, not even under /templates.
The combination of these two points looks like a critical mistake on our side to me.
To see a list of the files to remove, see https://github.com/s9y/Serendipity/blob ... nc.php#L20
I think we should remove those upgrader tasks, especially those for 2.0 and newer versions. Garvin, what do you think?
We should not remove files via the upgrader
Re: We should not remove files via the upgrader
Hi!
IMO we should rather try to make the upgrade fail "gracefully". I thought we did that with the iterator, that in case of permission problems the function should not fail...
Removing the listed files is a good thing due to security, so I'd really like to keep it...
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Re: We should not remove files via the upgrader
onli wrote:
1. If the upgrader fails to remove those files, it can happen that the upgrader fails completely. Just happened in my test-blog (from 2.0.2 to 2.1)

Try it again, Sam. It may have been since my patch yesterday went accidentally into the wrong list.
Regards,
Ian
Serendipity Styx Edition and additional_plugins @ https://ophian.github.io/ @ https://github.com/ophian
Re: We should not remove files via the upgrader
Ian, that'd be nice, I'll test it.
"Removing the listed files is a good thing due to security, so I'd really like to keep it..."
That is only true for htmlarea, no? We could keep that removal, but remove the others, which would mean that fewer upgrades are affected.
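
The "fail gracefully" behaviour discussed in this thread, sketched as an added example that is not part of any post above and is not Serendipity's upgrader code. The function name, the report keys and the demo file names are hypothetical; it assumes the upgrader is handed a base directory and a list of relative paths.

```php
<?php
// Added example: hypothetical helper, not Serendipity's upgrader code.
// Deletes obsolete files below $baseDir on a best-effort basis and never aborts.
function remove_obsolete_files(string $baseDir, array $relativePaths): array
{
    $result = ['removed' => [], 'missing' => [], 'failed' => []];
    $base = realpath($baseDir);
    if ($base === false) {
        $result['failed'][$baseDir] = 'base directory not found';
        return $result;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    foreach ($relativePaths as $rel) {
        $real = realpath($prefix . $rel);
        if ($real === false) {
            $result['missing'][] = $rel; // already gone, nothing to do
            continue;
        }
        // Refuse paths that resolve outside the installation ("..", symlinks).
        if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
            $result['failed'][$rel] = 'resolves outside base directory';
            continue;
        }
        if (!is_file($real)) {
            $result['failed'][$rel] = 'not a regular file';
            continue;
        }
        // unlink() needs write permission on the containing directory.
        if (!is_writable(dirname($real))) {
            $result['failed'][$rel] = 'directory not writable by PHP';
            continue;
        }
        if (@unlink($real)) {
            $result['removed'][] = $rel;
        } else {
            $result['failed'][$rel] = error_get_last()['message'] ?? 'unlink failed';
        }
    }
    return $result;
}

// Constructed demo in a temp directory; the file names are made up.
$base = sys_get_temp_dir() . '/upgrader_demo_' . getmypid();
mkdir($base . '/htmlarea', 0755, true);
file_put_contents($base . '/htmlarea/old.js', '// obsolete');
$report = remove_obsolete_files($base, ['htmlarea/old.js', 'htmlarea/gone.js']);
foreach ($report['failed'] as $path => $why) {
    echo "Could not remove $path ($why); please delete it manually.\n";
}
```

On a server where PHP has no write access to the code directories, every entry ends up in `failed` with a reason, so the upgrade can continue and list the leftover files for the administrator.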