osCommerce / oscommerce2

osCommerce Online Merchant v2.x
http://www.oscommerce.com
MIT License

DIR_FS_CACHE & USE_CACHE not integrated properly #603

Open mgutt opened 6 years ago

mgutt commented 6 years ago

osC 2.3.4

1.) The installation pack should contain a catalog/cache/ folder including the following .htaccess: deny from all

2.) The default value of USE_CACHE should be true, or better, remove this constant, as it does not make sense to disable the cache. Instead you could leave the DIR_FS_CACHE value empty.

3.) The default value of DIR_FS_CACHE should be DIR_FS_DOCUMENT_ROOT . '/cache/'. Add an explanation of how to set this path, or better, move those values to configure.php (yes, delete them from the configuration database table) so it cannot be changed through the admin panel. Instead it makes more sense to have a "reset cache" option in the admin panel.

4.) Add a "cache dir exists" and "cache is writable" check to the security checks

Reasons:

a) The USE_CACHE constant is not used very well. For example, you can set USE_CACHE to false, and if DIR_FS_CACHE exists it nevertheless writes multiple cache files in this dir, like the last version check date, RSS feed in admin, etc.

b) And if you move your shop to another host, the cache path is wrong as it contains an absolute path.

Kymation commented 6 years ago
  1. OsCommerce 2.3.4 should use the /catalog/includes/work/ directory for cache files, not /catalog/cache/.
  2. Cache should never be the default. Cache should only be used as a temporary fix until the real problem can be solved.

Absolute paths are still a part of the osCommerce configuration and will still need to be changed if the install is moved to a different server. It would be better to solve this problem for all fixed paths and not just for cache.

mgutt commented 6 years ago

1.) Then please make DIR_FS_DOCUMENT_ROOT . '/includes/work/' the default path.

2.) It should, fine, but it isn't. For example, every time you open the admin panel it sends requests to the RSS feed APIs. And it displays every time that no version check was done, no matter how often the user performed it. And you forget extensions. I'm using a file-based SQL query cache. So there must be a default cache folder. And of course it shouldn't be an absolute path, in my opinion.

> Absolute paths are still a part of the osCommerce configuration

Yes, but only if you use the install wizard:

$dir_fs_document_root = $HTTP_POST_VARS['DIR_FS_DOCUMENT_ROOT'];
...
'  define(\'DIR_FS_CATALOG\', \'' . $dir_fs_document_root . '\');' . "\n" .

This could be easily solved by making this setting in the wizard optional and changing it to the same line that is already part of the default configure.php: define('DIR_FS_CATALOG', dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/');

That's how I use it. And I wish to have the same option for the cache path.
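
The checks proposed in item 4 of the opening comment (cache directory exists, cache directory is writable), together with the deny-all .htaccess from item 1, as an added example that is not part of the thread or of osCommerce's code. The function name `cache_dir_problems` and the temporary demo directory are assumptions made for illustration.

```php
<?php
// Added example, not osCommerce code. The function name and the demo
// directory layout are hypothetical.

/**
 * Return a list of problems found with a cache directory.
 * An empty list means the directory passed every check.
 */
function cache_dir_problems(string $dir): array
{
    if ($dir === '') {
        return ['cache path is empty'];
    }
    if (!is_dir($dir)) {
        return ["cache directory does not exist: $dir"];
    }
    $problems = [];
    if (!is_writable($dir)) {
        $problems[] = "cache directory is not writable: $dir";
    }
    // Cache files below the document root must not be served to visitors.
    $htaccess = rtrim($dir, '/\\') . '/.htaccess';
    $rules = is_file($htaccess) ? (string) file_get_contents($htaccess) : '';
    // "deny from all" is the rule named in the issue; "Require all denied"
    // is the Apache 2.4 spelling of the same restriction.
    if (!preg_match('/^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$/mi', $rules)) {
        $problems[] = "no deny-all .htaccess in: $dir";
    }
    return $problems;
}

// Constructed demo: a throwaway directory stands in for the shop root, and
// the cache path is derived from it instead of being stored as a fixed
// absolute path, which is what the thread asks for.
$root  = sys_get_temp_dir() . '/osc_demo_' . uniqid();
$cache = $root . '/includes/work/';
mkdir($cache, 0700, true);

print_r(cache_dir_problems($cache));             // .htaccess not written yet
file_put_contents($cache . '.htaccess', "deny from all\n");
print_r(cache_dir_problems($cache));             // after adding the rule
print_r(cache_dir_problems($root . '/cache/'));  // directory never created

// Remove the demo files again.
unlink($cache . '.htaccess');
rmdir($cache);
rmdir($root . '/includes');
rmdir($root);
```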