Kanboard 1.2.47 bugged on Windows upload

Hi,

Kinda new here. I’ve been trying to configure Kanboard for 4 days, and I’ve reached the conclusion that version 1.2.47 is bugged on Windows uploads/removes.

I’ve tested the path check on windows, unassembling the FileModel.php, on line:

$this->objectStorage->moveUploadedFile($file['tmp_name'], $destination_filename);

Manually bypassing parameters results in the code working (sometimes, not sure why).

I’ve tried to open a bug in the git, but the access is limited and I’ve lost my old GitHub account.

EVIDENCE:

[Wed Aug 20 08:57:18.913773 2025] [php:notice] [pid 1600:tid 1128] [client 127.0.0.1:51315] [error] File is not in base directory: /C:\Apache24\htdocs\kanboard/C:/Apache24/htdocs/kanboard/data/files/tasks/1/02be7446fb459cdb8d37b8b3b11d7566a7a3ffcc

CONFIG:

define('TMP_DIR', __DIR__.DIRECTORY_SEPARATOR.'data'.DIRECTORY_SEPARATOR.'tmp');

MANUAL TEST ON PERMISSIONS:

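<?php
// Standalone permission test: move an uploaded file into Kanboard's files directory.
$targetDir = __DIR__ . '/kanboard/data/files/';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (move_uploaded_file($_FILES['file']['tmp_name'], $targetDir . 'test_upload.txt')) {
        echo 'Success!!';
    } else {
        echo 'ERROR!!';
    }
} else {
    // The form markup was lost from the post; this minimal form is a stand-in.
    ?>
    <form method="post" enctype="multipart/form-data">
        <input type="file" name="file"> <input type="submit">
    </form>
    <?php
}
?>

This test works, all Windows permissions given.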

Same configuration goes well for 1.2.46. Once I installed version 1.2.46, the problem is solved.

Also, changelog:

  • fix: sanitize and validate uploaded files path

This may require a hotfix, because it disables completely all the configuration related to files.

I’ve tried upload, removal, and avatars. They all fail with 47 and work with the same configuration on 46.

Can you please take a look?

Cheers.

I have no TMP_DIR definition in my configs. You might be wrong here.

Also, check your open_basedir setting in PHP.

1 Like

I tried it several times with and without the parameter.

The important red flag here is that this configuration (same PHP, same Apache, same tmp path, same permissions) works with 1.2.46. I mean, you deploy kanboard and kanboard2, and switch them, and only 47 crashes. Also, I’ve debugged the path inside the application and 47 does not work while moving or deleting files.

I’ve tested that in two different environments (work and home) and it fails in them both. 46 works in both also.

And it is indicated in the changelog that the path was sanitized, which raises a second red flag.

Thanks for the reply!

OK, I see. I cannot say much regarding Kanboard on Windows; all my installations are on Linux machines, and they don’t show the issue described here.

With a brief debugging session, I could spot your issue, I think.

It’s in function sanitize_path at app/functions.php:317.

Here the $path already contains the absolute file path, but no leading ‘/’. Preceding it with a cwd ends up in a bad filename. Clearly wrong, IMHO.

You can try to omit the cwd; simply add a leading ‘/’, nothing else. But I don’t know if this will break other uses of the function. It’s your own risk.

Please keep in mind that I checked this on a Linux system, not with real Windows paths.

2 Likes

Thanks for sharing, I’ll give it a try after holidays.

I’ve installed version 46 for the moment, but my main intention with this thread was to report a possible issue in order to help the devs and community.

Probably, a nice hotfix could solve the problem if someone of the dev team can double check this on windows.

Hope the clues help for a future release/fix =)

I have to say that my teammates are quite impressed with Kanboard and they are asking me about when it is going to be live.

Thanks for the help!!

1 Like

I’m having the same issues (on Windows 10) and tried this fix and it didn’t work.

No matter what you set, at this point the code will prefix a slash:

$normalized = '/' . implode('/', $resolved);

It’s almost like the whole function should be ignored unless there is an issue with the path already.

i.e. I drop an exit; near the top of the sub and everything works hunky dory.

Note version 1.2.46 and 1.2.47 both have this new ‘sanitize_path’ function. Pre 1.2.46 I have no problems uploading files. I’m staying on 1.2.45 until this is fixed :(

2 Likes

I tried with 1.2.46, and it did work for me. As I understand, it is reasonable to keep your version on a functional one; is 46 not working for you either?

I successfully deployed it on my test server without problem.

I didn’t try 1.2.46 but I checked the code and the ‘sanitize_path’ function that seems to be causing the path problem is exactly the same as 1.2.47

I’m on Windows 10, and my paths were getting an added ‘/’ to the front of them, so c:/path_to_whatever would end up being /c:/path_to_whatever

Hi there, we got a working fix for now, don’t know about side effects though…

Replace in functions.php → sanitize_path():

// Checks only POSIX-Style
if ($path[0] !== '/') {
    $path = getcwd() . '/' . $path;
}

with:

// Respects Windows and Linux
if (!preg_match('#^(?:[A-Za-z]:/|/)#', $path)) {
    $path = getcwd() . '/' . $path;
}

In case of Windows you still need to change this, to get rid of the leading / and the wrong path separator:

// from
$normalized = '/' . implode('/', $resolved);
// to
$normalized = implode('\\', $resolved);

Have a nice Kanboard

2 Likes
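The root handling discussed in the posts above, sketched as an added example that is not part of any post and is not Kanboard's own code: a lexical normaliser that accepts both POSIX and drive-letter roots without a per-platform edit, plus the base-directory containment test the sanitising is there to enforce. The function names `normalize_abs_path` and `is_inside_base` and all sample paths are assumptions made for illustration.

```php
<?php
// Added illustration, not Kanboard's sanitize_path(); function names are hypothetical.

// Normalise a path lexically; accepts "/..." (POSIX) and "C:/..." or "C:\..." (Windows) roots.
function normalize_abs_path(string $path, string $cwd): string
{
    $path = str_replace('\\', '/', $path);
    // Prepend the working directory only when the path has no root of its own.
    if (!preg_match('#^(?:[A-Za-z]:/|/)#', $path)) {
        $path = rtrim(str_replace('\\', '/', $cwd), '/') . '/' . $path;
    }
    // Split off a drive root so it is never re-prefixed with "/".
    $root = '';
    if (preg_match('#^([A-Za-z]:)/#', $path, $m)) {
        $root = strtoupper($m[1]);
        $path = substr($path, 2);
    }
    $resolved = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($resolved); // never climbs above the root
            continue;
        }
        $resolved[] = $segment;
    }
    return $root . '/' . implode('/', $resolved);
}

// True when $path resolves to $base itself or to something beneath it.
function is_inside_base(string $path, string $base, string $cwd): bool
{
    $p = normalize_abs_path($path, $cwd);
    $b = rtrim(normalize_abs_path($base, $cwd), '/');
    if (preg_match('#^[A-Z]:/#', $p)) { // drive paths compare case-insensitively
        $p = strtolower($p);
        $b = strtolower($b);
    }
    return $p === $b || strncmp($p, $b . '/', strlen($b) + 1) === 0;
}

// Constructed inputs modelled on the log line in the first post.
$cwd  = 'C:\\Apache24\\htdocs\\kanboard';
$base = 'C:/Apache24/htdocs/kanboard/data/files';
var_dump(is_inside_base($base . '/tasks/1/02be7446', $base, $cwd));         // stored upload
var_dump(is_inside_base($base . '/../../config.php', $base, $cwd));        // traversal attempt
var_dump(is_inside_base('/srv/kb/data/files/a', '/srv/kb/data/files', '/srv/kb')); // POSIX
```

The check is purely lexical: it does not resolve symlinks and does not handle UNC paths, so it complements rather than replaces a realpath()-based check on files that already exist.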

I can confirm this fix worked for me :)
On Windows 10, Kanboard 1.2.47 , PHP 8.2.0

Huzzah!!!

I also run Kanboard 1.2.47 on Ubuntu 24, and have not had this issue.

1 Like