soren121 / lightblog

PHP/SQLite blogging platform
GNU General Public License v3.0

update.php should verify the directory is writable, and restrict file permissions on the temporary db file. #55

Closed soren121 closed 8 years ago

soren121 commented 9 years ago

From j...@kodewerx.org on August 18, 2012 18:41:22

When I attempted to update my lightblog installation, I ran into an HTTP 500 after clicking the Upgrade button in update.php. The server log says:

[Sat Aug 18 04:21:02 2012] [error] PHP Fatal error:  Uncaught exception 'SQLiteException' with message 'SQLiteDatabase::construct(): unable to open database: /htdocs/blog/5-ZS,qAE-iHEiLXrT5aDIpRPbd,2ZtY6L-ywys558i282xZ0tb.db' in /htdocs/blog/update.php:110\nStack trace:\n#0 /htdocs/blog/update.php(110): SQLiteDatabase->construct('5-ZS,qAE-iHEiLX...')\n#1 /htdocs/blog/update.php(284): create_temp_db('CREATE TABLE 'c...')\n#2 /htdocs/blog/update.php(311): update()\n#3 {main}\n  thrown in /htdocs/blog/update.php on line 110

(Note, this was from SVN r568.)

The directory chosen for the temp db file (/htdocs/blog) is not writable by the webserver (for obvious security reasons). Using /tmp is ok, if read permissions are restricted when the file is created (mode 0600).

My recommendation (without a very broad knowledge of the lightblog update process) is to first check if the working directory is writeable. If not, try /tmp. In both cases, set the permissions accordingly.

The reasoning behind using file system permissions is: In the case of an error, it could keep the temporary file around, which may possibly expose password hashes or other sensitive content to the internet(!) or other users on the server. Unfortunately, I don't know how well this would work on a Windows server.

Also, is there any reason it is not using the db directory for the temp file? That would be an ideal place to try first, instead of the php directory. :)

Original issue: http://code.google.com/p/lightblog/issues/detail?id=55

soren121 commented 9 years ago

From doodle62 on August 18, 2012 17:05:45

Interesting. I have checks for this kind of stuff in install.php, but apparently, update.php doesn't. I'll get this fixed soon.

Status: Accepted
Labels: -Priority-Medium Priority-Critical
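
The check requested in this issue, sketched as an added example (not lightblog's own code and not from either commenter): try the candidate directories in order, create the temporary database file exclusively with mode 0600, and delete it when the update ends. The function name, the `db` subdirectory path and the use of PHP 7+ `random_bytes()` are assumptions.

```php
<?php
// Added example; create_private_temp_file() and the candidate list are hypothetical.

/**
 * Create an empty temp database file that only the web server user can read.
 * Returns the path, or throws if no candidate directory is usable.
 */
function create_private_temp_file(array $candidateDirs, $suffix = '.db')
{
    foreach ($candidateDirs as $dir) {
        // is_writable() is only a hint; the fopen() below is the real test.
        if (!is_dir($dir) || !is_writable($dir)) {
            continue;
        }
        $path = rtrim($dir, '/\\') . DIRECTORY_SEPARATOR
              . bin2hex(random_bytes(16)) . $suffix;

        // Restrictive umask so the file is not group/world readable at creation.
        // (umask is process-wide, so this is less reliable on threaded servers.)
        $oldUmask = umask(0077);
        // 'x' maps to O_CREAT|O_EXCL: fails if the name already exists,
        // including a symlink pre-planted in a shared directory such as /tmp.
        $handle = @fopen($path, 'x');
        umask($oldUmask);

        if ($handle === false) {
            continue; // directory looked writable but creation failed; try next
        }
        fclose($handle);
        chmod($path, 0600); // explicit mode; has little effect on Windows
        return $path;
    }
    throw new RuntimeException('No writable directory for the temporary database.');
}

// Order follows the issue: db directory first, then the working dir, then /tmp.
$candidates = array(__DIR__ . '/db', __DIR__, sys_get_temp_dir());
$tempDb = create_private_temp_file($candidates);
try {
    // ... open $tempDb with the SQLite driver and run the update here ...
    printf("%s mode %o\n", $tempDb, fileperms($tempDb) & 0777);
} finally {
    // Runs when an exception is thrown too, so no copy of the data is left behind.
    if (is_file($tempDb)) {
        unlink($tempDb);
    }
}
```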