Our internal SugarCRM system recently encountered an issue in the Module Loader screen. The screen was mysteriously blank when I went to upload a customization. Even more mysterious, the SugarCRM and Apache logs were completely void of anything helpful.
There are a few topics in the SugarCRM forums indicating that others have this issue, and the only connecting factor seemed to be that several of the hosts were Debian Squeeze. That didn’t mean much to me in the moment, but after checking our host’s /var/log/syslog, I found Suhosin errors.
Apr 24 01:06:20 SugarCRM suhosin: ALERT - Include filename ('upload://upgrades/patch/SugarEnt-Upgrade-6.3.x-to-6.4.2-manifest.php') is an URL that is not allowed (attacker '192.168.0.151', file '/var/www/sugar/ModuleInstall/PackageManager/PackageManager.php', line 663)
That line is referencing one of several old upgrade manifests, but using the upload:// prefix that, I suspected, ought to have been parsed and replaced with something like /var/www/sugar/. Then I remembered a singular forum post which ultimately directed me to a technical blog, Spam Collect, Fixed! – SugarCRM – Module Loader blank page after installing module. It pointed to a minor change at line 668 of ModuleInstall/PackageManager/PackageManager.php, which was awfully close to where my error message directed me. I found the indicated line at 662, but changing this
$target_manifest = remove_file_extension( $upgrade_content ) . '-manifest.php';
to this
$target_manifest = UploadFile::realpath(remove_file_extension( $upgrade_content ) . '-manifest.php');
proved to solve the problem.
Later, when running an upgrade on the same system, I found the same issue and fix worked for the Upgrade Wizard. Apply the same change to the similar code block in modules/UpgradeWizard/uw_utils.php at around line 821.
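To see every place where Suhosin is blocking an include for this reason, the alert lines can be pulled out of syslog and grouped by source file and line. This is an added example, not code from the original post or from SugarCRM; the function names are hypothetical and the sample log lines are constructed (the first is modelled on the alert quoted above).

```python
import re
from collections import Counter

# Suhosin's alert for an include()/require() whose target looks like a URL.
# The "attacker" field is simply the client address of the request being
# served, so an internal address here points at the application's own code.
ALERT = re.compile(
    r"suhosin(?:\[\d+\])?: ALERT - Include filename \('(?P<target>[^']+)'\) "
    r"is an URL that is not allowed "
    r"\(attacker '(?P<client>[^']+)', file '(?P<file>[^']+)', line (?P<line>\d+)\)"
)

def blocked_includes(lines):
    """Yield one dict per blocked URL include found in the syslog lines."""
    for raw in lines:
        m = ALERT.search(raw)
        if m:
            rec = m.groupdict()
            rec["line"] = int(rec["line"])
            rec["scheme"] = rec["target"].split("://", 1)[0]
            yield rec

def call_sites(lines):
    """Count blocked includes per (scheme, source file, source line)."""
    return Counter((r["scheme"], r["file"], r["line"])
                   for r in blocked_includes(lines))

# Constructed sample input; only the first line mirrors the post's alert.
SAMPLE = [
    "Apr 24 01:06:20 SugarCRM suhosin: ALERT - Include filename "
    "('upload://upgrades/patch/SugarEnt-Upgrade-6.3.x-to-6.4.2-manifest.php') "
    "is an URL that is not allowed (attacker '192.168.0.151', file "
    "'/var/www/sugar/ModuleInstall/PackageManager/PackageManager.php', line 663)",
    "Apr 24 01:06:20 SugarCRM suhosin: ALERT - Include filename "
    "('upload://upgrades/patch/example-a-manifest.php') "
    "is an URL that is not allowed (attacker '192.168.0.151', file "
    "'/var/www/sugar/ModuleInstall/PackageManager/PackageManager.php', line 663)",
    "Apr 24 01:17:01 SugarCRM CRON[2211]: (root) CMD (run-parts /etc/cron.hourly)",
    "Apr 25 09:41:12 SugarCRM suhosin[3120]: ALERT - Include filename "
    "('upload://upgrades/patch/example-b-manifest.php') "
    "is an URL that is not allowed (attacker '192.168.0.151', file "
    "'/var/www/sugar/modules/UpgradeWizard/uw_utils.php', line 821)",
]

if __name__ == "__main__":
    for (scheme, path, line), hits in call_sites(SAMPLE).most_common():
        print(f"{hits:3d}  {scheme}://  {path}:{line}")
```

Each distinct file and line in the output is a separate include that still receives the unresolved upload:// name.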