From 9d77c0fe903db4f4ab2e3c6b5d5fc956f58c227d Mon Sep 17 00:00:00 2001
From: Jerome Jutteau
Date: Thu, 19 Nov 2020 21:50:31 +0100
Subject: [PATCH 1/1] [BUGFIX] disable php error reporting by default

wrong permission configuration migth trigger error or warning message leaking location of var-folder. ref #238
Signed-off-by: Jerome Jutteau
---
 README.md | 1 +
 lib/config.original.php | 7 +++++++
 lib/settings.php | 7 +++++++
 3 files changed, 15 insertions(+)
diff --git a/README.md b/README.md
index 37fdfc7..3cebad5 100644
--- a/README.md
+++ b/README.md
@@ -80,6 +80,7 @@ If you have some troubles, consider the following cases
 - Check your ```/lib/config.local.php``` file and compare it with ```/lib/config.original.php```, the configuration syntax or a parameter may have changed
 - Check owner & permissions of your files
+- set `debug` option to `true` to check any warning or error
 ## Security
diff --git a/lib/config.original.php b/lib/config.original.php
index f522944..f1f0368 100644
--- a/lib/config.original.php
+++ b/lib/config.original.php
@@ -180,3 +180,10 @@ $cfg['litespeed_workaround'] = false;
 * or needs to start the installation script
 */
 $cfg['installation_done'] = false;
+
+/* Enable this debug flag to allow eventual PHP error reporting.
+ * This is disabled by default permission misconfiguration might generate warnings or errors.
+ * Those warnings can break Jirafeau and also show path to var- folder in debug messages.
+ * var- folder should kept secret and accessing it may lead to data leak if unprotected.
+ */
+$cfg['debug'] = false;
diff --git a/lib/settings.php b/lib/settings.php
index 9bccc86..c520412 100644
--- a/lib/settings.php
+++ b/lib/settings.php
@@ -29,6 +29,13 @@ if (file_exists(JIRAFEAU_ROOT . 'lib/config.local.php')) {
 unset($cfgOriginal);
 }
+// Setup debug mode
+error_reporting(0);
+if ($cfg['debug'] === true)
+{
+ error_reporting(E_ALL);
+}
+
 // Set constants
 /* Jirafeau package */
--
2.34.1
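Review bot: The comment added above `$cfg['debug']` in lib/config.original.php is hard to parse: "This is disabled by default permission misconfiguration might generate…" is missing a "because", and "should kept secret" is missing "be". It also does not tell the operator that the flag is meant for temporary troubleshooting only. I would reword it along the lines of `/* Set to true only while troubleshooting: PHP warnings and errors are then reported and may reveal the path of the var- folder. */`, with one more sentence saying the flag should go back to `false` once the problem is found.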
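Review bot: `error_reporting(0)` in the lib/settings.php hunk does more than keep messages out of the response: it stops PHP from reporting errors at all, so a permission problem on the var- folder no longer reaches the server error log either, and the operator loses the signal that something is misconfigured. Keeping errors out of the page while still logging them addresses the path disclosure just as well, e.g. `error_reporting(E_ALL); ini_set('log_errors', '1'); ini_set('display_errors', $cfg['debug'] === true ? '1' : '0');`. The call also sits after the configuration files are loaded (that code starts above the hunk and is not fully visible), so anything raised while loading them is presumably still governed by the server's php.ini defaults. As a style point, the new `if` puts its opening brace on its own line, while the `if (file_exists(...)) {` shown in the hunk header keeps it on the same line.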