Internal errors are usually hidden from users by various measures. I will give a primitive example so that the essence of the question is clearer.

    <?php
    $rand = rand(0, 1);
    if ($rand == 1) {
        $arr = ['a', 'b', 'c'];
    }
    printElements($arr); // $arr is undefined when $rand is 0

    function printElements(array $array)
    {
        foreach ($array as $value) {
            echo "$value<br/>";
        }
    }

In this case, if $rand is 1, the script will run without errors. If it is 0, the user will see something along the lines of the following in the browser:

    Fatal error: Uncaught TypeError: Argument 1 passed to printElements() must be of the type array, null given, called in /path/to/my/project/dir/index.php on line 5 and defined in /path/to/my/project/dir/index.php:12
    Stack trace:
    #0 /path/to/my/project/dir/index.php(5): printElements(NULL)
    #1 {main}
      thrown in /path/to/my/project/dir/index.php on line 12

Now the user knows the absolute path to the file, its name, the name of the class (if any) and the method in which the exception occurred.

Such errors can be caught with an ordinary try...catch, that much is clear.

Now, the question itself. Do I need to go to great lengths to catch errors that reveal absolute paths to files? What does this threaten in terms of security? How critical is it, and how can intruders take advantage of it?

    2 answers

    In itself, disclosing the full path is a “flaw” rather than a dangerous vulnerability.

    But it is very important to understand that many critical vulnerabilities in a given system are made up of a combination of the flaws present. Such shortcomings can be relatively harmless by themselves but, in combination with each other, lead to sad consequences.

    For example, the disclosure of absolute paths makes cases of LFI or SQL injection (using load_file) more dangerous by several orders of magnitude. After all, there is no longer any need to guess the paths: knowing the location of the files allows one to dump the application's source code, download user files, and perhaps even get a shell on the attacked server.

    In principle, one can imagine cases where the only thing standing between a vulnerability with relatively small impact and full control of the server is precisely the full path disclosure.

      And why show exceptions on production at all?

      You should catch them, for example, with the set_exception_handler function:

          // "Текст ошибки" means "Error text"
          set_exception_handler(function ($exception) {
              echo "Текст ошибки: ", $exception->getMessage(), "\n";
          });

      Now users will only see that something happened, and you should log the trace and examine what happened in the logs.

      • There are plenty of ways to hide errors - from the ubiquitous validity checks on the data all the way to the example you gave - but my question was about how safe it is to expose absolute paths. What can happen if someone sees such details? - nikitar
      • @nikitar, it depends on who sees it; in any case, this is bad for the site and for how it is regarded. - Yaroslav Molchan
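A fuller version of the approach in the second answer, added here as an example and not code from the question or either answer. It puts the question's own snippet under a production error setup: PHP's error output is kept off the browser, every uncaught error goes to a log with its full trace, and the client receives only a generic message with a correlation id. Note that the answer's handler echoes getMessage(), and a TypeError message itself embeds "called in /absolute/path", so the handler below deliberately does not show it. The constants APP_ENV and ERROR_LOG_PATH and the log path are assumptions for the example.

```php
<?php
// Added example, not from the original question or answers.
// Assumptions: PHP 7+, this file is the front controller; APP_ENV and
// ERROR_LOG_PATH are placeholders to be set from your deployment.
declare(strict_types=1);

const APP_ENV = 'production';
const ERROR_LOG_PATH = '/var/log/myapp/php-error.log'; // placeholder path

// 1. Keep PHP's own error output away from the browser on production.
//    Weak setting (common on dev boxes): display_errors=On, which prints
//    "Fatal error: ... in /path/to/index.php on line 12" to the client.
ini_set('display_errors', APP_ENV === 'production' ? '0' : '1');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', ERROR_LOG_PATH);
error_reporting(E_ALL);

// 2. Promote warnings/notices (e.g. "Undefined variable") to exceptions so
//    that the single handler below sees them as well.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false; // honour the @ operator
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// 3. One place decides what the user sees and what goes to the log. The
//    message and trace (which contain absolute paths) go to the log only;
//    the client gets an opaque reference id it can quote to support.
function handleUncaught(Throwable $e): void
{
    $ref = bin2hex(random_bytes(8)); // correlation id, safe to show
    error_log(sprintf(
        "[%s] %s: %s in %s:%d\nStack trace:\n%s",
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        $e->getTraceAsString()
    ));

    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/plain; charset=utf-8');
    }
    // No getMessage() here: it may embed "called in /absolute/path".
    echo "Something went wrong. Reference: {$ref}\n";
}
set_exception_handler('handleUncaught');

// 4. Fatal errors that are not exceptions (memory exhaustion, parse errors
//    in included files) bypass set_exception_handler; a shutdown function
//    gives them the same treatment.
register_shutdown_function(function (): void {
    $err = error_get_last();
    $fatal = [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR];
    if ($err !== null && in_array($err['type'], $fatal, true)) {
        handleUncaught(new ErrorException($err['message'], 0, $err['type'], $err['file'], $err['line']));
    }
});

// --- the question's snippet, unchanged, running under this setup ---
function printElements(array $array): void
{
    foreach ($array as $value) {
        echo "$value<br/>";
    }
}

$rand = rand(0, 1);
if ($rand == 1) {
    $arr = ['a', 'b', 'c'];
}
// With $rand == 0 the undefined-variable error (and the TypeError behind it)
// is written to ERROR_LOG_PATH; the browser sees only the generic message.
printElements($arr);
```

Setting display_errors with ini_set only takes effect once this script is running, so a parse error in this very file would still be reported according to php.ini; on production, set display_errors=Off and log_errors=On in php.ini (or the pool configuration) as well, and treat the runtime settings above as a second layer. A quick check after deployment is to request a page that is known to fail and confirm the response body contains neither the document root nor "on line".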