> > Feature (closed)

fix the error-output to write a valid php-file


Nov 12, 2006
Apr 15, 2012
Nov 12, 2006 / pixtur
Apr 15, 2012 / pixtur

Attached files

No files uploaded
Viewing the _tmp/errors.inc.php file (because it's not a valid php-file) it security critical, because too many sensitive information is stored there.


binder:just add a header to starting page?

11 years ago

errors.inc.php is supposed to be opened with a text editor, so just add in the first line of the file:
<? header("Location: index.php");exit ?>

madlyr:This file is viewable by system info page

11 years ago

This file is viewable by system info page and should have:
  1. proper user authentication checking (only admins could see this page, I'm not sure, maybe PM managers too),
  2. proper header with code page (currently this page does not have any header) - based on person language (we use utf-8).

binder:Antwort auf This file is viewable by system info page

11 years ago

yes, but not "as is", error.inc.php is parsed and then shown?

but of course, the best solution would be to add a right management to this file, too.

pixtur:Partly implemented...

11 years ago

The "system info" and the errors.log page is only accessible for Admins. The structure of the file itself will be changed into a valid php file.

Doing any more right checks would be too much of an effort. Adding an valid header to the file... Well... I mean... The error.log parsing is already... well... I mean it's just a fucking log file!

I will fix the readability by:
  • adding <?php at the beginning
  • starting all lines with #
That's it. I think we have a lot more to do than adding a valid header to the errors.log file ;-)

madlyr:Reply to Partly implemented...

11 years ago

put onlu utf-8 without getting it from user, some text/user names are stored in log in utf-8. Please :-) ;-).

binder:didn't want to make any trouble

11 years ago

but adding the code in my first comment just sends the browser to the starting page. Thus users without mod_rewrite don't get exposed to this kind of security hole. And all you have to do is skip first line with parsing for admin-info...

pixtur:Overlooked location header...

11 years ago

Hi Binder,
agreed. You solution is better. I will do it, as you suggested. Thanks for pointing it out again.