refactor(htdocs): use http_response_code(404) for direct-access guards #1688
mambax7 merged 18 commits into XOOPS:master from
Replace legacy manual 404 status-line headers under /htdocs with http_response_code(404), including simple index.php direct-access guards, request handlers that return 404, and the code paths that generate new guard files. This removes hardcoded HTTP/1.0 and HTTP/1.1 status lines, drops redundant "Status: 404 Not Found" headers, and lets PHP emit the correct response status for the active SAPI.
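An added example, not part of the pull request or the XOOPS code base: a small Python audit that walks a source tree and reports PHP files still emitting the hardcoded 404 status line or the redundant `Status:` header described above, including guards embedded in string literals by generator code. The file names and contents in `SAMPLE_TREE`, and the function names, are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# The two legacy forms named in the PR description. The optional backslash
# before the quote also catches a guard that generator code embeds in a
# single-quoted PHP string literal (header(\'HTTP/1.0 404 ...\')).
LEGACY_PATTERNS = {
    "status-line": re.compile(r"""header\s*\(\s*\\?['"]HTTP/1\.[01]\s+404\b""", re.I),
    "status-header": re.compile(r"""header\s*\(\s*\\?['"]Status:\s*404\b""", re.I),
}


def scan_source(source):
    """Return [(line_number, kind), ...] for each legacy 404 header found."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in LEGACY_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, kind))
    return findings


def audit_tree(root):
    """Map each *.php file under root that has legacy headers to its findings."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.php")):
        source = path.read_text(encoding="utf-8", errors="replace")
        findings = scan_source(source)
        if findings:
            report[path.relative_to(root).as_posix()] = findings
    return report


# Constructed sample tree (hypothetical paths and contents, not XOOPS files):
# one legacy guard, one migrated guard, one request handler that sends both
# legacy headers, and one generator that writes a legacy guard into new files.
SAMPLE_TREE = {
    "modules/demo/index.php": "<?php\nheader('HTTP/1.0 404 Not Found');\n",
    "modules/demo/css/index.php": "<?php\nhttp_response_code(404);\n",
    "handler.php": (
        "<?php\n"
        "if (!$ok) {\n"
        '    header("HTTP/1.1 404 Not Found");\n'
        '    header("Status: 404 Not Found");\n'
        "    exit;\n"
        "}\n"
    ),
    "generator.php": (
        "<?php\n"
        "file_put_contents($dir . '/index.php', "
        "'<?php header(\\'HTTP/1.0 404 Not Found\\');');\n"
    ),
}


def run_demo():
    """Write SAMPLE_TREE to a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in SAMPLE_TREE.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text, encoding="utf-8")
        return audit_tree(tmp)


if __name__ == "__main__":
    for rel, findings in run_demo().items():
        for lineno, kind in findings:
            print(f"{rel}:{lineno}: legacy 404 {kind}")
```

Run against a checkout, `audit_tree("htdocs")` returning an empty dict means no legacy 404 headers of these two forms remain.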
Codecov Report

❌ Patch coverage is

Additional details and impacted files

```diff
@@ Coverage Diff @@
## master #1688 +/- ##
=============================================
+ Coverage 0 19.22% +19.22%
- Complexity 0 7584 +7584
=============================================
Files 0 621 +621
Lines 0 40091 +40091
=============================================
+ Hits 0 7709 +7709
- Misses 0 32382 +32382
```
Pull request overview
Refactors /htdocs direct-access guards and 404-returning code paths to use http_response_code(404) instead of emitting hard-coded HTTP status-line headers.
Changes:
- Replaced legacy `header('HTTP/1.0|1.1 404 Not Found')` guards across many `index.php` files with `http_response_code(404)`.
- Updated request handlers that return 404 (e.g., `browse.php`, `misc.php`, `image.php`) to use `http_response_code(404)`.
- Updated guard-file generation code paths to write `http_response_code(404)` into newly created `index.php` files.
Reviewed changes
Copilot reviewed 300 out of 542 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| htdocs/modules/system/css/code_mirror/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/system/class/maintenance.php | Write http_response_code(404) into generated index.php guard files. |
| htdocs/modules/system/class/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/system/blocks/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/system/admin/users/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/system/admin/userrank/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/system/admin/tplsets/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/system/admin/smilies/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/system/admin/preferences/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/system/admin/modulesadmin/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/system/admin/menus/index.php | Replace manual 404 status-line header with http_response_code(404) guard (keeps exit()). |
| htdocs/modules/system/admin/maintenance/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/system/admin/maintenance/dump/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/system/admin/mailusers/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/system/admin/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/system/admin/images/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/system/admin/groups/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/system/admin/comments/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/system/admin/blocksadmin/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/system/admin/banners/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/system/admin/avatars/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/protector/preloads/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/protector/preload/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/protector/language/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/protector/language/english/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/protector/language/english/help/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/protector/images/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/protector/docs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/protector/blocks/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/protector/assets/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/protector/assets/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/protector/assets/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/profile/templates/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/profile/sql/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/profile/preloads/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/profile/language/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/profile/language/english/mail_template/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/profile/language/english/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/profile/language/english/help/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/profile/include/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/profile/docs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/profile/class/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/profile/assets/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/profile/assets/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/profile/assets/images/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/profile/assets/images/actions/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/profile/assets/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/pm/templates/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/pm/sql/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/pm/preloads/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/pm/language/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/pm/language/english/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/pm/language/english/help/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/pm/include/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/pm/docs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/pm/class/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/pm/assets/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/pm/assets/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/pm/assets/images/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/pm/assets/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/debugbar/language/english/help/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/modules/debugbar/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/misc.php | Use http_response_code(404) for invalid action guard. |
| htdocs/media/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/media/font-awesome7/webfonts/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/media/font-awesome7/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/media/font-awesome7/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/media/font-awesome7/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/media/font-awesome6/webfonts/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/media/font-awesome6/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/media/font-awesome6/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/media/font-awesome6/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/media/font-awesome/scss/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/media/font-awesome/less/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/media/font-awesome/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/media/font-awesome/fonts/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/media/font-awesome/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/media/fine-uploader/placeholders/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/media/fine-uploader/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/language/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/language/english/mail_template/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/language/english/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/kernel/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/install/sql/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/install/language/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/install/language/english/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/install/include/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/install/class/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/install/assets/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/install/assets/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/install/assets/img/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/install/assets/fonts/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/install/assets/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/include/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/include/cp_functions.php | Write http_response_code(404) into generated index.php guard files. |
| htdocs/images/subject/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/images/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/images/icons/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/images/form/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/images/banners/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/image.php | Use http_response_code(404) in helper that terminates on invalid requests. |
| htdocs/custom_blocks/index.php | Replace manual 404 status-line header with http_response_code(404) guard (keeps exit). |
| htdocs/class/xoopsform/renderer/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopsform/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/utils/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/themes/simple/skins/o2k7/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/themes/simple/skins/o2k7/img/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/themes/simple/skins/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/themes/simple/skins/default/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/themes/simple/langs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/themes/simple/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/themes/simple/img/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/themes/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/themes/advanced/skins/o2k7/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/themes/advanced/skins/o2k7/img/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/themes/advanced/skins/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/themes/advanced/skins/highcontrast/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/themes/advanced/skins/default/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/themes/advanced/skins/default/img/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/themes/advanced/langs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/themes/advanced/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/themes/advanced/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/themes/advanced/img/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsquote/langs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsquote/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsquote/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsquote/img/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsmlcontent/langs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsmlcontent/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsmlcontent/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsmlcontent/img/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsmlcontent/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/langs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/img/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsemotions/langs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsemotions/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsemotions/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsemotions/img/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsemotions/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopscode/langs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopscode/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopscode/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopscode/img/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xhtmlxtras/langs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xhtmlxtras/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xhtmlxtras/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xhtmlxtras/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/wordcount/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/visualchars/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/visualblocks/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/visualblocks/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/template/langs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/template/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/template/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/template/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/table/langs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/table/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/table/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/table/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/tabfocus/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/style/langs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/style/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/style/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/style/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/spellchecker/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/spellchecker/img/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/spellchecker/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/searchreplace/langs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/searchreplace/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/searchreplace/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/searchreplace/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/save/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/print/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/preview/jscripts/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/preview/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/paste/langs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/paste/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/paste/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/pagebreak/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/noneditable/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/nonbreaking/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/media/langs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/media/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/media/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/media/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/lists/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/legacyoutput/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/layer/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/insertdatetime/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/inlinepopups/skins/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/inlinepopups/skins/clearlooks2/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/inlinepopups/skins/clearlooks2/img/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/inlinepopups/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/iespell/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/fullscreen/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/fullpage/langs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/fullpage/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/fullpage/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/fullpage/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/example_dependency/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/example/langs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/example/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/example/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/example/img/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/emotions/langs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/emotions/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/emotions/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/emotions/img/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/directionality/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/contextmenu/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/bbcode/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/autosave/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/autoresize/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/autolink/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/advlist/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/advlink/langs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/advlink/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/advlink/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/advlink/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/advimage/langs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/advimage/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/advimage/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/advimage/img/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/advimage/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/advhr/langs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/advhr/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/advhr/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/advhr/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/langs/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/jscripts/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/tinymce/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/language/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/tinymce/include/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/textarea/language/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/textarea/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/easymde/language/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/easymde/js/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/easymde/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/easymde/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/dhtmltextarea/language/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xoopseditor/dhtmltextarea/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xml/rss/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xml/rpc/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/xml/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/utility/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/textsanitizer/youtube/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/textsanitizer/wmp/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/textsanitizer/wiki/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/textsanitizer/ul/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/textsanitizer/textfilter/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/textsanitizer/syntaxhighlight/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/textsanitizer/soundcloud/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/textsanitizer/rtsp/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/textsanitizer/mp3/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/textsanitizer/mms/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/textsanitizer/li/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/textsanitizer/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/textsanitizer/image/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/textsanitizer/iframe/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/textsanitizer/censor/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/smarty3_plugins/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/model/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/mail/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/logger/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/file/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/database/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/captcha/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/captcha/image/scripts/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/captcha/image/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/captcha/image/fonts/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/captcha/image/backgrounds/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/cache/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/class/auth/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/cache/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/browse.php | Use http_response_code(404) on denied/invalid browse requests. |
| htdocs/Frameworks/textsanitizer/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/Frameworks/moduleclasses/moduleadmin/language/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/Frameworks/moduleclasses/moduleadmin/language/english/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/Frameworks/moduleclasses/moduleadmin/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/Frameworks/moduleclasses/moduleadmin/images/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/Frameworks/moduleclasses/moduleadmin/doc/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/Frameworks/moduleclasses/moduleadmin/css/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/Frameworks/moduleclasses/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/Frameworks/moduleclasses/icons/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/Frameworks/moduleclasses/icons/bookmarks/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/Frameworks/moduleclasses/icons/32/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/Frameworks/moduleclasses/icons/16/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/Frameworks/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/Frameworks/compat/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/Frameworks/compat/include/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| htdocs/Frameworks/art/index.php | Replace manual 404 status-line header with http_response_code(404) guard. |
| return false; | ||
| } | ||
| if (fwrite($file, "<?php\nheader('HTTP/1.0 404 Not Found');\n") == -1) { | ||
| if (fwrite($file, "<?php\nhttp_response_code(404);\n") == -1) { |
fwrite() returns the number of bytes written, or false on failure (not -1). This condition will never be true, so the error path won't run even if the write fails. Store the result and check === false (and optionally treat 0 as failure if you require at least 1 byte).
| if (fwrite($file, "<?php\nhttp_response_code(404);\n") == -1) { | |
| $bytesWritten = fwrite($file, "<?php\nhttp_response_code(404);\n"); | |
| if ($bytesWritten === false) { |
| function exit404BadReq() | ||
| { | ||
| header('HTTP/1.1 404 Not Found'); | ||
| http_response_code(404); | ||
| exit(); | ||
| } |
The function name exit404BadReq() is internally inconsistent: it suggests a 'Bad Request' (typically 400) while the implementation sets a 404. Consider renaming it to match the behavior (e.g., exit404() / exitNotFound()), or (if the intent really is 'bad request') changing the status code to 400.
Fix two incorrect fwrite() failure checks in htdocs/include/cp_functions.php by testing for false instead of -1, which is the actual PHP failure return value. Also rename exit404BadReq() to exitNotFound() in htdocs/image.php so the helper name matches its 404 behavior, and update the related docblock and call sites.
| $bytesWritten = fwrite($file, $content); | ||
| if ($bytesWritten === false) { | ||
| echo 'failed write file'; | ||
|
|
||
| fclose($file); | ||
|
|
||
| return false; | ||
| } |
fwrite() can return a partial byte count (including 0) without returning false. As written, partial writes will be treated as success and can generate truncated PHP/menu files. Treat 0 as failure when $content is non-empty, and/or loop until the full buffer is written (or switch to file_put_contents(..., LOCK_EX) for atomic full writes).
| closedir($dirHandle); | ||
| } | ||
| file_put_contents($dir . 'index.php', '<?php' . PHP_EOL . "header('HTTP/1.0 404 Not Found');" . PHP_EOL); | ||
| file_put_contents($dir . 'index.php', '<?php' . PHP_EOL . "http_response_code(404);" . PHP_EOL); |
This write doesn’t check for failure and doesn’t use LOCK_EX. If multiple maintenance runs overlap (or the filesystem is under pressure), you can end up with missing/partial guard files. Consider checking the return value and using file_put_contents(..., LOCK_EX) (or writing to a temp file and renaming) to make guard generation more reliable.
| file_put_contents($dir . 'index.php', '<?php' . PHP_EOL . "http_response_code(404);" . PHP_EOL); | |
| $guardFile = $dir . 'index.php'; | |
| $result = file_put_contents($guardFile, '<?php' . PHP_EOL . "http_response_code(404);" . PHP_EOL, LOCK_EX); | |
| if (false === $result) { | |
| trigger_error( | |
| \sprintf('Failed to write guard file: %s', basename($guardFile)), | |
| E_USER_WARNING | |
| ); | |
| } |
| @@ -1,2 +1,2 @@ | |||
| <?php | |||
| header('HTTP/1.0 404 Not Found'); | |||
| http_response_code(404); | |||
Many of these direct-access guard index.php files set the status code but don’t explicitly terminate. Adding exit; after http_response_code(404); makes the intent unambiguous and prevents any accidental output/side-effects if content is ever appended or the file is included.
| http_response_code(404); | |
| http_response_code(404); | |
| exit; |
| function exitNotFound() | ||
| { | ||
| header('HTTP/1.1 404 Not Found'); | ||
| http_response_code(404); | ||
| exit(); | ||
| } |
The helper is used for rejecting malformed/forbidden image requests (previously exit404BadReq). Renaming it to exitNotFound() is less descriptive and can be misleading (it’s not only for missing resources). Consider a name that preserves the intent of 'generic 404 for invalid/bad requests' (e.g., exitInvalidRequestNotFound() / exitBadRequestNotFound()), matching the docblock rationale.
Handle guard-file generation more robustly by switching the admin-menu and maintenance writers to file_put_contents(..., LOCK_EX) and verifying full-byte writes, preventing partial or truncated output from being treated as success. Standardize direct-access guard index.php files on http_response_code(404); followed by exit;, and rename image.php's generic invalid-request helper from exitNotFound() to exitInvalidRequest404() so the function name matches its actual purpose.
| header('HTTP/1.1 404 Not Found'); | ||
| http_response_code(404); | ||
| exit; | ||
| exit(); |
exit; and exit() are duplicated; the second call is unreachable and should be removed to avoid dead code and keep the guard minimal.
| exit(); |
| $bytesWritten = file_put_contents($filename, $content, LOCK_EX); | ||
| if ($bytesWritten !== strlen($content)) { | ||
| echo 'failed write file'; |
This error path now reports only “failed write file” even when the failure is an inability to create/open the file (previously a distinct “failed open file” branch existed). Consider checking ($bytesWritten === false) (or including both expected/actual values) and include basename($filename) in the message (ideally via trigger_error(..., E_USER_WARNING)) so failures are diagnosable without exposing full paths.
Note: Improve the htdocs guard-file write paths by distinguishing complete failure from short writes in htdocs/include/cp_functions.php and reporting the affected filename via trigger_error(..., E_USER_WARNING). Also remove the unreachable duplicate exit() from the two system menu guard index.php files, keeping the direct-access guards minimal and explicit with http_response_code(404); followed by a single exit;
| $result = file_put_contents($guardFile, $content, LOCK_EX); | ||
| if ($result !== strlen($content)) { | ||
| trigger_error(sprintf('Failed to write guard file: %s', basename($guardFile)), E_USER_WARNING); |
file_put_contents() returns false on failure and an int on success. Treating both partial writes and failures the same makes troubleshooting harder. Consider splitting this into if ($result === false) (failed write) and elseif ($result !== strlen($content)) (short write), and include the byte counts in the short-write warning to aid diagnosis.
| $result = file_put_contents($guardFile, $content, LOCK_EX); | |
| if ($result !== strlen($content)) { | |
| trigger_error(sprintf('Failed to write guard file: %s', basename($guardFile)), E_USER_WARNING); | |
| $expected = strlen($content); | |
| $result = file_put_contents($guardFile, $content, LOCK_EX); | |
| if ($result === false) { | |
| trigger_error(sprintf('Failed to write guard file: %s', basename($guardFile)), E_USER_WARNING); | |
| } elseif ($result !== $expected) { | |
| trigger_error(sprintf('Short write for guard file %s: wrote %d of %d bytes', basename($guardFile), $result, $expected), E_USER_WARNING); |
|
|
||
| $path = substr($path, -1) === '/' ? substr($path, 0, -1) : $path; | ||
| $filename = $path . '/index.php'; | ||
| $content = "<?php\nhttp_response_code(404);\nexit;\n"; |
This uses hardcoded \n line endings while other newly generated guard content in this PR uses PHP_EOL. Aligning on PHP_EOL would keep generated guard files consistent across the codebase and avoid mixed line endings in generated files.
| $content = "<?php\nhttp_response_code(404);\nexit;\n"; | |
| $content = '<?php' . PHP_EOL | |
| . 'http_response_code(404);' . PHP_EOL | |
| . 'exit;' . PHP_EOL; |
| * Many different issues end up here, so message is generic 404. This keeps us from leaking info by probing | ||
| */ | ||
| function exit404BadReq() | ||
| function exitInvalidRequest404() |
The new name is clearer than exit404BadReq(), but it’s still slightly awkward/duplicative (both 'exit' and '404' encode response intent). Consider a name like exitInvalidRequest() (since the implementation already sets 404) or exitInvalidRequestNotFound() to keep the meaning clear without the numeric suffix.
Split maintenance guard-file diagnostics into distinct failure and short-write warnings, align xoops_write_index_file() on PHP_EOL-based guard content generation, and rename the image.php helper from exitInvalidRequest404() to exitInvalidRequest() so the name stays clear without duplicating the 404 response detail already handled in the implementation.
| $guardFile = $dir . 'index.php'; | ||
| $content = '<?php' . PHP_EOL . "http_response_code(404);" . PHP_EOL . 'exit;' . PHP_EOL; | ||
| $expected = strlen($content); | ||
| $result = file_put_contents($guardFile, $content, LOCK_EX); | ||
| if ($result === false) { | ||
| trigger_error(sprintf('Failed to write guard file: %s', basename($guardFile)), E_USER_WARNING); | ||
| } elseif ($result !== $expected) { | ||
| trigger_error( | ||
| sprintf( | ||
| 'Short write for guard file %s: wrote %d of %d bytes', | ||
| basename($guardFile), | ||
| $result, | ||
| $expected | ||
| ), | ||
| E_USER_WARNING | ||
| ); | ||
| } |
The warnings use basename($guardFile), which will almost always be just index.php, making the message too ambiguous to diagnose (you can’t tell which directory failed). Consider including a sanitized, non-sensitive identifier for the directory (e.g., the last 1–2 path segments, or a path relative to a known base) while still avoiding full server paths.
| $expectedBytes = strlen($content); | ||
| $bytesWritten = file_put_contents($filename, $content, LOCK_EX); | ||
| if ($bytesWritten === false) { | ||
| trigger_error(sprintf('Failed to write file: %s', basename($filename)), E_USER_WARNING); | ||
|
|
||
| return false; | ||
| } | ||
| if (fwrite($file, $content) == -1) { | ||
| echo 'failed write file'; | ||
| if ($bytesWritten !== $expectedBytes) { | ||
| trigger_error( | ||
| sprintf( | ||
| 'Short write for %s: wrote %d of %d bytes', | ||
| basename($filename), | ||
| $bytesWritten, | ||
| $expectedBytes | ||
| ), | ||
| E_USER_WARNING | ||
| ); | ||
|
|
||
| return false; | ||
| } |
On a “short write”, the function returns false but leaves a partially-written output file behind. That can be worse than failing (e.g., a truncated adminmenu.php could break admin rendering). A more reliable approach is to write to a temporary file and rename() it into place (atomic on most filesystems), and/or delete the partial file on short-write before returning.
Harden the generated-file write paths under htdocs by staging content in a temporary sibling file and only replacing the destination after a successful full write, preventing truncated adminmenu.php and index.php outputs from being left behind. Also improve maintenance guard-file warnings to include a short relative path label instead of a bare basename so write failures can be traced to the affected directory without exposing full filesystem paths.
| $guardFile = $dir . 'index.php'; | ||
| $content = '<?php' . PHP_EOL . "http_response_code(404);" . PHP_EOL . 'exit;' . PHP_EOL; | ||
| $segments = array_values(array_filter(explode('/', str_replace('\\', '/', $guardFile)), 'strlen')); | ||
| $guardLabel = implode('/', array_slice($segments, -3)); | ||
| $expected = strlen($content); | ||
| $result = file_put_contents($guardFile, $content, LOCK_EX); | ||
| if ($result === false) { | ||
| trigger_error(sprintf('Failed to write guard file: %s', $guardLabel), E_USER_WARNING); | ||
| } elseif ($result !== $expected) { | ||
| trigger_error( | ||
| sprintf( | ||
| 'Short write for guard file %s: wrote %d of %d bytes', | ||
| $guardLabel, | ||
| $result, | ||
| $expected | ||
| ), | ||
| E_USER_WARNING | ||
| ); | ||
| } |
"$guardLabel" is derived from the full filesystem path and may still leak server path segments when the directory depth is shallow (e.g., /var/www/index.php -> var/www/index.php) via trigger_error(). Use a non-sensitive label (e.g., basename($guardFile) or a helper similar to the newly added xoops_file_label()), or derive a path relative to a known application root before logging.
| $guardFile = $dir . 'index.php'; | ||
| $content = '<?php' . PHP_EOL . "http_response_code(404);" . PHP_EOL . 'exit;' . PHP_EOL; | ||
| $segments = array_values(array_filter(explode('/', str_replace('\\', '/', $guardFile)), 'strlen')); | ||
| $guardLabel = implode('/', array_slice($segments, -3)); | ||
| $expected = strlen($content); | ||
| $result = file_put_contents($guardFile, $content, LOCK_EX); |
This reimplements “short label” creation + write/short-write checking logic that is very similar to what was added in htdocs/include/cp_functions.php (xoops_write_file_atomically() + label helper). To reduce duplication and keep behavior consistent, consider reusing a shared helper (e.g., move the atomic-write helpers to a common include that maintenance.php can safely load), or factor the write+warning logic into a single utility used by both call sites.
Move the maintenance guard-file warning logic into small private helpers so path labels are derived safely relative to XOOPS_ROOT_PATH, with basename fallback when a root-relative label cannot be produced. This removes the duplicated inline label/write-warning code from clearDirectory() and keeps maintenance guard-file diagnostics consistent without leaking full filesystem path fragments.
| $normalized = str_replace('\\', '/', $filename); | ||
| $segments = array_values(array_filter(explode('/', $normalized), 'strlen')); | ||
| $tail = array_slice($segments, -2); | ||
|
|
||
| return empty($tail) ? basename($filename) : implode('/', $tail); |
xoops_file_label() includes up to two path segments in warning messages (e.g., cache/adminmenu.php). Project guidance calls for using basename() to avoid leaking filesystem structure in errors. Consider returning only basename($filename) (or using a root-stripping approach like getWarningPathLabel() in maintenance) so warnings never expose directory names.
| $normalized = str_replace('\\', '/', $filename); | |
| $segments = array_values(array_filter(explode('/', $normalized), 'strlen')); | |
| $tail = array_slice($segments, -2); | |
| return empty($tail) ? basename($filename) : implode('/', $tail); | |
| return basename($filename); |
| if (file_exists($filename) && !@unlink($filename)) { | ||
| @unlink($tempFile); | ||
| trigger_error(sprintf('Failed to replace file: %s', $label), E_USER_WARNING); | ||
|
|
||
| return false; | ||
| } | ||
| if (!@rename($tempFile, $filename)) { | ||
| @unlink($tempFile); | ||
| trigger_error(sprintf('Failed to replace file: %s', $label), E_USER_WARNING); | ||
|
|
||
| return false; | ||
| } |
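Review bot: The unlink() failure branch and the rename() failure branch emit the identical warning 'Failed to replace file: %s', and both calls are silenced with @, so a log entry cannot show which step failed. Give each branch its own message, for example one naming the removal of the existing file and one naming the move of the temporary file into place, while still passing only $label so no full path is exposed.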
The atomic write helper can still drop the existing target file: if the first rename() fails, the code may unlink($filename) and then a second rename() can still fail, leaving no old file and no new file. To preserve reliability, avoid deleting the original until the replacement is guaranteed (e.g., rename original to a backup and restore it if the final rename fails).
| if (file_exists($filename) && !@unlink($filename)) { | |
| @unlink($tempFile); | |
| trigger_error(sprintf('Failed to replace file: %s', $label), E_USER_WARNING); | |
| return false; | |
| } | |
| if (!@rename($tempFile, $filename)) { | |
| @unlink($tempFile); | |
| trigger_error(sprintf('Failed to replace file: %s', $label), E_USER_WARNING); | |
| return false; | |
| } | |
| if (!file_exists($filename)) { | |
| @unlink($tempFile); | |
| trigger_error(sprintf('Failed to replace file: %s', $label), E_USER_WARNING); | |
| return false; | |
| } | |
| $backupFile = $tempFile . '.bak'; | |
| if (!@rename($filename, $backupFile)) { | |
| @unlink($tempFile); | |
| trigger_error(sprintf('Failed to replace file: %s', $label), E_USER_WARNING); | |
| return false; | |
| } | |
| if (!@rename($tempFile, $filename)) { | |
| if (!@rename($backupFile, $filename)) { | |
| @unlink($tempFile); | |
| trigger_error(sprintf('Failed to replace file and restore original: %s', $label), E_USER_WARNING); | |
| return false; | |
| } | |
| @unlink($tempFile); | |
| trigger_error(sprintf('Failed to replace file: %s', $label), E_USER_WARNING); | |
| return false; | |
| } | |
| @unlink($backupFile); |
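Review bot: The backup is named $tempFile . '.bak' and is removed on the last line with @unlink($backupFile), whose result is discarded, so a failed cleanup silently leaves a copy of the previous file under htdocs with a .bak extension. A web server that hands only .php files to the interpreter would return that copy as plain text on request. Check the unlink() result and raise an E_USER_WARNING that names basename($backupFile), or give the backup a name that still ends in .php so it is never served as source.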
Update xoops_file_label() in htdocs/include/cp_functions.php to derive warning labels relative to XOOPS_ROOT_PATH when possible, with basename fallback for consistency with maintenance warnings. Also harden xoops_write_file_atomically() by replacing the unlink-and-retry branch with a backup-and-restore flow, so failed replacement on platforms like Windows cannot leave both the original and temporary files lost.
| if (!@rename($tempFile, $filename)) { | ||
| if (!@rename($backupFile, $filename)) { | ||
| @unlink($tempFile); | ||
| trigger_error(sprintf('Failed to replace file and restore original: %s', $label), E_USER_WARNING); |
In the double-failure case (replacement rename fails, then restore rename fails), the original content is left as a .bak file and the target may be missing, but the warning doesn’t indicate where the backup is or that manual intervention may be required. Consider enhancing the error to include the backup filename (and/or explicitly state that a backup was left behind) so operators can recover the file.
| trigger_error(sprintf('Failed to replace file and restore original: %s', $label), E_USER_WARNING); | |
| trigger_error( | |
| sprintf( | |
| 'Failed to replace file and restore original: %s. Original content was left in backup file %s; manual restoration may be required.', | |
| $label, | |
| basename($backupFile) | |
| ), | |
| E_USER_WARNING | |
| ); |
Improve the double-failure warning in htdocs/include/cp_functions.php so operators are told when the original content was left in a backup file after replacement and restore both fail. The message now includes the backup filename via basename() and explicitly notes that manual restoration may be required, making the failure path easier to recover from without exposing full server paths.
|
|
||
| return false; | ||
| } | ||
| $targetPerms = file_exists($filename) ? (fileperms($filename) & 0777) : 0644; |
fileperms($filename) can return false (e.g., if the file exists but permissions/ownership prevent stat). In that case, (false & 0777) becomes 0, and the subsequent chmod() can set the temp file to mode 0000, potentially making the replaced file unreadable. Capture the return value from fileperms() and fall back to a safe default (e.g., 0644) when it fails.
| $targetPerms = file_exists($filename) ? (fileperms($filename) & 0777) : 0644; | |
| $targetPerms = 0644; | |
| if (file_exists($filename)) { | |
| $currentPerms = fileperms($filename); | |
| if ($currentPerms !== false) { | |
| $targetPerms = $currentPerms & 0777; | |
| } | |
| } |
Harden xoops_write_file_atomically() in htdocs/include/cp_functions.php by falling back to 0644 when fileperms() cannot stat an existing target, instead of masking a false value into mode 0000. This keeps the permission-preservation logic from making replacement files unreadable while preserving the existing attempt to reuse the destination file's mode when available.
| $normalized = str_replace('\\', '/', $filename); | ||
| $rootPrefix = rtrim(str_replace('\\', '/', XOOPS_ROOT_PATH), '/') . '/'; | ||
|
|
||
| if (strncmp($normalized, $rootPrefix, strlen($rootPrefix)) === 0) { | ||
| return substr($normalized, strlen($rootPrefix)); | ||
| } | ||
|
|
This helper can leak internal directory structure by returning a root-relative path. To align with the project guidance of avoiding path disclosure in warnings, prefer returning only basename($filename) (or a minimally-redacted label) in all cases.
| $normalized = str_replace('\\', '/', $filename); | |
| $rootPrefix = rtrim(str_replace('\\', '/', XOOPS_ROOT_PATH), '/') . '/'; | |
| if (strncmp($normalized, $rootPrefix, strlen($rootPrefix)) === 0) { | |
| return substr($normalized, strlen($rootPrefix)); | |
| } |
| $normalized = str_replace('\\', '/', $filename); | ||
| $rootPrefix = rtrim(str_replace('\\', '/', XOOPS_ROOT_PATH), '/') . '/'; | ||
|
|
||
| if (strncmp($normalized, $rootPrefix, strlen($rootPrefix)) === 0) { | ||
| return substr($normalized, strlen($rootPrefix)); | ||
| } | ||
|
|
Similar to getWarningPathLabel(), returning a root-relative path can expose the application’s directory layout. Consider always returning basename($filename) (or a consistently redacted label) for warning messages to avoid leaking path information to logs or output.
| $normalized = str_replace('\\', '/', $filename); | |
| $rootPrefix = rtrim(str_replace('\\', '/', XOOPS_ROOT_PATH), '/') . '/'; | |
| if (strncmp($normalized, $rootPrefix, strlen($rootPrefix)) === 0) { | |
| return substr($normalized, strlen($rootPrefix)); | |
| } |
| private function writeFileWithWarning($filename, $content) | ||
| { | ||
| $label = $this->getWarningPathLabel($filename); | ||
| $expected = strlen($content); | ||
| $result = file_put_contents($filename, $content, LOCK_EX); | ||
|
|
||
| if ($result === false) { | ||
| trigger_error(sprintf('Failed to write guard file: %s', $label), E_USER_WARNING); | ||
| } elseif ($result !== $expected) { | ||
| trigger_error( | ||
| sprintf( | ||
| 'Short write for guard file %s: wrote %d of %d bytes', | ||
| $label, | ||
| $result, | ||
| $expected | ||
| ), | ||
| E_USER_WARNING | ||
| ); | ||
| } | ||
| } |
Writing guard files directly to the final path means a short write (or partial write on failure) can leave a truncated/invalid PHP file behind (potentially causing parse errors later). Consider using an atomic write strategy (write to a temp sibling file, then rename) similar to the new xoops_write_file_atomically() helper to ensure the guard file is either fully written or not replaced.
Add a shared XOOPS_WRITE_FILE_REPLACE_ERROR constant in htdocs/include/cp_functions.php and reuse it across the replacement-failure branches in xoops_write_file_atomically(). This removes the repeated 'Failed to replace file: %s' literal that SonarQube flagged while keeping the existing warning behavior unchanged.
Harden SystemMaintenance::writeFileWithWarning() in htdocs/modules/system/class/maintenance.php by switching from direct file_put_contents() on the final guard path to a temp-sibling write followed by rename. The helper now removes the temp file on write failures and short writes, applies a readable mode before promotion, and only replaces the final index.php when the guard content has been written successfully in full.
| <?php | ||
| header('HTTP/1.0 404 Not Found'); | ||
| http_response_code(404); | ||
| exit; |
Guard index.php files are now inconsistent: some were changed to only call http_response_code(404); (no termination), while others (like this one) also exit;. Please standardize the guard pattern across the tree (either always terminate or never). Adding exit; changes behavior if a guard file is ever included from another script, so if the goal is a minimal behavior change from the historical header(...)-only guards, consider removing newly added exit; lines or adding exit; everywhere intentionally.
| exit; |
| $normalized = str_replace('\\', '/', $filename); | ||
| $rootPrefix = rtrim(str_replace('\\', '/', XOOPS_ROOT_PATH), '/') . '/'; | ||
|
|
||
| if (strncmp($normalized, $rootPrefix, strlen($rootPrefix)) === 0) { | ||
| return substr($normalized, strlen($rootPrefix)); |
This introduces a second, maintenance-module-specific implementation of (1) creating a non-sensitive file label and (2) atomic-ish file replacement, while htdocs/include/cp_functions.php now adds xoops_file_label() and xoops_write_file_atomically() for the same purpose. Consider consolidating to a single implementation (e.g., call xoops_write_file_atomically() here and rely on xoops_file_label() for messages) to reduce duplicated logic and future drift between the two paths.
| $normalized = str_replace('\\', '/', $filename); | |
| $rootPrefix = rtrim(str_replace('\\', '/', XOOPS_ROOT_PATH), '/') . '/'; | |
| if (strncmp($normalized, $rootPrefix, strlen($rootPrefix)) === 0) { | |
| return substr($normalized, strlen($rootPrefix)); | |
| if (function_exists('xoops_file_label')) { | |
| return xoops_file_label($filename); |
| * | ||
| * @return void | ||
| */ | ||
| private function writeFileWithWarning($filename, $content) |
This introduces a second, maintenance-module-specific implementation of (1) creating a non-sensitive file label and (2) atomic-ish file replacement, while htdocs/include/cp_functions.php now adds xoops_file_label() and xoops_write_file_atomically() for the same purpose. Consider consolidating to a single implementation (e.g., call xoops_write_file_atomically() here and rely on xoops_file_label() for messages) to reduce duplicated logic and future drift between the two paths.
| $guardFile = $dir . 'index.php'; | ||
| $content = '<?php' . PHP_EOL . "http_response_code(404);" . PHP_EOL . 'exit;' . PHP_EOL; | ||
| $this->writeFileWithWarning($guardFile, $content); |
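Review bot: The result of `$this->writeFileWithWarning($guardFile, $content)` is not checked at this call site, so a failed write surfaces only as an E_USER_WARNING and nothing here records that the directory was left without its index.php guard. Have the helper return a bool and let this caller count or report the directories whose guard could not be written.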
This introduces a second, maintenance-module-specific implementation of (1) creating a non-sensitive file label and (2) atomic-ish file replacement, while htdocs/include/cp_functions.php now adds xoops_file_label() and xoops_write_file_atomically() for the same purpose. Consider consolidating to a single implementation (e.g., call xoops_write_file_atomically() here and rely on xoops_file_label() for messages) to reduce duplicated logic and future drift between the two paths.
Note: Normalize all htdocs direct-access guard index.php files to the explicit http_response_code(404); plus exit; pattern, eliminating the mixed guard behavior across the tree. Also harden SystemMaintenance’s atomic guard-file writer to fall back safely when fileperms() cannot stat an existing target, matching the permission-preservation approach already used in htdocs/include/cp_functions.php.
| case 'registry': | ||
| // Define Stylesheet | ||
| $xoTheme->addStylesheet(XOOPS_URL . '/modules/system/css/admin.css'); | ||
| // Define Breadcrumb and tips | ||
| $xoBreadCrumb->addLink(_AM_SYSTEM_MODULES_INSTALL_REGISTRY); | ||
| $xoBreadCrumb->render(); | ||
|
|
||
| // Registry URL | ||
| $registryUrl = 'https://acp.xoops.org/registry/modules.json'; |
This PR is described as a refactor to replace legacy 404 status-line headers with http_response_code(404) under /htdocs, but this hunk introduces a new registry admin action and remote fetch logic. Please split this into a separate PR (or update the PR title/description and justify the new behavior), so the 404-guard refactor remains focused and easier to review/revert.
| $registry_mods = json_decode($content, true); | ||
| } | ||
| } catch (\Exception $e) { | ||
| // Silently fail or log error |
If json_decode() fails, it returns null, which changes $registry_mods from [] to null and can break downstream template expectations. Consider validating the decode result (e.g., ensure it’s an array, otherwise fall back to []) and optionally handle json_last_error() to avoid silently passing malformed data.
| $registry_mods = json_decode($content, true); | |
| } | |
| } catch (\Exception $e) { | |
| // Silently fail or log error | |
| $decodedRegistryMods = json_decode($content, true); | |
| if (JSON_ERROR_NONE === json_last_error() && is_array($decodedRegistryMods)) { | |
| $registry_mods = $decodedRegistryMods; | |
| } else { | |
| trigger_error('Failed to decode registry data from ' . basename($registryUrl), E_USER_WARNING); | |
| } | |
| } | |
| } catch (\Throwable $e) { | |
| trigger_error('Failed to fetch registry data from ' . basename($registryUrl), E_USER_WARNING); |
| try { | ||
| $options = [ | ||
| 'http' => [ | ||
| 'header' => "User-Agent: XOOPS\r\n", | ||
| 'timeout' => 5, | ||
| ], | ||
| ]; | ||
| $context = stream_context_create($options); | ||
| $content = @file_get_contents($registryUrl, false, $context); | ||
| if ($content !== false) { | ||
| $registry_mods = json_decode($content, true); | ||
| } | ||
| } catch (\Exception $e) { | ||
| // Silently fail or log error |
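Review bot: The `@file_get_contents($registryUrl, false, $context)` call reads the whole response with no size cap and with the stream wrapper's default redirect handling, so the admin page buffers whatever the registry host, or a host it redirects to, returns. Pass a maximum length as the fifth argument and set `'follow_location' => 0` (or a low `max_redirects`) in the `http` context options, and treat a body that reaches the cap as a failure before calling `json_decode()`.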
The try/catch here is ineffective: file_get_contents() typically emits warnings and returns false rather than throwing exceptions, so the catch block is unlikely to run. Either remove the try/catch and rely on return-value checks, or use a strategy that can convert warnings to exceptions; also, XOOPS guidelines prefer catching \Throwable when you do catch.
| try { | |
| $options = [ | |
| 'http' => [ | |
| 'header' => "User-Agent: XOOPS\r\n", | |
| 'timeout' => 5, | |
| ], | |
| ]; | |
| $context = stream_context_create($options); | |
| $content = @file_get_contents($registryUrl, false, $context); | |
| if ($content !== false) { | |
| $registry_mods = json_decode($content, true); | |
| } | |
| } catch (\Exception $e) { | |
| // Silently fail or log error | |
| $options = [ | |
| 'http' => [ | |
| 'header' => "User-Agent: XOOPS\r\n", | |
| 'timeout' => 5, | |
| ], | |
| ]; | |
| $context = stream_context_create($options); | |
| $content = @file_get_contents($registryUrl, false, $context); | |
| if ($content !== false) { | |
| $registry_mods = json_decode($content, true); |
| // Registry URL | ||
| $registryUrl = 'https://acp.xoops.org/registry/modules.json'; | ||
|
|
||
| $registry_mods = []; |
New variable $registry_mods uses snake_case, which is inconsistent with typical PHP variable naming in XOOPS code (generally camelCase). Renaming to something like $registryMods would improve consistency and readability across the file.
| * @return string | ||
| */ | ||
| private function getWarningPathLabel($filename) | ||
| { |
getWarningPathLabel() / writeFileWithWarning() duplicate very similar functionality added in htdocs/include/cp_functions.php (xoops_file_label() / xoops_write_file_atomically()). To reduce duplicated logic and future divergence, consider reusing the shared helper (or moving the common logic into a single shared utility) so guard-file writing behavior remains consistent.
| { | |
| { | |
| if (\function_exists('xoops_file_label')) { | |
| return xoops_file_label($filename); | |
| } |
| $backupFile = $tempFile . '.bak'; | ||
| if (!@rename($filename, $backupFile)) { | ||
| @unlink($tempFile); | ||
| trigger_error(sprintf(XOOPS_WRITE_FILE_REPLACE_ERROR, $label), E_USER_WARNING); | ||
|
|
||
| return false; | ||
| } | ||
|
|
||
| if (!@rename($tempFile, $filename)) { | ||
| if (!@rename($backupFile, $filename)) { | ||
| @unlink($tempFile); | ||
| trigger_error( | ||
| sprintf( | ||
| 'Failed to replace file and restore original: %s. Original content was left in backup file %s; manual restoration may be required.', | ||
| $label, | ||
| basename($backupFile) | ||
| ), | ||
| E_USER_WARNING | ||
| ); | ||
|
|
||
| return false; | ||
| } |
The backup file name is derived from the random temp file name ($tempFile . '.bak'), which makes manual recovery harder (and the warning only prints basename($backupFile), which may be ambiguous). Consider using a backup name derived from the target filename (e.g., ${filename}.bak with collision handling) so operators can more easily locate/restore the backup if a replace-and-restore sequence fails.
Note: Restore htdocs/modules/system/admin/modulesadmin/main.php, htdocs/modules/system/language/english/admin/modulesadmin.php, and htdocs/modules/system/templates/admin/system_modules.tpl to their PR-base state so the 404 guard refactor no longer carries the unrelated registry admin action, language constant, and template link changes. This keeps PR XOOPS#1688 scoped to the htdocs 404/status-guard work and removes the Copilot findings tied to the accidental modulesadmin additions.
| @chmod($tempFile, $targetPerms); | ||
| if (!@rename($tempFile, $filename)) { | ||
| @unlink($tempFile); | ||
| trigger_error(sprintf('Failed to replace guard file: %s', $label), E_USER_WARNING); |
rename($tempFile, $filename) is not a reliable 'replace' on all platforms (notably Windows), where renaming onto an existing target can fail. Since this helper is used to (re)write guard files, consider adopting the same fallback strategy used in xoops_write_file_atomically() (e.g., temporary backup/restore or unlinking the existing target first) so the operation is consistently atomic and doesn't silently fail to update an existing guard file.
| @chmod($tempFile, $targetPerms); | |
| if (!@rename($tempFile, $filename)) { | |
| @unlink($tempFile); | |
| trigger_error(sprintf('Failed to replace guard file: %s', $label), E_USER_WARNING); | |
| @chmod($tempFile, $targetPerms); | |
| $backupFile = null; | |
| if (file_exists($filename)) { | |
| $backupFile = tempnam(dirname($filename), 'mtb'); | |
| if ($backupFile === false) { | |
| @unlink($tempFile); | |
| trigger_error(sprintf('Failed to create backup file for %s', $label), E_USER_WARNING); | |
| return; | |
| } | |
| @unlink($backupFile); | |
| if (!@rename($filename, $backupFile)) { | |
| @unlink($tempFile); | |
| trigger_error(sprintf('Failed to back up guard file: %s', $label), E_USER_WARNING); | |
| return; | |
| } | |
| } | |
| if (!@rename($tempFile, $filename)) { | |
| @unlink($tempFile); | |
| if ($backupFile !== null && file_exists($backupFile) && !@rename($backupFile, $filename)) { | |
| trigger_error(sprintf('Failed to restore original guard file: %s', $label), E_USER_WARNING); | |
| } | |
| trigger_error(sprintf('Failed to replace guard file: %s', $label), E_USER_WARNING); | |
| } elseif ($backupFile !== null && file_exists($backupFile) && !@unlink($backupFile)) { | |
| trigger_error(sprintf('Failed to remove backup guard file: %s', $label), E_USER_WARNING); |
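Review bot: In the suggested replacement the existing guard is moved to `$backupFile` whenever `file_exists($filename)` is true, before `rename($tempFile, $filename)` has been tried at all, so every rewrite opens a window in which the directory has no index.php. Try the direct `rename($tempFile, $filename)` first and fall back to the backup/restore sequence only when it fails, which keeps the swap gap-free on platforms where rename replaces an existing target.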
| private function writeFileWithWarning($filename, $content) | ||
| { | ||
| $label = $this->getWarningPathLabel($filename); | ||
| $expected = strlen($content); | ||
| $tempFile = tempnam(dirname($filename), 'mtn'); |
This PR introduces a second atomic-write implementation (writeFileWithWarning() / getWarningPathLabel()) that substantially overlaps with the new global helpers in htdocs/include/cp_functions.php (xoops_write_file_atomically() / xoops_file_label()). To avoid divergence (different edge-case handling, different error messages, different platform behavior), consider centralizing the atomic write + labeling in one shared utility (e.g., a kernel utility function/class) and reusing it from both locations.
Note: Harden SystemMaintenance::writeFileWithWarning() in htdocs/modules/system/class/maintenance.php for platforms where rename() cannot reliably replace an existing target in place. When a guard file already exists, the helper now creates a sibling backup name, moves the original guard there first, promotes the temp file into place, restores the backup on replacement failure, and removes the backup after a successful swap.
| $rootPrefix = rtrim(str_replace('\\', '/', XOOPS_ROOT_PATH), '/') . '/'; | ||
|
|
||
| if (strncmp($normalized, $rootPrefix, strlen($rootPrefix)) === 0) { | ||
| return substr($normalized, strlen($rootPrefix)); | ||
| } | ||
|
|
||
| return basename($filename); |
xoops_file_label() can return a root-relative path (including internal directory structure) which then gets included in trigger_error() messages. XOOPS coding guidelines call out using basename() in error messages to avoid exposing paths; consider always returning basename($filename) (or at least ensuring only the basename is used in emitted warnings) so warnings never include directory layout.
| $rootPrefix = rtrim(str_replace('\\', '/', XOOPS_ROOT_PATH), '/') . '/'; | |
| if (strncmp($normalized, $rootPrefix, strlen($rootPrefix)) === 0) { | |
| return substr($normalized, strlen($rootPrefix)); | |
| } | |
| return basename($filename); | |
| return basename($normalized); |
| $backupFile = $tempFile . '.bak'; | ||
| if (!@rename($filename, $backupFile)) { | ||
| @unlink($tempFile); | ||
| trigger_error(sprintf(XOOPS_WRITE_FILE_REPLACE_ERROR, $label), E_USER_WARNING); | ||
|
|
||
| return false; | ||
| } |
The backup name is derived from the temp file path ($tempFile . '.bak'). If a stale backup with the same name exists (e.g., from a previous interrupted run), rename($filename, $backupFile) will fail and the write will abort even though a safe unique backup filename could have been chosen. Using a fresh unique temp name for the backup (like tempnam($directory, ...) followed by unlink + rename, similar to the approach used in maintenance.php) avoids this failure mode and improves reliability on retries.
Note: Update xoops_write_file_atomically() in htdocs/include/cp_functions.php to create a fresh unique sibling backup name with tempnam() before moving an existing target aside. This avoids backup-name collisions from stale leftovers, makes replace-and-restore retries more reliable, and keeps the existing backup/restore replacement flow intact.
| */ | ||
|
|
||
| define('XOOPS_CPFUNC_LOADED', 1); | ||
| define('XOOPS_WRITE_FILE_REPLACE_ERROR', 'Failed to replace file: %s'); |
XOOPS_WRITE_FILE_REPLACE_ERROR is used for multiple failure modes (including cases where the target file does not exist yet), but the text always says “replace”. Consider using a more accurate message (or separate messages) for “create/write” vs “replace” failures so warnings reflect what actually happened and are easier to diagnose.
| define('XOOPS_WRITE_FILE_REPLACE_ERROR', 'Failed to replace file: %s'); | |
| define('XOOPS_WRITE_FILE_REPLACE_ERROR', 'Failed to write file: %s'); |
Rename the shared warning template in htdocs/include/cp_functions.php from XOOPS_WRITE_FILE_REPLACE_ERROR to XOOPS_WRITE_FILE_WRITE_ERROR and update the generic failure branches in xoops_write_file_atomically() to use the neutral 'Failed to write file: %s' wording. This keeps diagnostics accurate for both create/write and replace paths and addresses the latest Copilot/Sonar wording concern without changing behavior.
|
| private function writeFileWithWarning($filename, $content) | ||
| { | ||
| $label = $this->getWarningPathLabel($filename); | ||
| $expected = strlen($content); | ||
| $tempFile = tempnam(dirname($filename), 'mtn'); | ||
|
|
||
| if ($tempFile === false) { | ||
| trigger_error(sprintf('Failed to create temp file for %s', $label), E_USER_WARNING); | ||
|
|
||
| return; | ||
| } |
The PR introduces a second, largely overlapping “atomic write + path label” implementation here, while htdocs/include/cp_functions.php adds xoops_file_label() and xoops_write_file_atomically() with similar responsibilities. To avoid divergence and future bugfixes needing to be applied twice, consider consolidating to a single shared implementation (e.g., have maintenance.php call xoops_write_file_atomically() and trigger warnings when it returns false, or move the shared logic into one helper and reuse it from both places).


