Status: Open
Labels: Bug, Needs triage, [Plugin] CRM, [Pri] High, [Status] Auto-allocated, [Status] Escalated to Product Ambassadors, [Status] Priority Review Triggered
Description
Impacted plugin
CRM
Quick summary
CRM stores data in wp-content/jpcrm-storage via jpcrm_storage_dir_info() in a very weird and odd manner.
This causes three main issues:
- wp-content is often not writable, other than wp-content/uploads, when running in multi-server environments (i.e. WordPress.com, WordPress.org, etc.)
- It throws PHP Warnings constantly, because the code is.. questionable..
- Functionality probably doesn't work
jetpack/projects/plugins/crm/includes/ZeroBSCRM.FileUploads.php, lines 426 to 441 in d8ebece:

```php
function jpcrm_storage_dir_info() {
	$uploads_dir      = WP_CONTENT_DIR;
	$uploads_url      = content_url();
	$private_dir_name = 'jpcrm-storage';
	if ( ! empty( $uploads_dir ) && ! empty( $uploads_url ) ) {
		$full_dir_path = $uploads_dir . '/' . $private_dir_name;
		$full_url      = $uploads_url . '/' . $private_dir_name;
		return array(
			'path' => $full_dir_path,
			'url'  => $full_url,
		);
	}
	return false;
}
```
- `$uploads_dir` and `$uploads_url` will always pass the `! empty()` check.
- This is Content URLs, not the upload directory.
- no file_exists() checks, no is_writable() checks, no validation logic what-so-ever (which based on the logic, seems to be intended to go in other functions that use this result)
- No filter, so I can't even put it into the writable uploads directory.
- There's some notion of "Private" here, but it's not exactly a hidden folder, I note `jpcrm_create_and_secure_dir_from_external_access()` does attempt to hide it though, and it seems files created should have hash-based filenames.
Warnings generated include, but are not limited to:
- fopen(wp-content/jpcrm-storage/contacts/index.html): Failed to open stream: No such file or directory
- fopen(wp-content/plugins/zero-bs-crm/templates/index.html): Failed to open stream: Permission denied
- chmod(): No such file or directory
- mkdir(): Permission denied
Steps to reproduce
- Create a site, with an unwritable wp-content.
- Try to use the plugin
- Watch and wait.
Site owner impact
Fewer than 20% of the total website/platform users
Severity
Critical
What other impact(s) does this issue have?
No response
If a workaround is available, please outline it here.
No response
Platform (Simple and/or Atomic)
No response
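One way the resolver could be hardened along the lines this report asks for (writability checks, a fallback to the uploads directory, a filter so a site owner can relocate it, no warnings on read-only wp-content). This is an added example, not Jetpack CRM code; it assumes WordPress is loaded, and the `example_`-prefixed function and filter names are hypothetical.

```php
<?php
// Added example (not Jetpack CRM code): a hardened storage-dir resolver.
// Assumes WordPress is loaded; WP_CONTENT_DIR, content_url(), wp_upload_dir(),
// wp_mkdir_p() and apply_filters() are real WordPress APIs. The function and
// filter names prefixed "example_" are hypothetical.
function example_crm_storage_dir_info() {
	$private_dir_name = 'jpcrm-storage';

	// Candidate bases, most private first. wp-content is often read-only on
	// multi-server hosts, so the uploads dir (which WordPress keeps writable)
	// is the fallback rather than being ignored.
	$candidates = array(
		array( 'path' => WP_CONTENT_DIR, 'url' => content_url() ),
	);
	$uploads = wp_upload_dir();
	if ( empty( $uploads['error'] ) ) {
		$candidates[] = array( 'path' => $uploads['basedir'], 'url' => $uploads['baseurl'] );
	}
	// Let a site owner point the plugin at a writable location of their choosing.
	$candidates = apply_filters( 'example_crm_storage_dir_candidates', $candidates );

	foreach ( $candidates as $base ) {
		if ( empty( $base['path'] ) || empty( $base['url'] ) ) {
			continue;
		}
		$path = rtrim( $base['path'], '/\\' ) . '/' . $private_dir_name;
		$url  = rtrim( $base['url'], '/' ) . '/' . $private_dir_name;

		// Create the directory only if its parent is writable, so no mkdir()/
		// chmod()/fopen() warnings are emitted on a read-only wp-content.
		if ( ! is_dir( $path ) && ( ! is_writable( $base['path'] ) || ! wp_mkdir_p( $path ) ) ) {
			continue;
		}
		if ( ! is_writable( $path ) ) {
			continue;
		}
		// Reduce exposure of stored files: block directory listings and, on
		// Apache 2.4, direct requests. Best-effort hardening, not a substitute
		// for the hash-based filenames the plugin already intends to use.
		if ( ! file_exists( $path . '/index.html' ) ) {
			file_put_contents( $path . '/index.html', '' );
		}
		if ( ! file_exists( $path . '/.htaccess' ) ) {
			file_put_contents( $path . '/.htaccess', "Require all denied\n" );
		}
		return array( 'path' => $path, 'url' => $url );
	}
	// Nothing writable: callers must handle false instead of emitting warnings.
	return false;
}
```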