danielmarschall / oidplus

OIDplus 2.0 - An OpenSource online Registration Authority for OIDs and other Object Types
https://www.oidplus.com
Apache License 2.0

Calling *.class.php files causes PHP error #4

Closed danielmarschall closed 1 year ago

danielmarschall commented 1 year ago

Example:

https://..../oidplus/plugins/viathinksoft/auth/A1_phpgeneric_salted_hex/OIDplusAuthPluginPhpGenericSaltedHex.class.php

If PHP outputs errors, the path of the server file will be shown => Security risk

In any case, the server error log gets filled with errors.

We probably need to go back to the old behavior of adding a constant "INSIDE_OIDPLUS" and checking if this constant exists??

danielmarschall commented 1 year ago

Joomla does this:

// phpcs:disable PSR1.Files.SideEffects
\defined('_JEXEC') or die;
// phpcs:enable PSR1.Files.SideEffects

see https://github.com/joomla/joomla-cms/blob/4.2-dev/components/com_contact/src/Model/FeaturedModel.php

danielmarschall commented 1 year ago

TODO:

  1. Add INSIDE_OIDPLUS in oidplus.inc.php again (Positive side effect: This makes old versions of 3p-plugins work again https://github.com/tushev/uitweaks-oidplus-plugin/blob/main/plugins/tushevorg/publicPages/2000_uitweaks/OIDplusPagePublicUITweaks.class.php#L27 )

  2. Add the following line to all *.class.php files (also all 3rd party plugins).

// phpcs:disable PSR1.Files.SideEffects
\defined('INSIDE_OIDPLUS') or die;
// phpcs:enable PSR1.Files.SideEffects

danielmarschall commented 1 year ago

Fixed in SVN Rev 1086
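
Step 2 of the TODO in this thread only closes the path disclosure if every `*.class.php` file, third-party plugins included, carries the guard before its first declaration. The audit below is an added example, not part of the issue thread or of OIDplus; the accepted guard variants, the function names and the constructed sample tree are assumptions made here.

```python
import re
import tempfile
from pathlib import Path

# The guard proposed in the thread: \defined('INSIDE_OIDPLUS') or die;
# Variants accepted here are this example's assumption: optional leading
# backslash, either quote style, "or" / "||", "die" / "exit".
GUARD_RE = re.compile(
    r"""\\?defined\(\s*['"]INSIDE_OIDPLUS['"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b""",
    re.IGNORECASE,
)
# First declaration in the file; the guard has to run before it.
DECL_RE = re.compile(r"^\s*(?:(?:abstract|final)\s+)*(?:class|interface|trait)\s+\w+", re.M)
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)


def has_guard(php_source: str) -> bool:
    """True if the guard appears outside comments, before the first declaration."""
    code = COMMENT_RE.sub("", php_source)
    decl = DECL_RE.search(code)
    head = code[: decl.start()] if decl else code
    return GUARD_RE.search(head) is not None


def unguarded_class_files(root: Path) -> list[str]:
    """Relative paths of *.class.php files under root that lack the guard."""
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*.class.php")
        if not has_guard(p.read_text(encoding="utf-8", errors="replace"))
    )


def demo() -> list[str]:
    """Run the audit over a small constructed plugin tree (sample data)."""
    guard = "// phpcs:disable PSR1.Files.SideEffects\n\\defined('INSIDE_OIDPLUS') or die;\n"
    samples = {
        "plugins/a/Guarded.class.php": "<?php\n" + guard + "class Guarded {}\n",
        "plugins/b/Missing.class.php": "<?php\nclass Missing extends Base {}\n",
        "plugins/c/Commented.class.php": "<?php\n// defined('INSIDE_OIDPLUS') or die;\nclass C {}\n",
        "plugins/d/Late.class.php": "<?php\nclass L extends B {}\ndefined('INSIDE_OIDPLUS') or die;\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, src in samples.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(src, encoding="utf-8")
        return unguarded_class_files(root)
```

Run against a checkout, a non-empty result from `unguarded_class_files()` can fail a pre-commit or CI step, so a newly added plugin file without the guard is caught before release.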