Add logic to rename insecure CONFIG_PATH

Lucas Savva 2019-12-24 18:50:49 +00:00
parent 13fb849973
commit d5d13fa831


@ -104,11 +104,21 @@ class Configuration
$config = array(); $config = array();
$basePath = PATH . 'cfg' . DIRECTORY_SEPARATOR; $basePath = PATH . 'cfg' . DIRECTORY_SEPARATOR;
$configIni = $basePath . 'conf.ini'; $configIni = $basePath . 'conf.ini';
$configFile = $basePath . 'conf.php';
if (getenv('CONFIG_PATH') !== false) { if (getenv('CONFIG_PATH') !== false) {
$configFile = getenv('CONFIG_PATH'); $configFile = getenv('CONFIG_PATH');
} else {
$configFile = $basePath . 'conf.php'; // Rename INI files to avoid configuration leakage
if (
strtolower(substr($configFile, -3, 3)) == 'ini' &&
is_readable($configFile) &&
is_writable(dirname($configFile))
) {
$oldConfigFile = $configFile;
$configFile = substr($configFile, 0, -3) . 'php';
DataStore::prependRename($oldConfigFile, $configFile, ';');
}
} }
// rename INI files to avoid configuration leakage // rename INI files to avoid configuration leakage