JPath::check Snooping out of bounds

Started by mhoney, 24.07.2016 18:24:28

mhoney

For various reasons I need to move my Joomla/Jdownloads site from Linux to Windows. Moving the site and all the data along with the database went smoothly and ALMOST everything works. I can't upload files using the web admin interface under jdownloads>files. Adding a file works and when I press the upload button I even get the green checkbox indicating it uploaded, but the file never shows up in the uploads directory. Using the developer tools in Chrome I see this error:

POST http://commodore.software/administrator/index.php?option=com_jdownloads&no_html=1&task=uploads.upload&9eb8debf4b6ae54782e46adb2d2e59bb=1 500 (JPath::check Snooping out of bounds @ \xampp\htdocs\commodore.software\jdownloads\) - plupload.full.min.js:15

The thing is, that path is not out of bounds.  It is clearly a subdirectory under the root of my main site.  From what I could find, that JPath check looks for attempts to access folder outside of the root of your site.

After some googling I found that some people have fixed this by modifying  this Joomla file - libraries/joomla/filesystem/path.php - I fooled around with that file and got the uploads to work but then other areas of jdownloads started to break so I put everything back and am posting here to hopefully find an answer.

ColinM

Hi
When you moved your site did you also change the 'Upload directory path' in Config - Downloads tab?

It should have the same basic structure as the 'Path to Temp folder' in the Joomla! Global Config - Server Settings except with jdownloads in place of tmp.
It is also like Path to Log Folder in Global Config - System Settings.

Colin
Colin M

mhoney

Yup, changed all the paths. Everything works 100% except for uploads. In the config area I even get the green writeable for all the paths.

ColinM

Hi
Would like you to do a test as below to see if we can identify the problem step.

As a test could you please ensure that Automonitoring in Config - Monitoring tab is set to No
Also as a test try a single small file, such as a pdf or png file whose size is less than 50kb

Go to Files Section in Backend
Click on Upload Files button
Add file to form by either
   dragging file from Windows Explorer
   or by using the Add button to select file in Windows Explorer
Then use the Start Upload button. After this the file should be uploaded and have a 100% and a green tick
At this stage the file should be in your jdownloads directory - could you please check using say ftp or your server facilities (not a Joomla! component such as Extplorer)

Click on Files button and you should see your file listed with a checkbox on the left and a 'create download' link on the right.
Click on the checkbox next to filename and then click on 'create download' link.
This should activate the Add Download form
Set the name for the Download and select a Category
Ensure view Access is Public
Also in the Files Data tab of the form see that the uploaded file is shown in the Alternative field
Now click Save or Save & Close
The new Download should now be in the appropriate directory and should appear in your list of Downloads

Please let me know at which step it fails, or if it does not fail, then try two small files.

Colin
Colin M

mhoney

#4
It's been a long time since I made this post, and I'm sorry I didn't post the solution back then.  I suppose it's better late than never.  Anyway, it seems that the PLupload asset does some sniffing outside of what Joomla allows.  The fix to the issue is to comment out some checking in the /libraries/joomla/filesystem/path.php file:

public static function check($path)
   {
      if (strpos($path, '..') !== false)
      {
         // Don't translate
         throw new Exception('JPath::check Use of relative paths not permitted', 20);
      }

      $path = self::clean($path);

      //if ((JPATH_ROOT != '') && strpos($path, self::clean(JPATH_ROOT)) !== 0)
      //{
      //   throw new Exception('JPath::check Snooping out of bounds @ ' . $path, 20);
      //}

      return $path;
   }


The lines I commented out were 175 - 178 and magically the plupload worked again.  I have confirmed this issue using both XAMPP and Abyss webservers on the Windows platform.  The issue doesn't seem to exist on Linux.

As a side note - If you're concerned about commenting out those lines for security reasons, you can just set the Uploader Runtime to HTML4 in the configuration/uploads section and things seem to work fine.
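
An added example, not part of the thread and not Joomla's code: a simplified re-creation of the prefix test that the post above comments out, next to a stricter containment test, run over constructed Windows paths. The site root `C:\xampp\htdocs\example.site`, the function names, and the idea that the rejected path reached the check without a drive letter (as it appears in the quoted error message) are assumptions.

```php
<?php
// Added illustration; names are hypothetical. Assumes JPATH_ROOT has a drive letter.
const SITE_ROOT = 'C:\\xampp\\htdocs\\example.site';

// Simplified stand-in for JPath::clean(): one separator style, no repeats.
function clean_path(string $path): string
{
    $path = str_replace('\\', '/', trim($path));
    return rtrim(preg_replace('#/+#', '/', $path), '/');
}

// The test the post comments out: a plain string-prefix comparison.
function prefix_check(string $path, string $root): bool
{
    return strpos(clean_path($path), clean_path($root)) === 0;
}

// Stricter containment test that tolerates Windows path spellings.
function is_inside_root(string $path, string $root): bool
{
    // UNC paths (\\server\share) are never inside a drive-letter root.
    if (preg_match('#^[/\\\\]{2}#', $path)) {
        return false;
    }
    $root = strtolower(clean_path($root));   // Windows paths ignore case by default
    $path = strtolower(clean_path($path));
    // Assumption: a rooted path without a drive refers to the root's drive.
    if (preg_match('#^[a-z]:#', $root) && strpos($path, '/') === 0) {
        $path = substr($root, 0, 2) . $path;
    }
    if (in_array('..', explode('/', $path), true)) {
        return false;                        // no relative traversal
    }
    // Require a separator after the root so "root-backup" does not match.
    return $path === $root || strpos($path, $root . '/') === 0;
}

// Constructed sample paths.
$samples = [
    'C:\\xampp\\htdocs\\example.site\\jdownloads\\',
    '\\xampp\\htdocs\\example.site\\jdownloads\\',   // no drive letter
    'c:/XAMPP/htdocs/example.site/jdownloads',       // different case
    'C:\\xampp\\htdocs\\example.site-backup\\x',     // sibling directory
    'C:\\Windows\\Temp',
];
foreach ($samples as $p) {
    printf("%-45s prefix=%-5s contained=%s\n", $p, var_export(prefix_check($p, SITE_ROOT), true),
        var_export(is_inside_root($p, SITE_ROOT), true));
}
```

In this model the drive-less and differently cased spellings of the jdownloads folder fail the plain prefix test although they lie inside the root, while the sibling directory `example.site-backup` passes it; the stricter test gets all three right without disabling the containment check.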

mhoney

Small correction (for some reason I can't edit my original post) - the file seems to be in a different place with newer versions of Joomla.  I'm currently running Joomla 3.9.5 and the file has moved to /libraries/src/Filesystem/path.php and the lines to comment out are 185 - 197

ColinM

Hi
Interesting
Several of my test sites are running on XAMPP (I have not used Abyss) and I have not had a problem. This may be because I am not setting them up as a server open to the world. Which version of Windows are you using?
Think the Plupload code is part of Joomla! not jDownloads.
Best wishes
Colin
Colin M