sec(Utils) Sensitive Data Exposure: file path

tsolucio · Oct 31, 2021 · c05cdd5 · c05cdd5
1 parent 4441365
commit c05cdd5
Showing 1 changed file with 14 additions and 11 deletions.
diff --git a/include/utils/CommonUtils.php b/include/utils/CommonUtils.php
@@ -3306,11 +3306,11 @@ function checkFileAccessForInclusion($filepath) {
 			echo '<pre>';
 			debug_print_backtrace();
 			echo '</pre>';
+			echo 'We are looking for this file path: '.htmlspecialchars($filepath, ENT_QUOTES, $default_charset).'<br>';
+			echo 'We are looking here:<br> Real file path: '.htmlspecialchars($realfilepath, ENT_QUOTES, $default_charset).'<br>';
+			echo 'Root dir path: '.htmlspecialchars($rootdirpath, ENT_QUOTES, $default_charset).'<br>';
 		}
-		echo 'Sorry! Attempt to access restricted file.<br>';
-		echo 'We are looking for this file path: '.htmlspecialchars($filepath, ENT_QUOTES, $default_charset).'<br>';
-		echo 'We are looking here:<br> Real file path: '.htmlspecialchars($realfilepath, ENT_QUOTES, $default_charset).'<br>';
-		echo 'Root dir path: '.htmlspecialchars($rootdirpath, ENT_QUOTES, $default_charset).'<br>';
+		echo 'Attempt to access restricted file.';
 		die();
 	}
 }
@@ -3341,20 +3341,23 @@ function checkFileAccessForDeletion($filepath) {
 
 	if (stripos($realfilepath, $rootdirpath) !== 0 || !in_array($filePathParts[0], $safeDirectories)) {
 		global $default_charset;
-		echo 'Sorry! Attempt to access restricted file.<br>';
-		echo 'We are looking for this file path: '.htmlspecialchars($filepath, ENT_QUOTES, $default_charset).'<br>';
-		echo 'We are looking here:<br> Real file path: '.htmlspecialchars($realfilepath, ENT_QUOTES, $default_charset).'<br>';
-		echo 'Root dir path: '.htmlspecialchars($rootdirpath, ENT_QUOTES, $default_charset).'<br>';
+		if (GlobalVariable::getVariable('Debug_Access_Restricted_File', 0)) {
+			echo '<pre>';
+			debug_print_backtrace();
+			echo '</pre>';
+			echo 'We are looking for this file path: '.htmlspecialchars($filepath, ENT_QUOTES, $default_charset).'<br>';
+			echo 'We are looking here:<br> Real file path: '.htmlspecialchars($realfilepath, ENT_QUOTES, $default_charset).'<br>';
+			echo 'Root dir path: '.htmlspecialchars($rootdirpath, ENT_QUOTES, $default_charset).'<br>';
+		}
+		echo 'Attempt to access restricted file.';
 		die();
 	}
 }
 
 /** Function to check the file access is made within web root directory. */
 function checkFileAccess($filepath) {
 	if (!isInsideApplication($filepath)) {
-		global $default_charset;
-		echo 'Sorry! Attempt to access restricted file.<br>';
-		echo 'We are looking for this file path: '.htmlspecialchars($filepath, ENT_QUOTES, $default_charset).'<br>';
+		echo 'Attempt to access restricted file.<br>';
 		die();
 	}
 }