From 73764a5de7f81854d90b696a01675cd032948933 Mon Sep 17 00:00:00 2001
From: demeritcowboy
Date: Thu, 20 Jul 2023 15:28:14 -0400
Subject: [PATCH] add explanatory comment
---
 CRM/Utils/Check/Component/Security.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/CRM/Utils/Check/Component/Security.php b/CRM/Utils/Check/Component/Security.php
index d23e5689e4..0605cdb40c 100644
--- a/CRM/Utils/Check/Component/Security.php
+++ b/CRM/Utils/Check/Component/Security.php
@@ -414,6 +414,12 @@ class CRM_Utils_Check_Component_Security extends CRM_Utils_Check_Component {
 return FALSE;
 }
+ // Since this can be confusing as to how this works:
+ // $url corresponds to $dir not $file, but we're not checking if we can
+ // retrieve $file, we're checking if retrieving $url gives us a LISTING of
+ // the files in $dir. So $content is that listing, and then the stristr
+ // is checking if $file, which is the bare filename (e.g. "delete-this-123")
+ // is contained in that listing (which would be undesirable).
 $content = '';
 try {
 $response = (new \GuzzleHttp\Client())->request('GET', $url, [
--
2.25.1
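Review bot: The added comment ends on "(which would be undesirable)" without naming the exposure the check is testing for, so a reader still has to infer why a listing of $dir matters. I would close it with a line such as `// A match means the web server is serving an index of $dir, so its filenames are visible to whoever can fetch $url.` and shorten the opening line to `// How this check works:`. The enclosing method starts and ends outside the hunk, so the stristr call and the request options the comment describes are not visible here and the wording should be confirmed against them.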