Downloads don't work after updating to 2.3.5

  • Posts: 31
  • Thank you received: 1
9 years 10 months ago #185128

-- HikaShop version -- : 2.3.5
-- Joomla version -- : 2.5
-- Error-message (debug mode must be turned on) -- : file not found

After updating from 2.3.4 to 2.3.5, downloads don't work anymore.
I have my downloadables outside the website's root folder, as is suggested for security reasons, and configured the path like this: ../MY_SECURE_FOLDER/
It has been working for a year now; what could possibly go wrong?

Last edit: 9 years 10 months ago by onsitenet. Reason: I reverted to 2.3.4 and it's working now!

  • Posts: 193
  • Thank you received: 76
9 years 10 months ago #185133

I can confirm this bug on the latest HikaShop 2.3.5.

The path to 'uploadsecurefolder' is missing a trailing slash.
A quick fix is to change the file administrator\components\com_hikashop\classes\file.php
on line 363 from

$path = $this->getPath('file');
to
$path = $this->getPath('file').'/';

This issue comes from the latest change in the getPath() method on lines 695-698.
The realpath() function strips the trailing delimiter.

Last edit: 9 years 10 months ago by korzo.

  • Posts: 26158
  • Thank you received: 4028
  • MODERATOR
9 years 10 months ago #185138

Hi onsitenet,

First, can you please re-download HikaShop 2.3.5 in order to be sure that you're using the latest package?
The "download file" system has been modified in the last version with some security improvements; the ".." directory is no longer authorized and it is preferred to specify the absolute path, so the system can always check that the requested file is right in the secure folder.

Regards,


Jerome - Obsidev.com
HikaMarket & HikaSerial developer / HikaShop core dev team.

Also helping the HikaShop support team when having some time or couldn't sleep.
By the way, do not send me private message, use the "contact us" form instead.
Last edit: 9 years 10 months ago by Jerome.

  • Posts: 193
  • Thank you received: 76
9 years 10 months ago #185150

I have the latest version, downloaded today (17:29).

The file administrator\components\com_hikashop\classes\file.php was last modified 02.01.2015 and this modification introduced this bug.

Also, all other methods using the getPath() method are not working correctly.
Files uploaded before this change can't be downloaded or deleted.

Files uploaded after this change are located in the wrong location, as the last folder in the path is prepended to the file name.
Also, the "safe" folder is no longer safe, as the .htaccess file is saved as safe.htaccess.
For example I uploaded file payment.jpg to product id 97 on demo site and it's accessible over url:
http://demo.hikashop.com/media/com_hikashop/upload/safepayment.jpg

Last edit: 9 years 10 months ago by korzo.

  • Posts: 31
  • Thank you received: 1
9 years 10 months ago #185166

What would this "absolute path" look like?
...an example(?)

  • Posts: 26158
  • Thank you received: 4028
  • MODERATOR
9 years 10 months ago #185155

Hi Korzo,

I don't think that you have the exact same problem as "onsitenet".
For the missing slash: it comes from the "realpath + JPath::clean" functions. I made some modifications and Nicolas just uploaded a new package.

Regards,


Jerome - Obsidev.com
HikaMarket & HikaSerial developer / HikaShop core dev team.


  • Posts: 31
  • Thank you received: 1
9 years 10 months ago #185176

Any chance someone could give me an example?
(...it's for an Apache server with cPanel)

  • Posts: 193
  • Thank you received: 76
9 years 10 months ago #185179

Jerome:
I had no problem at all. I was able to reproduce the issue on my dev machine, but failed to explain it.
As far as I can see, it's fixed now.

onsitenet:
Chances are you have to change nothing. Download the latest version (uploaded minutes ago) and update your site (don't forget to make a backup).
It should work as it did before the update to 2.3.5.

Last edit: 9 years 10 months ago by korzo.
The following user(s) said Thank You: onsitenet

  • Posts: 31
  • Thank you received: 1
9 years 10 months ago #185187

That is correct! I've changed nothing and it works now.

I'm still interested in what Jerome said about "absolute path" because I always worry about security. I wish this could be clarified now that we've bumped into it.

Thank you 2 ...and many thanks to the Devs for being quick & responsive.

  • Posts: 82866
  • Thank you received: 13373
  • MODERATOR
9 years 10 months ago #185189

Hi,

Suppose that your website is in the folder /var/www/ and that the secure folder where you put your files is /var/secure/.
The path /var/secure/ is the absolute path of your secure folder, while ../secure/ is the relative path to your secure folder.
Both are correct and you can use both in the option of HikaShop. There was a bug with the relative path handling in HikaShop 2.3.5 and that's why Jerome recommended that you set the absolute path instead of the relative path.
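
The two points discussed in this thread, as an added example that is not HikaShop's code and not part of any post: realpath() dropping the trailing separator (the "safepayment.jpg" symptom korzo reported), and a relative and an absolute setting resolving to the same secure folder, with a check that the requested file stays inside it. The function names, the POSIX-only absolute-path test and the temporary directory layout are assumptions made for the illustration.

```php
<?php
// Added example; secure_base() and resolve_download() are hypothetical names.

// Canonicalise the configured folder. realpath() drops any trailing
// separator, so it is re-appended before anything is concatenated.
function secure_base(string $configured, string $siteRoot): string {
    $isAbsolute = $configured !== '' && $configured[0] === '/'; // POSIX paths only
    $real = realpath($isAbsolute ? $configured : $siteRoot . '/' . $configured);
    if ($real === false || !is_dir($real)) {
        throw new RuntimeException('secure folder not found');
    }
    return rtrim($real, '/') . '/';
}

// Resolve a requested name and confirm the result is inside the secure folder.
function resolve_download(string $base, string $name): ?string {
    $real = realpath($base . $name);
    // Comparing against the base *with* its trailing slash also rejects
    // sibling folders that merely share the prefix (secure-old vs secure).
    if ($real === false || strncmp($real, $base, strlen($base)) !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

// Constructed layout: <tmp>/www is the site root, <tmp>/secure the secure folder.
$tmp = sys_get_temp_dir() . '/hs_demo_' . uniqid();
foreach (['www', 'secure', 'secure-old'] as $d) { mkdir("$tmp/$d", 0700, true); }
file_put_contents("$tmp/secure/payment.jpg", 'x');
file_put_contents("$tmp/secure-old/leak.txt", 'x');

// The reported symptom: realpath() output concatenated without a separator,
// so the last folder name is glued onto the file name.
$broken = realpath("$tmp/www/../secure/") . 'payment.jpg';
var_dump(basename($broken), file_exists($broken));

// A relative and an absolute setting resolve to the same canonical base.
$rel = secure_base('../secure/', "$tmp/www");
$abs = secure_base(realpath("$tmp/secure"), "$tmp/www");
var_dump($rel === $abs);

// A file inside the folder resolves; traversal out of it does not.
var_dump(resolve_download($rel, 'payment.jpg') !== null);
var_dump(resolve_download($rel, '../secure-old/leak.txt'));
var_dump(resolve_download($rel, '../www'));

// Remove the constructed files and folders.
array_map('unlink', glob("$tmp/*/*")); array_map('rmdir', glob("$tmp/*")); rmdir($tmp);
```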
