
Smarty_Security._checkDir() error upon upgrade to 2021.012 version

vivacelix New
edited August 2021 in Vanilla 3.x Help

Hello all,

Thank you Vanilla team for continuing to release open source versions.

I am currently on Version 3.3 and have been trying to upgrade to 2021.011 unsuccessfully, then 2021.012 when it came out, however I get this error during /utility/update step for both newer versions:


Fatal Error in Smarty_Security._checkDir();

Smarty Security: not trusted file path 'C:\inetpub\wwwroot\[my_website]\forum\applications\dashboard\views\empty.master.tpl'

The error occurred on or near: C:\inetpub\wwwroot\[my_website]\forum\vendor\smarty\smarty\libs\sysplugins\smarty_security.php

657:                 $directory = preg_replace('#[\\\\/][^\\\\/]+[\\\\/]$#', DIRECTORY_SEPARATOR, $directory);
658:             }
659:         }
660:         // give up
661:         throw new SmartyException(sprintf('Smarty Security: not trusted file path \'%s\' ', $filepath));
662:     }
663: 
664:     /**
665:      * Loads security class and enables security

Backtrace:

[C:\inetpub\wwwroot\[my_website]\forum\vendor\smarty\smarty\libs\sysplugins\smarty_security.php:545] Smarty_Security->_checkDir();
[C:\inetpub\wwwroot\[my_website]\forum\vendor\smarty\smarty\libs\sysplugins\smarty_internal_resource_file.php:33] Smarty_Security->isTrustedResourceDir();
[C:\inetpub\wwwroot\[my_website]\forum\vendor\smarty\smarty\libs\sysplugins\smarty_template_source.php:182] Smarty_Internal_Resource_File->populate();
[C:\inetpub\wwwroot\[my_website]\forum\vendor\smarty\smarty\libs\sysplugins\smarty_internal_template.php:168] Smarty_Template_Source::load();
[C:\inetpub\wwwroot\[my_website]\forum\vendor\smarty\smarty\libs\Smarty.class.php:1028] Smarty_Internal_Template->__construct();
[C:\inetpub\wwwroot\[my_website]\forum\vendor\smarty\smarty\libs\sysplugins\smarty_internal_templatebase.php:189] Smarty->createTemplate();
[C:\inetpub\wwwroot\[my_website]\forum\vendor\smarty\smarty\libs\sysplugins\smarty_internal_templatebase.php:134] Smarty_Internal_TemplateBase->_execute();
[C:\inetpub\wwwroot\[my_website]\forum\library\core\class.smarty.php:146] Smarty_Internal_TemplateBase->display();
[C:\inetpub\wwwroot\[my_website]\forum\library\core\class.controller.php:2232] Gdn_Smarty->render();
[C:\inetpub\wwwroot\[my_website]\forum\library\core\class.controller.php:1595] Gdn_Controller->renderMaster();
[C:\inetpub\wwwroot\[my_website]\forum\library\core\class.pluggable.php:217] Gdn_Controller->xRender();
[C:\inetpub\wwwroot\[my_website]\forum\applications\dashboard\controllers\class.utilitycontroller.php:318] Gdn_Pluggable->__call();
[C:\inetpub\wwwroot\[my_website]\forum\applications\dashboard\controllers\class.utilitycontroller.php:331] UtilityController->legacyUpdate();
[C:\inetpub\wwwroot\[my_website]\forum\library\core\class.dispatcher.php:933] UtilityController->update();
[C:\inetpub\wwwroot\[my_website]\forum\library\core\class.dispatcher.php:335] Gdn_Dispatcher->dispatchController();
[C:\inetpub\wwwroot\[my_website]\forum\index.php:29] Gdn_Dispatcher->dispatch();

Additional information for support personnel:

  • Application: Vanilla
  • Application Version: 2021.012
  • PHP Version: 7.3.18
  • Operating System: WINNT
  • Server Software: Microsoft-IIS/10.0
  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36
  • Request Uri: /[my_website]/forum/utility/update
  • Controller: Smarty_Security
  • Method: _checkDir


I have read the following discussions:

https://open.vanillaforums.com/discussion/comment/263085#Comment_263085

https://open.vanillaforums.com/discussion/comment/262721#Comment_262721

https://github.com/vanilla/vanilla/issues/10936

I have Pretty URL enabled. 'addons' folder exists. And I do not want to just comment out the line throwing the exception as suggested by the Github comment; I'm sure the exception is there for a reason and I want to properly fix the root cause.

My theme is Bittersweet. I have tried for so long to debug the code myself but to no avail - I am not knowledgeable about PHP or Vanilla code base. At this point I'm lost and looking for any help in resolving this error, any insight would be appreciated. I really really want to upgrade and try the new features.

Thank you in advance!

Comments

  • Since this is most probably Windows related, most of us wouldn't be able to assist. I dug into the code and assume I've found which code change broke your forum, but I do not understand why. You can try this as a cleaner hack to solve your problem, though I'm not sure if this really helps. You need to open the file /library/core/class.smarty.php and find the function render. In that look for the following lines:

               } elseif (!empty($controller->Theme)) {
                   $smarty->setTemplateDir([
                       PATH_THEMES."/{$controller->Theme}/views",
                       PATH_ADDONS_THEMES."/{$controller->Theme}/views",
                   ]);
               }
           }
    

    and simply add one line so that it looks like that

               } elseif (!empty($controller->Theme)) {
                   $smarty->setTemplateDir([
                       PATH_THEMES."/{$controller->Theme}/views",
                       PATH_ADDONS_THEMES."/{$controller->Theme}/views",
                       dirname($path)
                   ]);
               }
    


    Better would be to understand what is going on. If you want to support me understanding this, please add the following lines to the end of that function and post what is shown after you reload the page

               } elseif (!empty($controller->Theme)) {
                   $smarty->setTemplateDir([
                       PATH_THEMES."/{$controller->Theme}/views",
                       PATH_ADDONS_THEMES."/{$controller->Theme}/views",
                   ]);
               }
           }
    decho($path, 'path', true);
    decho(PATH_THEMES."/{$controller->Theme}/views", 'path themes', true);
    decho(PATH_ADDONS_THEMES."/{$controller->Theme}/views", 'path addons themes', true);
    decho(dirname($path), 'dirname path', true);
    die;
    
           $smarty->display($path, null, $compileID);
       }
    

    Note that this will show your file path to everyone looking at your forum as long as these "decho" lines are in your code. For security reasons you shouldn't show that in a live environment.

    Here on my local test machine the output looks like that

    Line 145 in /library/core/class.smarty.php
    path: /home/rj/Develop/www/vanilla/develop/themes/bittersweet/views/default.master.tpl
    Line 146 in /library/core/class.smarty.php
    path themes: /home/rj/Develop/www/vanilla/develop/themes/bittersweet/views
    Line 147 in /library/core/class.smarty.php
    path addons themes: /home/rj/Develop/www/vanilla/develop/addons/themes/bittersweet/views
    Line 148 in /library/core/class.smarty.php
    dirname path: /home/rj/Develop/www/vanilla/develop/themes/bittersweet/views
    


  • And just so that I do not have to look for it again: if the additional line above solves your problem, this commit broke the functionality: https://github.com/vanilla/vanilla/commit/0d09fd19145b4fae45160c326fad10130b5f6faf#diff-36486c1fdeb6946a81599bebeb1df6d2ee8648ad0ffa93a2bc71b286bf68dab1L161

  • Hi @R_J thank you for helping me again!

    Adding the "decho" lines gave me this:

    Line 152 in \library\core\class.smarty.php
    path: C:\inetpub\wwwroot\[my_website]\forum/applications\dashboard\views\empty.master.tpl
    Line 153 in \library\core\class.smarty.php
    path themes: C:\inetpub\wwwroot\[my_website]\forum/themes/bittersweet/views
    Line 154 in \library\core\class.smarty.php
    path addons themes: C:\inetpub\wwwroot\[my_website]\forum/addons/themes/bittersweet/views
    Line 155 in \library\core\class.smarty.php
    dirname path: C:\inetpub\wwwroot\[my_website]\forum/applications\dashboard\views
    

    (Found one more related post showing the same error, for my own reference:

    https://open.vanillaforums.com/discussion/comment/262721/#Comment_262721 )


    I also tried your suggestion of adding dirname($path) and it worked!! I now get "The update was successful" message, wow! :D

    ...Now, the next trouble (haha) is that I'm seeing totally blank pages everywhere, with the visibility: hidden coming from _richEditorLegacy.scss. Even the "update successful" page itself appears blank, I had to disable the visibility: hidden from the browser dev tools to see any contents.

    I found several people are reporting the exact same issue:

    Unfortunately I can't seem to find a definitive fix for this blank page issue. Looks like some people ended up reverting to 3.3, I may have to do that too if I can't fix it.... and just hope that it's addressed soon and that future versions are more stable.


    Still, thanks to you I'm one step closer - thank you so much for your kindness @R_J ! You're the champ!!
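
Added example, not part of the thread and not Smarty's or Vanilla's code: a simplified model of a trusted-directory allowlist check, fed with the path values from the decho output above. The helper names `normalisePath` and `isUnderTrustedDir` are hypothetical; in this model the master view is rejected because it sits under neither theme directory, whichever separator style is used, and it is accepted once `dirname($path)` is on the list.

```php
<?php
// Added illustration: a simplified allowlist check, NOT Smarty's _checkDir().

/** Normalise a path for comparison: one separator style, no trailing slash. */
function normalisePath(string $path): string
{
    $path = str_replace('\\', '/', $path);      // Windows accepts both styles
    $path = preg_replace('#/+#', '/', $path);   // collapse doubled separators
    return rtrim(strtolower($path), '/');       // Windows paths compare case-insensitively
}

/** True when $file lies inside one of $trustedDirs (hypothetical helper). */
function isUnderTrustedDir(string $file, array $trustedDirs): bool
{
    $file = normalisePath($file);
    foreach ($trustedDirs as $dir) {
        // Compare against "dir/" so "views" never matches "views-old".
        // This model does not resolve ".." segments; a real check should
        // canonicalise with realpath() before comparing.
        if (strpos($file, normalisePath($dir) . '/') === 0) {
            return true;
        }
    }
    return false;
}

// Values copied from the decho output above; [my_website] is the poster's placeholder.
$root = 'C:\inetpub\wwwroot\[my_website]\forum';
$path = $root . '/applications\dashboard\views\empty.master.tpl';
$themeDirs = [
    $root . '/themes/bittersweet/views',
    $root . '/addons/themes/bittersweet/views',
];

// Normalise before dirname() so the example behaves the same off Windows,
// where dirname() does not treat "\" as a separator.
$withViewDir = array_merge($themeDirs, [dirname(normalisePath($path))]);

printf("theme dirs only:      %s\n", var_export(isUnderTrustedDir($path, $themeDirs), true));
printf("plus dirname(\$path):  %s\n", var_export(isUnderTrustedDir($path, $withViewDir), true));
```

Because `dirname($path)` trusts whatever directory `$path` points into, the extra entry is only as narrow as the code that computes `$path`.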

  • FYI I've created an issue on the Github tracker for the body visibility issue: https://github.com/vanilla/vanilla/issues/11086

  • Modifying core css files did the trick for me.

    FYI I didn't have the blank page issue with earlier versions i.e. 2021.009 or .011, it only just appeared with .012 so you wouldn't have to revert all the way back to 3.3.

    If you ask me I would upgrade to .009 bc .011 has another issue with the security settings.

  • Could it be that there is a JavaScript error in the console when there is a blank page displayed?

  • @MichaelTyson Thanks for logging the issue!

    @faumfaum Awesome, I followed your comment in the other post and modified admin.css and style-compat.css. Now contents are showing up. Thank you for pointing me in the right direction! I would have never figured it out alone.

    @R_J I didn't see any JS error, if I'm looking at the correct place in the browser dev tools...


    The next issue I encountered (lol never ending..) is that several pages in the dashboard are coming up blank (dashboard top menu and side menu are still visible, only the main content area is empty). Not all pages, just the following ones:

    • Layout
    • Language Settings
    • Labs
    • API

    Additionally, Branding & SEO page is missing the 'Banner Logo' and 'Mobile Banner Logo' settings for some reason. I wonder if the comments in this post are raising the same issues:

    https://open.vanillaforums.com/discussion/comment/263257/#Comment_263257


    I'm getting quite scared to apply this upgrade to production... It's probably just me doing something wrong, but I've been using Vanilla since 2014 and this feels like the most difficult upgrade I had to do. 😅 Prior to posting my first question I already had to resolve one DB error (which involved converting gdn_media table from MyISAM to InnoDB type - I was stumped for a long time until I finally found the fix). Perhaps I really should wait for future versions... I'm not sure...

    Anyway, thank you everyone who has helped so far! Really appreciate it!
