
Ticket #1064 (fixed enhancement)

error() function, PUN_DEBUG and security

  • Created: 2015-12-07 08:49:20
  • Reported by: Visman
  • Assigned to: quy
  • Milestone: 1.5.10
  • Component: security
  • Priority: low

The function displays the full path to the file.
For example:

File: C:\WAMP\www\59\include\dblayer\mysqli_innodb.php
Line: 49
File: /home/healt178/public_html/forum/include/dblayer/mysql.php
Line: 46

I propose to change the function to output only part of the path to the file:

	if (defined('PUN_DEBUG') && !is_null($file) && !is_null($line))
	{

--->

	if (defined('PUN_DEBUG') && !is_null($file) && !is_null($line))
	{
		// Unify separators, then split the path into its components
		$arr_f = explode('/', trim(str_replace('\\', '/', $file), '/ '));
		// Drop leading components until a .php file or a known forum directory is reached;
		// the count() guard ends the loop (leaving only the file name) if neither is found
		while (count($arr_f) > 1 && substr($arr_f[0], -4) !== '.php' && !in_array($arr_f[0], array('addons', 'include', 'plugins')))
			array_shift($arr_f);

		$file = implode('/', $arr_f);

Result:

File: include/dblayer/mysqli_innodb.php
Line: 49
File: include/dblayer/mysql.php
Line: 46

History

Franz 2015-12-07 20:38:04

  • Milestone set to 1.5.10.

adaur 2015-12-08 11:04:45

I agree, we shouldn't disclose path.

quy 2015-12-10 18:42:34

This is why I suggested displaying debug info to admins only.

Visman, will this work?
Replace in the echo statement:

$file

with:

str_replace(getcwd(), '', $file)

Franz 2015-12-10 19:37:28

Can't we use PUN_ROOT for cutting off the beginning? That should be an absolute path now (at least when combined with the realpath method).

quy 2015-12-10 20:10:51

On Windows, the ending slash is a forward slash in PUN_ROOT.

C:\xampp\htdocs\fluxbb/

Thus, it won't work until it is replaced with a backslash.

str_replace(str_replace('/', '\\', PUN_ROOT), '', $file)

Visman 2015-12-11 03:55:02

@quy, getcwd() works in UwAmp (Windows):

C:\WAMP\www\59\include\dblayer\mysqli_innodb.php

-->

\include\dblayer\mysqli_innodb.php

but (http://php.net/manual/en/function.getcwd.php)

On some Unix variants, getcwd() will return FALSE if any one of the parent directories does not have the readable or search mode set, even if the current directory does. See chmod() for more information on modes and permissions.

and this works:

$file = str_replace(str_replace('\\', '/', PUN_ROOT), '', str_replace('\\', '/', $file));

Franz 2015-12-11 08:18:01

What if we do realpath(PUN_ROOT)? That should resolve all dots in the path and also unify the slashes, if I'm not mistaken.

quy 2015-12-12 00:19:36

Both solutions work with the following differences:

Franz: output has a leading slash and displays back/forward slashes accordingly per OS.
Visman: output has no leading slash and displays forward slashes for both OSes.

Which do you prefer?
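The root-stripping approach compared in this comment, as an added PHP example that is not FluxBB's own code: separators are unified first, the forum root (PUN_ROOT, passed in here as `$root`, with the trailing forward slash FluxBB uses even on Windows) is cut off, and a file that lies outside the root falls back to its basename so no other server path leaks. The function name `pun_public_path` and the sample inputs are constructed for this example; realpath() is left out so the samples run on any OS.

```php
<?php
// Added example, not FluxBB code: reduce a path before it is shown in a
// PUN_DEBUG error message, so the absolute server path is not disclosed.
// $root stands in for PUN_ROOT (trailing forward slash, as quy observed).
function pun_public_path($file, $root)
{
    // Unify separators so Windows and Unix paths compare the same way;
    // this is the "forward slashes for both OSes" output Visman's variant gives.
    $f = str_replace('\\', '/', $file);
    $r = rtrim(str_replace('\\', '/', $root), '/') . '/';

    // Prefix match: __FILE__ and PUN_ROOT come from the same origin, so an
    // exact comparison is enough once the separators agree.
    if (strlen($f) > strlen($r) && strncmp($f, $r, strlen($r)) === 0)
        return substr($f, strlen($r));   // no leading slash, e.g. include/dblayer/mysql.php

    // File outside the forum root (include_path hit, external library, ...):
    // reveal only the file name rather than a different absolute path.
    return basename($f);
}

// Constructed sample inputs: a Windows install, a Unix install, and a
// file outside the root.
$cases = array(
    array('C:\WAMP\www\59\include\dblayer\mysqli_innodb.php', 'C:\WAMP\www\59/'),
    array('/home/healt178/public_html/forum/include/dblayer/mysql.php', '/home/healt178/public_html/forum/'),
    array('/usr/share/php/PEAR/Mail.php', '/home/healt178/public_html/forum/'),
);
foreach ($cases as $c)
    echo 'File: ', pun_public_path($c[0], $c[1]), "\n";
```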

quy 2015-12-28 21:48:20

  • Owner set to quy.

quy 2016-01-17 15:33:02

Commit de08e2d to fluxbb 1.5-next

#1064 Hide full path to file in error message

Franz 2016-01-17 17:38:26

Commit 56cfed5 to fluxbb 1.5-next

Merge pull request #192 from Quy/1064-fullpath

#1064 Hide full path to file in error message

quy 2016-01-17 18:39:43

  • Status changed from open to fixed.

quy 2016-06-16 07:53:51

Commit 04df5a4 to fluxbb master

#1064 Hide full path to file in error message