Kanboard 1.2.47 bugged on Windows upload

Hi,

Kinda new here. I’ve been trying to configure Kanboard for 4 days, and I’ve reached the conclusion that version 1.2.47 is bugged on Windows uploads/removes.

I’ve tested the path check on Windows, unassembling the FileModel.php, on line:

$this->objectStorage->moveUploadedFile($file['tmp_name'], $destination_filename);

Manually bypassing the parameters results in the code working (sometimes, not sure why).

I’ve tried to open a bug in the git, but the access is limited and I’ve lost my old GitHub account.

EVIDENCE:

[Wed Aug 20 08:57:18.913773 2025] [php:notice] [pid 1600:tid 1128] [client 127.0.0.1:51315] [error] File is not in base directory: /C:\Apache24\htdocs\kanboard/C:/Apache24/htdocs/kanboard/data/files/tasks/1/02be7446fb459cdb8d37b8b3b11d7566a7a3ffcc

CONFIG:

define('TMP_DIR', __DIR__.DIRECTORY_SEPARATOR.'data'.DIRECTORY_SEPARATOR.'tmp');

MANUAL TEST ON PERMISSIONS:

<?php
// Stand-alone upload test: store the posted file under kanboard/data/files/.
$targetDir = __DIR__ . '/kanboard/data/files/';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (move_uploaded_file($_FILES['file']['tmp_name'], $targetDir.'test_upload.txt')) {
        echo 'Success!!';
    } else {
        echo 'ERROR!!';
    }
} else {
    // Non-POST request: nothing to store (the upload form belongs here).
}
?>

This test works, all Windows permissions given.

Same configuration goes well for 1.2.46. Once I installed version 1.2.46, the problem is solved.

Also, changelog:

  • fix: sanitize and validate uploaded files path

This may require a hotfix, because it completely disables all the configuration related to files.

I’ve tried upload, removal, and avatars. They all fail with 47 and work with the same configuration on 46.

Can you please take a look?

Cheers.

I have no TMP_DIR definition in my configs. You might be wrong here.

Also, check your open_basedir setting in PHP.

I tried it several times with and without the parameter.

The important red flag here is that this configuration (same php, same apache, same tmp path, same permissions) works with 1.2.46. I mean, you deploy kanboard and kanboard2, and switch them, and only 47 crashes. Also, I’ve debugged the path inside the application and 47 does not work while moving or deleting files.

I’ve tested that in two different environments (work and home) and it fails in both of them. 46 works in both also.

And it is indicated in the changelog that the path was sanitized, which raises a second red flag.

Thanks for the reply!

OK, I see. I cannot say much regarding Kanboard on Windows; all my installations are on Linux machines, and they don’t show the issue described here.

With a brief debugging session, I could spot your issue, I think.

It’s in function sanitize_path at app/functions.php:317.

Here the $path already contains the absolute file path, but no leading ‘/’. Preceding it with a cwd ends up in a bad filename. Clearly wrong, IMHO.

You can try to omit the cwd; simply add a leading ‘/’, nothing else. But I don’t know if this will break other uses of the function. It’s at your own risk.

Please keep in mind that I checked this on a Linux system, not with real Windows paths.

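The failure described in the reply above, as an added example that is not part of the thread and is not Kanboard's code: a hypothetical `naive_resolve()` reproduces the shape of the logged path by prefixing the cwd to a Windows absolute path, while the hypothetical `resolve()` and `is_in_base()` helpers recognize drive-letter paths before doing the containment check. The paths are constructed samples, and treating `\` as a separator on every OS is an assumption made so the demo runs anywhere.

```php
<?php
// Added illustration, not Kanboard's sanitize_path(); all function names are hypothetical.
// Failure mode: anything without a leading '/' is assumed relative and gets the cwd.
function naive_resolve(string $path, string $cwd): string
{
    return ($path !== '' && $path[0] === '/') ? $path : '/' . $cwd . '/' . $path;
}

// Collapse separators, '.' and '..' lexically, without touching the filesystem.
function normalize_path(string $path): string
{
    $path = str_replace('\\', '/', $path);   // assumption: '\' is always a separator
    $drive = '';
    if (preg_match('~^[A-Za-z]:~', $path, $m)) {
        $drive = strtoupper($m[0]);
        $path = (string) substr($path, 2);
    }
    $root = ($path !== '' && $path[0] === '/') ? '/' : '';
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') { array_pop($out); continue; }
        $out[] = $seg;
    }
    return $drive . $root . implode('/', $out);
}

// Absolute means a POSIX root or a Windows drive root; only relative paths get the cwd.
function resolve(string $path, string $cwd): string
{
    $p = str_replace('\\', '/', $path);
    $absolute = preg_match('~^(?:/|[A-Za-z]:/)~', $p) === 1;
    return normalize_path($absolute ? $path : $cwd . '/' . $path);
}

function is_in_base(string $path, string $base, string $cwd): bool
{
    // The trailing '/' on both sides keeps "files_old" from matching base "files".
    $b = rtrim(resolve($base, $cwd), '/') . '/';
    return strncmp(resolve($path, $cwd) . '/', $b, strlen($b)) === 0;
}

// Constructed sample values shaped like the log line in the thread.
$cwd  = 'C:\Apache24\htdocs\kanboard';
$base = $cwd . '\data\files';
$file = 'C:/Apache24/htdocs/kanboard/data/files/tasks/1/SAMPLE';

echo naive_resolve($file, $cwd), PHP_EOL;   // cwd glued in front of an absolute path
// Cases: absolute upload path, relative upload path, '..' escape, sibling directory.
foreach ([$file, 'data/files/tasks/1/SAMPLE', $base . '\..\..\config.php', $base . '_old/x'] as $p) {
    printf("%-60s %s\n", $p, is_in_base($p, $base, $cwd) ? 'inside' : 'outside');
}
```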

Thanks for sharing, I’ll give it a try after holidays.

I’ve installed version 46 for the moment, but my main intention with this thread was to report a possible issue in order to help the devs and the community.

Probably, a nice hotfix could solve the problem if someone on the dev team can double-check this on Windows.

Hope the clues help for a future release/fix =)

I have to say that my teammates are quite impressed with Kanboard and they are asking me when it is going to be live.

Thanks for the help!!
