glpi-project / glpi

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing.
https://glpi-project.org
GNU General Public License v3.0

GLPI_MARKETPLACE_DIR doesn't work #17241

Open 0xNath opened 5 months ago

0xNath commented 5 months ago

Version

10.0.15 and up to date 10.0.16-dev

Bug description

When using a custom folder location for the marketplace folder, the URL returned by the server looks something like this:

http://glpi.bazaar.test/var/lib/glpi/marketplace

This issue was already reported in issue 9074 as well as on the forums: https://forum.glpi-project.org/viewtopic.php?id=281140

Relevant log output

No response

Page URL

No response

Steps To reproduce

  1. Do a fresh installation.
  2. Set the GLPI_MARKETPLACE_DIR variable in your "local_define.php":
    <?php
    define('GLPI_VAR_DIR', '/var/lib/glpi/files');
    define('GLPI_MARKETPLACE_DIR', '/var/lib/glpi/marketplace');
  3. Install the GLPI plugin "glpiinventory". I have tried several other plugins, which were all failing too.
  4. Try to access a page related to the plugin, like the configuration page of the plugin.

Your GLPI setup information

Informations sur le système, l'installation et la configuration
GLPI 10.0.16-dev ( => /var/www/glpi)
Installation mode: GIT
Current language:fr_FR

Server
 
Operating system: Linux glpi 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64
PHP 8.2.18 fpm-fcgi (Core, FFI, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, bz2, calendar, cgi-fcgi, ctype, curl, date,
    dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, intl, json, ldap, libxml, mbstring, mysqli, mysqlnd, openssl, pcre,
    pdo_mysql, posix, random, readline, session, shmop, sockets, sodium, standard, sysvmsg, sysvsem, sysvshm, tokenizer, xml,
    xmlreader, xmlwriter, xsl, zip, zlib)
Setup: max_execution_time="30" memory_limit="128M" post_max_size="8M" safe_mode="" session.save_handler="files"
    upload_max_filesize="2M" disable_functions="" 
Software: nginx/1.22.1
    Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0
Server Software: Debian 12
    Server Version: 10.11.6-MariaDB-0+deb12u1
    Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
    Parameters: glpi@localhost/glpi
    Host info: Localhost via UNIX socket

PHP version (8.2.18) is supported.
Sessions configuration is OK.
Allocated memory is sufficient.
mysqli extension is installed.
Following extensions are installed: dom, fileinfo, filter, libxml, json, simplexml, xmlreader, xmlwriter.
curl extension is installed.
gd extension is installed.
intl extension is installed.
zlib extension is installed.
The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.
Database engine version (10.11.6) is supported.
No files from previous GLPI version detected.
The log file has been created successfully.
Write access to /var/lib/glpi/files/_cache has been validated.
Write access to /var/lib/glpi/files/_cron has been validated.
Write access to /var/lib/glpi/files has been validated.
Write access to /var/lib/glpi/files/_dumps has been validated.
Write access to /var/lib/glpi/files/_graphs has been validated.
Write access to /var/lib/glpi/files/_lock has been validated.
Write access to /var/lib/glpi/files/_pictures has been validated.
Write access to /var/lib/glpi/files/_plugins has been validated.
Write access to /var/lib/glpi/files/_rss has been validated.
Write access to /var/lib/glpi/files/_sessions has been validated.
Write access to /var/lib/glpi/files/_tmp has been validated.
Write access to /var/lib/glpi/files/_uploads has been validated.

Web server root directory configuration seems safe.
Sessions configuration is secured.
OS and PHP are relying on 64 bits integers.
exif extension is installed.
ldap extension is installed.
openssl extension is installed.
Following extensions are installed: bz2, Phar, zip.
Zend OPcache extension is installed.
Following extensions are installed: ctype, iconv, mbstring, sodium.
Write access to /var/lib/glpi/marketplace has been validated.
Access to timezone database (mysql) is not allowed.

GLPI constants
 
GLPI_ROOT: "/var/www/glpi"
GLPI_CONFIG_DIR: "/etc/glpi/"
GLPI_VAR_DIR: "/var/lib/glpi/files"
GLPI_LOG_DIR: "/var/log/glpi"
GLPI_MARKETPLACE_DIR: "/var/lib/glpi/marketplace"
GLPI_USE_CSRF_CHECK: "1"
GLPI_CSRF_EXPIRES: "7200"
GLPI_CSRF_MAX_TOKENS: "100"
GLPI_USE_IDOR_CHECK: "1"
GLPI_IDOR_EXPIRES: "7200"
GLPI_ALLOW_IFRAME_IN_RICH_TEXT: false
GLPI_SERVERSIDE_URL_ALLOWLIST: ["/^(https?|feed):\\/\\/[^@:]+(\\/.*)?$/"]
GLPI_TELEMETRY_URI: "https://telemetry.glpi-project.org"
GLPI_INSTALL_MODE: "GIT"
GLPI_NETWORK_MAIL: "glpi@teclib.com"
GLPI_NETWORK_SERVICES: "https://services.glpi-network.com"
GLPI_MARKETPLACE_ALLOW_OVERRIDE: true
GLPI_MARKETPLACE_MANUAL_DOWNLOADS: true
GLPI_USER_AGENT_EXTRA_COMMENTS: ""
GLPI_DISABLE_ONLY_FULL_GROUP_BY_SQL_MODE: "1"
GLPI_AJAX_DASHBOARD: "1"
GLPI_CALDAV_IMPORT_STATE: 0
GLPI_DEMO_MODE: "0"
GLPI_CENTRAL_WARNINGS: "1"
GLPI_TEXT_MAXSIZE: "4000"
GLPI_DOC_DIR: "/var/lib/glpi/files"
GLPI_CACHE_DIR: "/var/lib/glpi/files/_cache"
GLPI_CRON_DIR: "/var/lib/glpi/files/_cron"
GLPI_DUMP_DIR: "/var/lib/glpi/files/_dumps"
GLPI_GRAPH_DIR: "/var/lib/glpi/files/_graphs"
GLPI_LOCAL_I18N_DIR: "/var/lib/glpi/files/_locales"
GLPI_LOCK_DIR: "/var/lib/glpi/files/_lock"
GLPI_PICTURE_DIR: "/var/lib/glpi/files/_pictures"
GLPI_PLUGIN_DOC_DIR: "/var/lib/glpi/files/_plugins"
GLPI_RSS_DIR: "/var/lib/glpi/files/_rss"
GLPI_SESSION_DIR: "/var/lib/glpi/files/_sessions"
GLPI_TMP_DIR: "/var/lib/glpi/files/_tmp"
GLPI_UPLOAD_DIR: "/var/lib/glpi/files/_uploads"
GLPI_INVENTORY_DIR: "/var/lib/glpi/files/_inventories"
GLPI_NETWORK_REGISTRATION_API_URL: "https://services.glpi-network.com/api/registration/"
GLPI_MARKETPLACE_PLUGINS_API_URI: "https://services.glpi-network.com/api/marketplace/"
GLPI_I18N_DIR: "/var/www/glpi/locales"
GLPI_VERSION: "10.0.16-dev"
GLPI_SCHEMA_VERSION: "10.0.16-dev@7dbd7f198578e94ab3b1e733729ba60360a0bba7"
GLPI_MARKETPLACE_PRERELEASES: true
GLPI_MIN_PHP: "7.4.0"
GLPI_MAX_PHP: "8.4.0"
GLPI_YEAR: "2024"

Libraries
 
htmlawed/htmlawed version 1.2.14 in (/var/www/glpi/vendor/htmlawed/htmlawed)
phpmailer/phpmailer version 6.8.0 in (/var/www/glpi/vendor/phpmailer/phpmailer/src)
simplepie/simplepie version 1.5.8 in (/var/www/glpi/vendor/simplepie/simplepie/library)
tecnickcom/tcpdf version 6.7.5 in (/var/www/glpi/vendor/tecnickcom/tcpdf)
michelf/php-markdown in (/var/www/glpi/vendor/michelf/php-markdown/Michelf)
true/punycode in (/var/www/glpi/vendor/true/punycode/src)
iamcal/lib_autolink in (/var/www/glpi/vendor/iamcal/lib_autolink)
sabre/dav in (/var/www/glpi/vendor/sabre/dav/lib/DAV)
sabre/http in (/var/www/glpi/vendor/sabre/http/lib)
sabre/uri in (/var/www/glpi/vendor/sabre/uri/lib)
sabre/vobject in (/var/www/glpi/vendor/sabre/vobject/lib)
laminas/laminas-i18n in (/var/www/glpi/vendor/laminas/laminas-i18n/src)
laminas/laminas-servicemanager in (/var/www/glpi/vendor/laminas/laminas-servicemanager/src)
monolog/monolog in (/var/www/glpi/vendor/monolog/monolog/src/Monolog)
sebastian/diff in (/var/www/glpi/vendor/sebastian/diff/src)
donatj/phpuseragentparser in (/var/www/glpi/vendor/donatj/phpuseragentparser/src/UserAgent)
elvanto/litemoji in (/var/www/glpi/vendor/elvanto/litemoji/src)
symfony/console in (/var/www/glpi/vendor/symfony/console)
scssphp/scssphp in (/var/www/glpi/vendor/scssphp/scssphp/src)
laminas/laminas-mail in (/var/www/glpi/vendor/laminas/laminas-mail/src/Protocol)
laminas/laminas-mime in (/var/www/glpi/vendor/laminas/laminas-mime/src)
rlanvin/php-rrule in (/var/www/glpi/vendor/rlanvin/php-rrule/src)
ramsey/uuid in (/var/www/glpi/vendor/ramsey/uuid/src)
psr/log in (/var/www/glpi/vendor/psr/log/Psr/Log)
psr/simple-cache in (/var/www/glpi/vendor/psr/simple-cache/src)
psr/cache in (/var/www/glpi/vendor/psr/cache/src)
league/csv in (/var/www/glpi/vendor/league/csv/src)
mexitek/phpcolors in (/var/www/glpi/vendor/mexitek/phpcolors/src/Mexitek/PHPColors)
guzzlehttp/guzzle in (/var/www/glpi/vendor/guzzlehttp/guzzle/src)
guzzlehttp/psr7 in (/var/www/glpi/vendor/guzzlehttp/psr7/src)
glpi-project/inventory_format in (/var/www/glpi/vendor/glpi-project/inventory_format/lib/php)
wapmorgan/unified-archive in (/var/www/glpi/vendor/wapmorgan/unified-archive/src)
paragonie/sodium_compat in (/var/www/glpi/vendor/paragonie/sodium_compat/src)
symfony/cache in (/var/www/glpi/vendor/symfony/cache)
html2text/html2text in (/var/www/glpi/vendor/html2text/html2text/src)
symfony/css-selector in (/var/www/glpi/vendor/symfony/css-selector)
symfony/dom-crawler in (/var/www/glpi/vendor/symfony/dom-crawler)
twig/twig in (/var/www/glpi/vendor/twig/twig/src)
twig/string-extra in (/var/www/glpi/vendor/twig/string-extra)
symfony/polyfill-ctype not found
symfony/polyfill-iconv not found
symfony/polyfill-mbstring not found
symfony/polyfill-php80 not found
symfony/polyfill-php81 not found
symfony/polyfill-php82 in (/var/www/glpi/vendor/symfony/polyfill-php82)
league/oauth2-client in (/var/www/glpi/vendor/league/oauth2-client/src/Provider)
league/oauth2-google in (/var/www/glpi/vendor/league/oauth2-google/src/Provider)
thenetworg/oauth2-azure in (/var/www/glpi/vendor/thenetworg/oauth2-azure/src/Provider)

SQL replicas
 
Not active

Notifications
 
Way of sending emails: PHP

Plugins list
 
    glpiinventory        Name: GLPI Inventory                 Version: 1.3.5      State: Enabled                                 
        Install Method: Marketplace

Anything else?

I have not looked into the issue yet, so I don't know if this is a plugin issue, a GLPI issue, or both. I'll try to look into it and propose a fix for GLPI and the repo plugins if possible.

cconard96 commented 5 months ago

I think I confirmed the issue in the generation of the "web" directory when the marketplace folder is moved outside the GLPI folder.

The relevant code:

    public static function getWebDir(string $plugin_key = "", $full = true, $use_url_base = false)
    {
        /** @var array $CFG_GLPI */
        global $CFG_GLPI;

        $directory = self::getPhpDir($plugin_key, false);

        if ($directory === false) {
            return false;
        }

        $directory = ltrim($directory, '/\\');

        if ($full) {
            $root = $use_url_base ? $CFG_GLPI['url_base'] : $CFG_GLPI["root_doc"];
            $directory = "$root/$directory";
        }

        return str_replace('\\', '/', $directory);
    }

I think the best solution is to always serve marketplace plugins through the /marketplace path and proxy the requests to the actual marketplace location. So, calls to Plugin::getWebDir would always return something like http://glpi.bazaar.test/marketplace/glpiinventory while Plugin::getPhpDir returns /var/lib/glpi/marketplace/glpiinventory.

cedric-anne commented 5 months ago

Hi,

This is indeed a limitation.

We will be able to remove this limitation in GLPI 11.0, as the usage of the public/index.php router will be mandatory. Indeed, the router will be able to serve the plugin files, wherever they are located on the filesystem. It was not possible to do this in GLPI 10.0 as the usage of this router is still optional.

I am keeping this issue open, as a reminder that we should work on it for GLPI 11.0.
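
The URL construction quoted by cconard96 next to the fixed `/marketplace` mapping he proposes, plus the router-side lookup cedric-anne mentions, as an added PHP example that is not GLPI's code. It shows the containment check needed once files are served from outside the web root. Assumptions: all three function names are hypothetical, the first function's input stands in for what `Plugin::getPhpDir` returns when the marketplace lives outside `GLPI_ROOT`, and the resolver receives an already URL-decoded path.

```php
<?php
declare(strict_types=1);
// Added illustration, not GLPI code. All function names are hypothetical.

// Same string handling as the quoted getWebDir(): strip leading slashes,
// prefix the web root. $phpDir stands in for getPhpDir()'s return value.
function webDirFromPhpDir(string $phpDir, string $root): string
{
    return str_replace('\\', '/', $root . '/' . ltrim($phpDir, '/\\'));
}

// Proposed behaviour: the URL no longer depends on the filesystem location.
function webDirFixedPrefix(string $pluginKey, string $root): string
{
    return $root . '/marketplace/' . rawurlencode($pluginKey);
}

// Router side: map "/marketplace/<plugin>/<file>" (already URL-decoded) to a
// file under $marketplaceDir; null for anything that resolves outside it.
function resolveMarketplaceFile(string $urlPath, string $marketplaceDir): ?string
{
    $prefix = '/marketplace/';
    if (strncmp($urlPath, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $base = realpath($marketplaceDir);
    $file = realpath($marketplaceDir . '/' . substr($urlPath, strlen($prefix)));
    if ($base === false || $file === false || !is_file($file)) {
        return null;
    }
    // Compare only after realpath() has resolved ".." and symlinks.
    $inside = strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
    return $inside ? $file : null;
}

// Constructed sample tree in a temp directory.
$tmp = sys_get_temp_dir() . '/glpi_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/marketplace/glpiinventory/front", 0700, true);
touch("$tmp/marketplace/glpiinventory/front/config.form.php");
touch("$tmp/outside.txt");

echo webDirFromPhpDir('/var/lib/glpi/marketplace', 'http://glpi.bazaar.test'), "\n";
echo webDirFixedPrefix('glpiinventory', 'http://glpi.bazaar.test'), "\n";
var_dump(resolveMarketplaceFile('/marketplace/glpiinventory/front/config.form.php', "$tmp/marketplace"));
var_dump(resolveMarketplaceFile('/marketplace/../outside.txt', "$tmp/marketplace"));
```

The first `echo` reproduces the URL from the bug description; the last call returns `NULL` because the resolved file lies outside the marketplace directory.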

cedric-anne commented 5 months ago

I forgot to say that we will be able to remove this limitation when plugin files no longer have to include the inc/includes.php file (will be done in #17213). Indeed, as long as this include exists, moving the files to another directory will break this instruction, unless, maybe, GLPI is added to the PHP include path, and that is not a common installation.