Ticket #1064 (fixed enhancement)
error() function, PUN_DEBUG and security
- Created: 2015-12-07 08:49:20
- Reported by: Visman
- Assigned to: quy
- Milestone: 1.5.10
- Component: security
- Priority: low
The function displays the full path to the file.
For example:
File: C:\WAMP\www\59\include\dblayer\mysqli_innodb.php
Line: 49
File: /home/healt178/public_html/forum/include/dblayer/mysql.php
Line: 46
I propose to change the function to output only part of the path to the file:
if (defined('PUN_DEBUG') && !is_null($file) && !is_null($line))
{
--->
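if (defined('PUN_DEBUG') && !is_null($file) && !is_null($line))
{
	// Normalise separators, then drop leading directories until a known top-level directory or a .php file is reached
	$arr_f = explode('/', trim(str_replace('\\', '/', $file), '/ '));
	// count() guard: stop at the last segment so the loop cannot run past the end of the array
	while (count($arr_f) > 1 && substr($arr_f[0], -4) !== '.php' && !in_array($arr_f[0], array('addons', 'include', 'plugins')))
		array_shift($arr_f);
	$file = implode('/', $arr_f);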
Result:
File: include/dblayer/mysqli_innodb.php
Line: 49
File: include/dblayer/mysql.php
Line: 46
History

This is why I suggested displaying debug info to admins only.
Visman, will this work?
Replace in the echo statement:
$file
with:
str_replace(getcwd(), '', $file)
Franz 2015-12-10 19:37:28

Can't we use PUN_ROOT for cutting off the beginning? That should be an absolute path now (at least when combined with the realpath method).

On Windows, the ending slash is a forward slash in PUN_ROOT.
C:\xampp\htdocs\fluxbb/
Thus, it won't work until it is replaced with a backslash.
str_replace(str_replace('/', '\\', PUN_ROOT), '', $file)
Visman 2015-12-11 03:55:02

@quy, getcwd() works in UwAmp (Windows):
C:\WAMP\www\59\include\dblayer\mysqli_innodb.php
-->
\include\dblayer\mysqli_innodb.php
but (http://php.net/manual/en/function.getcwd.php)
On some Unix variants, getcwd() will return FALSE if any one of the parent directories does not have the readable or search mode set, even if the current directory does. See chmod() for more information on modes and permissions.
and this works:
$file = str_replace(str_replace('\\', '/', PUN_ROOT), '', str_replace('\\', '/', $file));
Franz 2015-12-11 08:18:01

What if we do realpath(PUN_ROOT)? That should resolve all dots in the path and also unify the slashes, if I'm not mistaken.
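The approaches discussed in this ticket, combined into one helper as an added example (not FluxBB code and not from any commenter): it normalises separators on both the file and the root, strips the root only when it is a true prefix, and falls back to the bare file name so a mismatch never prints the absolute path. The names normalize_path() and debug_display_path() are hypothetical, and the root argument is assumed to be the forum root (PUN_ROOT in this ticket).

```php
<?php
// Added example: hypothetical helpers, pure string handling so it runs on any OS.

function normalize_path(string $path): string
{
    // Unify separators so "C:\a\b/" and "C:/a/b" compare equal.
    return rtrim(str_replace('\\', '/', $path), '/');
}

function debug_display_path(string $file, string $root): string
{
    $file = normalize_path($file);
    $root = normalize_path($root);

    // An empty root would match every absolute path; show the file name only.
    if ($root === '') {
        return basename($file);
    }
    $root .= '/';

    // Strip the root only when it is a true prefix of the file path.
    // Paths with a drive letter are compared case-insensitively.
    $isWindows = (bool) preg_match('#^[A-Za-z]:/#', $root);
    $cmp = $isWindows ? 'strncasecmp' : 'strncmp';
    if ($cmp($file, $root, strlen($root)) === 0) {
        return substr($file, strlen($root));
    }

    // Fail closed: a file outside the root shows its name, never its directory.
    return basename($file);
}

// Constructed inputs, reusing the paths quoted in this ticket.
$cases = [
    ['C:\WAMP\www\59\include\dblayer\mysqli_innodb.php', 'C:\WAMP\www\59/'],
    ['/home/healt178/public_html/forum/include/dblayer/mysql.php', '/home/healt178/public_html/forum/'],
    ['/usr/share/php/lib/helper.php', '/home/healt178/public_html/forum/'],
];
foreach ($cases as [$file, $root]) {
    echo debug_display_path($file, $root), PHP_EOL;
}
```

The third case shows the difference from a plain str_replace(): when the root does not match, str_replace() returns the full path unchanged, while this helper prints only the file name.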