From 52f482f613ad8838e5d9777cdc534ceb102b629f Mon Sep 17 00:00:00 2001 From: tomaioo Date: Sun, 24 May 2026 23:12:49 -0700 Subject: [PATCH] fix(security): potential information disclosure via phpinfo() end The PageController exposes a phpinfo() endpoint that renders PHP configuration details when enabled via app config. While protected by a config flag, if enabled, phpinfo(INFO_ALL & ~INFO_ENVIRONMENT & ~INFO_VARIABLES) still exposes extensive server information including loaded extensions, compilation options, and server paths. This could aid attackers in reconnaissance. The PhpInfoResponse class sets ContentSecurityPolicy and FeaturePolicy but the raw phpinfo output still contains sensitive data. Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com> --- lib/Controller/PageController.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/Controller/PageController.php b/lib/Controller/PageController.php index b682b12c..e0b263d1 100644 --- a/lib/Controller/PageController.php +++ b/lib/Controller/PageController.php @@ -17,6 +17,7 @@ use OCP\AppFramework\Http\Response; use OCP\IConfig; use OCP\IRequest; +use OCP\IUserSession; class PageController extends Controller { public function __construct( @@ -24,6 +25,7 @@ public function __construct( IRequest $request, private SystemStatistics $systemStatistics, private IConfig $config, + private IUserSession $userSession, ) { parent::__construct($appName, $request); } @@ -43,7 +45,7 @@ public function update(): JSONResponse { * @NoCSRFRequired */ public function phpinfo(): Response { - if ($this->config->getAppValue($this->appName, 'phpinfo', 'no') === 'yes') { + if ($this->config->getAppValue($this->appName, 'phpinfo', 'no') === 'yes' && $this->userSession->isLoggedIn() && $this->userSession->getUser()?->isAdmin()) { return new PhpInfoResponse(); } return new NotFoundResponse();