|
From: Markus P. <mar...@us...> - 2005-04-09 16:21:54
|
Update of /cvsroot/mxbb/core/install In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv16739 Modified Files: mx_install.php Log Message: Fixed problems when the PHP function realpath() has been disabled. Yeah, it seems it happens on some servers such as Lycos. Just wanted to mention what they try to avoid is, IMHO, useless. Also they have introduced a path disclosure vulnerability with the warning message PHP generates when an application tried to use the realpath function (without @ of course). :p Index: mx_install.php =================================================================== RCS file: /cvsroot/mxbb/core/install/mx_install.php,v retrieving revision 1.40 retrieving revision 1.41 diff -C2 -d -r1.40 -r1.41 *** mx_install.php 6 Apr 2005 06:35:00 -0000 1.40 --- mx_install.php 9 Apr 2005 16:21:44 -0000 1.41 *************** *** 702,706 **** $document_root = './'; } ! $document_root = str_replace('\\', '/', realpath($document_root)); // --- 702,706 ---- $document_root = './'; } ! $document_root = str_replace('\\', '/', mx_realpath($document_root)); // *************** *** 742,746 **** // Let's see whether we have read access to our parent directory // ! $parent_path = realpath($mx_absolute_path.'../'); if( is_readable($parent_path) ) { --- 742,746 ---- // Let's see whether we have read access to our parent directory // ! $parent_path = mx_realpath($mx_absolute_path.'../'); if( is_readable($parent_path) ) { *************** *** 1686,1688 **** --- 1686,1710 ---- } + // + // FYI: This is our easy workaround to the PHP realpath function, which might be disabled + // on some servers (Lycos and maybe others) ...they say it's for "security" reasons, heh. 
+ // + // When the PHP realpath function is disabled it returns false and generates a message like: + // + // Warning: realpath (and maybe other functions) has been disabled for security reasons in + // path-to-your/install/mx_install.php on line XXX + // + // This "security" measure seems somehow stupid since information of the filesystem layout + // can be easily retrieved from PHP (and Apache) global variables ...as well as from the + // same PHP generated warning message! :P + // + // Just wanted to mention I already saw the phpBB guys also created their own phpbb_realpath + // function (in includes/functions.php). I never understood why they did it. Only if they + // had documented the correct reason in their source code. ;-) + // + function mx_realpath($path) + { + return ( @function_exists('realpath') && @realpath(__FILE__) ? realpath($path) : $path ); + } + ?> \ No newline at end of file |
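Review bot: in the hunk at line 702, when mx_realpath() takes its fallback branch, $document_root can still be the relative './' assigned just above, where the old realpath() call produced an absolute path. Any later code that compares or strips $document_root against absolute paths will behave differently on hosts with realpath() disabled. Either resolve the './' default some other way in the fallback case, or add a comment at this call stating that a relative value is acceptable here. The same applies to $parent_path in the hunk at line 742, which would keep its trailing '../' segment.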
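Review bot: mx_realpath(), added in the hunk at line 1686, has two different return contracts that the comment block does not document: a canonical path when realpath() is usable, and the caller's raw $path, possibly relative and uncanonicalized, when it is not. The commentary about hosting providers could be replaced with a short statement of what the function returns in each case, so that callers know not to rely on an absolute result. A smaller point: the @realpath(__FILE__) probe runs on every call, and its result could be kept in a static variable inside the function.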