From: demeritcowboy
Date: Thu, 20 Jul 2023 19:28:14 +0000 (-0400)
Subject: add explanatory comment
X-Git-Url: https://vcs.fsf.org/?a=commitdiff_plain;h=73764a5de7f81854d90b696a01675cd032948933;p=civicrm-core.git
add explanatory comment
---
diff --git a/CRM/Utils/Check/Component/Security.php b/CRM/Utils/Check/Component/Security.php
index d23e5689e4..0605cdb40c 100644
--- a/CRM/Utils/Check/Component/Security.php
+++ b/CRM/Utils/Check/Component/Security.php
@@ -414,6 +414,12 @@ class CRM_Utils_Check_Component_Security extends CRM_Utils_Check_Component {
 return FALSE;
 }
 
+ // Since this can be confusing as to how this works:
+ // $url corresponds to $dir not $file, but we're not checking if we can
+ // retrieve $file, we're checking if retrieving $url gives us a LISTING of
+ // the files in $dir. So $content is that listing, and then the stristr
+ // is checking if $file, which is the bare filename (e.g. "delete-this-123")
+ // is contained in that listing (which would be undesirable).
 $content = '';
 try {
 $response = (new \GuzzleHttp\Client())->request('GET', $url, [
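Review bot: The added comment explains the mechanics of the check but ends at "(which would be undesirable)" without saying what a match means for the site, which is what a maintainer reading a security check needs most. Consider closing it with `// A match means the web server returns a directory index for $dir, so the names of files stored there can be enumerated.` The opening line "Since this can be confusing as to how this works:" carries no information and can be dropped so the comment starts with the fact about `$url`. The try block that follows continues past the end of the hunk, so how a failed or non-200 response is classified cannot be judged from here; if it is treated as "no listing", that assumption deserves a line in the same comment.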