From 9c0f75fd65e51212f5ef61e901420ea2f14a7a38 Mon Sep 17 00:00:00 2001
From: Andreas Fischer
Date: Mon, 19 Sep 2011 16:57:09 +0200
Subject: [PATCH 1/8] [ticket/10370] Use phpbb_filter_root_path() in get_backtrace().
PHPBB3-10370
---
 phpBB/includes/functions.php | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index e01bbe36d1..c2c8e489df 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -3391,11 +3391,8 @@ function add_log()
 */
 function get_backtrace()
 {
- global $phpbb_root_path;
-
 $output = '
';
 $backtrace = debug_backtrace();
- $path = phpbb_realpath($phpbb_root_path);
 foreach ($backtrace as $number => $trace)
 {
@@ -3406,15 +3403,7 @@ function get_backtrace()
 }
 // Strip the current directory from path
- if (empty($trace['file']))
- {
- $trace['file'] = '';
- }
- else
- {
- $trace['file'] = str_replace(array($path, '\\'), array('', '/'), $trace['file']);
- $trace['file'] = substr($trace['file'], 1);
- }
+ $trace['file'] = (empty($trace['file'])) ? '' : phpbb_filter_root_path($trace['file']);
 $args = array();
 // If include/require/include_once is not called, do not show arguments - they may contain sensible information
@@ -3428,8 +3417,7 @@ function get_backtrace()
 if (!empty($trace['args'][0]))
 {
 $argument = htmlspecialchars($trace['args'][0]);
- $argument = str_replace(array($path, '\\'), array('', '/'), $argument);
- $argument = substr($argument, 1);
+ $argument = phpbb_filter_root_path($argument);
 $args[] = "'{$argument}'";
 }
 }
From 12530a763b436c3d01d2668999dc343a95926389 Mon Sep 17 00:00:00 2001
From: Andreas Fischer
Date: Mon, 19 Sep 2011 16:58:25 +0200
Subject: [PATCH 2/8] [ticket/10370] Use unset() on the first backtrace instead of checking in loop.
PHPBB3-10370
---
 phpBB/includes/functions.php | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index c2c8e489df..b203dcbea3 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -3394,14 +3394,11 @@ function get_backtrace()
 $output = '
';
 $backtrace = debug_backtrace();
- foreach ($backtrace as $number => $trace)
- {
- // We skip the first one, because it only shows this file/function
- if ($number == 0)
- {
- continue;
- }
+ // We skip the first one, because it only shows this file/function
+ unset($backtrace[0]);
+ foreach ($backtrace as $trace)
+ {
 // Strip the current directory from path
 $trace['file'] = (empty($trace['file'])) ? '' : phpbb_filter_root_path($trace['file']);
 $args = array();
From 0df7e5eefa245559d3a1e1c0318fba0011513a9c Mon Sep 17 00:00:00 2001
From: Andreas Fischer
Date: Mon, 19 Sep 2011 17:07:06 +0200
Subject: [PATCH 3/8] [ticket/10370] Ease up code checking for arguments of include etc.
PHPBB3-10370
---
 phpBB/includes/functions.php | 21 +++++++--------------
 1 file changed, 7 insertions(+), 14 deletions(-)
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index b203dcbea3..5f90093bd0 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -3401,22 +3401,15 @@ function get_backtrace()
 {
 // Strip the current directory from path
 $trace['file'] = (empty($trace['file'])) ? '' : phpbb_filter_root_path($trace['file']);
- $args = array();
- // If include/require/include_once is not called, do not show arguments - they may contain sensible information
- if (!in_array($trace['function'], array('include', 'require', 'include_once')))
+ // Only show function arguments for include etc.
+ // Other parameters may contain sensible information
+ $args = array();
+ if (!empty($trace['args'][0]) && in_array($trace['function'], array('include', 'require', 'include_once')))
 {
- unset($trace['args']);
- }
- else
- {
- // Path...
- if (!empty($trace['args'][0]))
- {
- $argument = htmlspecialchars($trace['args'][0]);
- $argument = phpbb_filter_root_path($argument);
- $args[] = "'{$argument}'";
- }
+ $argument = htmlspecialchars($trace['args'][0]);
+ $argument = phpbb_filter_root_path($argument);
+ $args[] = "'{$argument}'";
 }
 $trace['class'] = (!isset($trace['class'])) ? '' : $trace['class'];
From 7965387201c86a7d56ae8974ca1eaaba68d4e30d Mon Sep 17 00:00:00 2001
From: Andreas Fischer
Date: Mon, 19 Sep 2011 17:15:31 +0200
Subject: [PATCH 4/8] [ticket/10370] Use single string instead of an array for arguments.
PHPBB3-10370
---
 phpBB/includes/functions.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 5f90093bd0..df5a05f53b 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
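Review bot: The second added comment misstates why arguments are withheld: `// Other parameters may contain sensible information` should read `// Other parameters may contain sensitive information`, since the point is that arbitrary call arguments must not be rendered into the HTML backtrace. The same wording is carried unchanged into the hunks of patches 4, 5 and 6 of this series, so fixing it here keeps those hunks consistent. The enclosing foreach starts and ends outside the hunk.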
@@ -3404,12 +3404,11 @@ function get_backtrace()
 // Only show function arguments for include etc.
 // Other parameters may contain sensible information
- $args = array();
+ $argument = '';
 if (!empty($trace['args'][0]) && in_array($trace['function'], array('include', 'require', 'include_once')))
 {
 $argument = htmlspecialchars($trace['args'][0]);
 $argument = phpbb_filter_root_path($argument);
- $args[] = "'{$argument}'";
 }
 $trace['class'] = (!isset($trace['class'])) ? '' : $trace['class'];
@@ -3419,7 +3418,8 @@ function get_backtrace()
 $output .= 'FILE: ' . htmlspecialchars($trace['file']) . '
';
 $output .= 'LINE: ' . ((!empty($trace['line'])) ? $trace['line'] : '') . '
';
- $output .= 'CALL: ' . htmlspecialchars($trace['class'] . $trace['type'] . $trace['function']) . '(' . ((sizeof($args)) ? implode(', ', $args) : '') . ')
';
+ $output .= 'CALL: ' . htmlspecialchars($trace['class'] . $trace['type'] . $trace['function']);
+ $output .= '(' . (($argument !== '') ? "'$argument'" : '') . ')
';
 }
 $output .= '
';
 return $output;
From 8a84f42f7df73f579ad28272c116efc1de3b1651 Mon Sep 17 00:00:00 2001
From: Andreas Fischer
Date: Mon, 19 Sep 2011 17:15:58 +0200
Subject: [PATCH 5/8] [ticket/10370] Add require_once to whitelisted functions.
PHPBB3-10370
---
 phpBB/includes/functions.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index df5a05f53b..105f2d5fa0 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -3405,7 +3405,7 @@ function get_backtrace()
 // Only show function arguments for include etc.
 // Other parameters may contain sensible information
 $argument = '';
- if (!empty($trace['args'][0]) && in_array($trace['function'], array('include', 'require', 'include_once')))
+ if (!empty($trace['args'][0]) && in_array($trace['function'], array('include', 'require', 'include_once', 'require_once')))
 {
 $argument = htmlspecialchars($trace['args'][0]);
 $argument = phpbb_filter_root_path($argument);
From 19ce73c88496ca76342c2a07c1b01dc25392c6ff Mon Sep 17 00:00:00 2001
From: Andreas Fischer
Date: Mon, 19 Sep 2011 17:20:11 +0200
Subject: [PATCH 6/8] [ticket/10370] Call htmlspecialchars() after phpbb_filter_root_path().
PHPBB3-10370
---
 phpBB/includes/functions.php | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index 105f2d5fa0..ef13b74f0c 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -3407,8 +3407,7 @@ function get_backtrace()
 $argument = '';
 if (!empty($trace['args'][0]) && in_array($trace['function'], array('include', 'require', 'include_once', 'require_once')))
 {
- $argument = htmlspecialchars($trace['args'][0]);
- $argument = phpbb_filter_root_path($argument);
+ $argument = htmlspecialchars(phpbb_filter_root_path($trace['args'][0]));
 }
 $trace['class'] = (!isset($trace['class'])) ? '' : $trace['class'];
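Review bot: The extended whitelist on the changed line still calls `in_array()` without the strict flag; `$trace['function']` from debug_backtrace() is a string, so loose comparison happens to be safe today, but `in_array($trace['function'], array('include', 'require', 'include_once', 'require_once'), true)` states the intent and removes any dependence on loose-comparison rules for a check that gates what gets rendered. The enclosing foreach starts and ends outside the hunk.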
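Review bot: The combined call on the added line escapes with htmlspecialchars()'s default flags, while the value is later emitted wrapped in single quotes as `"'$argument'"`; on PHP versions before 8.1 the default flag set does not convert `'`, so an include path containing a single quote would end the quoted display early. Passing the flag, `$argument = htmlspecialchars(phpbb_filter_root_path($trace['args'][0]), ENT_QUOTES);`, keeps the quoted form intact. This is presentational rather than an injection concern, because the value lands in element text and not in an attribute. The enclosing foreach starts and ends outside the hunk.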
From fc2af460ee2112ee5bcbd8076441ebcf8aea9513 Mon Sep 17 00:00:00 2001
From: Andreas Fischer
Date: Mon, 19 Sep 2011 17:33:18 +0200
Subject: [PATCH 7/8] [ticket/10370] Explain that we are not the ones hiding backtrace pieces.
Taken from 2db54cf7e809e731e4440377bcc06e2aa05f190d.
PHPBB3-10370
---
 phpBB/includes/functions.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index ef13b74f0c..d77517f2da 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -3400,7 +3400,8 @@ function get_backtrace()
 foreach ($backtrace as $trace)
 {
 // Strip the current directory from path
- $trace['file'] = (empty($trace['file'])) ? '' : phpbb_filter_root_path($trace['file']);
+ $trace['file'] = (empty($trace['file'])) ? '(not given by php)' : htmlspecialchars(phpbb_filter_root_path($trace['file']));
+ $trace['line'] = (empty($trace['line'])) ? '(not given by php)' : $trace['line'];
 // Only show function arguments for include etc.
 // Other parameters may contain sensible information
@@ -3414,7 +3415,7 @@ function get_backtrace()
 $trace['type'] = (!isset($trace['type'])) ? '' : $trace['type'];
 $output .= '
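Review bot: Once the second added line defaults `$trace['line']` to `'(not given by php)'`, the `LINE:` output in this commit's second hunk still guards with `((!empty($trace['line'])) ? $trace['line'] : '')`, a branch that can no longer be taken; that line should drop the ternary and emit `'LINE: ' . $trace['line']` followed by the same line-break markup, mirroring what the second hunk already does for `FILE:`. The comment `// Strip the current directory from path` above the changed lines also now understates what happens, since the path is HTML-escaped and both file and line receive a placeholder; `// Strip the root path and escape it; substitute a placeholder where PHP gives no file/line` would describe the new code. The enclosing foreach continues outside the hunk.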
';
- $output .= 'FILE: ' . htmlspecialchars($trace['file']) . '
';
+ $output .= 'FILE: ' . $trace['file'] . '
';
 $output .= 'LINE: ' . ((!empty($trace['line'])) ? $trace['line'] : '') . '
';
 $output .= 'CALL: ' . htmlspecialchars($trace['class'] . $trace['type'] . $trace['function']);
From 79ad3a3f326f760fb2930b16533c46efc872dae2 Mon Sep 17 00:00:00 2001
From: Andreas Fischer
Date: Mon, 19 Sep 2011 17:45:32 +0200
Subject: [PATCH 8/8] [ticket/10370] Add function documentation for get_stacktrace().
PHPBB3-10370
---
 phpBB/includes/functions.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/phpBB/includes/functions.php b/phpBB/includes/functions.php
index d77517f2da..c2b099d48a 100644
--- a/phpBB/includes/functions.php
+++ b/phpBB/includes/functions.php
@@ -3387,7 +3387,12 @@ function add_log()
 }
 /**
-* Return a nicely formatted backtrace (parts from the php manual by diz at ysagoon dot com)
+* Return a nicely formatted backtrace.
+*
+* Turns the array returned by debug_backtrace() into HTML markup.
+* Also filters out absolute paths to phpBB root.
+*
+* @return string HTML markup
 */
 function get_backtrace()
 {
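Review bot: The new docblock leaves out the two properties a reader of the generated HTML most needs to know: the file path, call name and include argument are passed through htmlspecialchars() before being placed in the markup, and call arguments are deliberately omitted for every frame except include/require-family calls because other arguments may carry sensitive data. Adding `* Arguments are shown only for include/require calls; other arguments may hold sensitive data and are omitted.` and `* All values placed into the markup are HTML-escaped.` before the `@return` tag would capture that contract. The subject line refers to get_stacktrace() while the documented function is get_backtrace().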