From: Jerome Jutteau
Date: Thu, 19 Nov 2020 20:50:31 +0000 (+0100)
Subject: [BUGFIX] disable php error reporting by default
X-Git-Tag: 4.2.0~11
X-Git-Url: https://git.p6c8.net/jirafeau.git/commitdiff_plain/9d77c0fe903db4f4ab2e3c6b5d5fc956f58c227d?ds=sidebyside
[BUGFIX] disable php error reporting by default
wrong permission configuration migth trigger error or warning message leaking location of var-folder. ref #238
Signed-off-by: Jerome Jutteau
---
diff --git a/README.md b/README.md
index 37fdfc7..3cebad5 100644
--- a/README.md
+++ b/README.md
@@ -80,6 +80,7 @@ If you have some troubles, consider the following cases
 - Check your ```/lib/config.local.php``` file and compare it with ```/lib/config.original.php```, the configuration syntax or a parameter may have changed
 - Check owner & permissions of your files
+- set `debug` option to `true` to check any warning or error
 ## Security
diff --git a/lib/config.original.php b/lib/config.original.php
index f522944..f1f0368 100644
--- a/lib/config.original.php
+++ b/lib/config.original.php
@@ -180,3 +180,10 @@ $cfg['litespeed_workaround'] = false;
 * or needs to start the installation script
 */
 $cfg['installation_done'] = false;
+
+/* Enable this debug flag to allow eventual PHP error reporting.
+ * This is disabled by default permission misconfiguration might generate warnings or errors.
+ * Those warnings can break Jirafeau and also show path to var- folder in debug messages.
+ * var- folder should kept secret and accessing it may lead to data leak if unprotected.
+ */
+$cfg['debug'] = false;
diff --git a/lib/settings.php b/lib/settings.php
index 9bccc86..c520412 100644
--- a/lib/settings.php
+++ b/lib/settings.php
@@ -29,6 +29,13 @@ if (file_exists(JIRAFEAU_ROOT . 'lib/config.local.php')) {
 unset($cfgOriginal);
 }
+// Setup debug mode
+error_reporting(0);
+if ($cfg['debug'] === true)
+{
+ error_reporting(E_ALL);
+}
+
 // Set constants
 /* Jirafeau package */
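Review bot: The new comment above `$cfg['debug']` in lib/config.original.php is hard to parse at the point where it explains the default, and that is the sentence an administrator needs before switching the flag on. Its second line is missing a conjunction and could read `* This is disabled by default because a permission misconfiguration might generate warnings or errors.`, and the fourth line could read `* The var- folder should be kept secret; accessing it may lead to a data leak if it is unprotected.`. I would also state in the comment that the flag is meant for temporary troubleshooting, since the README hunk only tells users to set it to `true` and not to set it back afterwards.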
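Review bot: `error_reporting(0)` in the added block of lib/settings.php turns reporting off altogether, so with `debug` false the permission warnings this commit hides from visitors are no longer written to the PHP error log either, and an operator gets no signal that the var- folder is misconfigured. The path leak comes from errors being displayed in the response, so I would keep reporting on and switch only the display: `error_reporting(E_ALL);` followed by `ini_set('display_errors', $cfg['debug'] === true ? '1' : '0');`. The block also runs after the `require` of `lib/config.local.php` visible in the context lines, so anything raised while that file loads is still governed by the server's php.ini; a short comment next to the block saying so would help. As a style point, the opening brace on its own line after `if ($cfg['debug'] === true)` differs from the same-line brace of the `if (file_exists(...)) {` in the hunk header.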