Chapril/paste.chapril.org-privatebin
Chapril/paste.chapril.org-privatebin
25
1
Fork 0
Code Issues Releases Wiki Activity

Add logic to rename insecure CONFIG_PATH

Browse Source
This commit is contained in:
Lucas Savva 2019-12-24 18:50:49 +00:00
parent 13fb849973
commit d5d13fa831
1 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
lib/Configuration.php
View File

@ -104,11 +104,21 @@ class Configuration
$config = array();
$basePath = PATH . 'cfg' . DIRECTORY_SEPARATOR;
$configIni = $basePath . 'conf.ini';
$configFile = $basePath . 'conf.php';
if (getenv('CONFIG_PATH') !== false) {
$configFile = getenv('CONFIG_PATH');
} else {
$configFile = $basePath . 'conf.php';
// Rename INI files to avoid configuration leakage
if (
strtolower(substr($configFile, -3, 3)) == 'ini' &&
is_readable($configFile) &&
is_writable(dirname($configFile))
) {
$oldConfigFile = $configFile;
$configFile = substr($configFile, 0, -3) . 'php';
DataStore::prependRename($oldConfigFile, $configFile, ';');
}
}
// rename INI files to avoid configuration leakage