Boost: remove the ABSPATH from log messages in case logs are made public (#36174)

donnchawp · web-flow · commit f2ba4b071eba · 2024-03-05T10:41:16.000Z
* Remove local directories from log messages, for security reasons

* changelog

* Remove ABSPATH completely, so only web accessible paths show

* Replace ABSPATH with "[...]/" instead
diff --git a/projects/plugins/boost/app/modules/optimizations/page-cache/pre-wordpress/Logger.php b/projects/plugins/boost/app/modules/optimizations/page-cache/pre-wordpress/Logger.php
@@ -102,6 +102,9 @@ public function log( $message ) {
 		// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized, WordPress.Security.ValidatedSanitizedInput.MissingUnslash
 		$request_uri = htmlspecialchars( isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '<unknown request uri>', ENT_QUOTES, 'UTF-8' );
 
+		// don't log the ABSPATH constant. Logs may be copied to a public forum.
+		$message = str_replace( ABSPATH, '[...]/', $message );
+
 		// phpcs:ignore WordPress.WP.AlternativeFunctions.json_encode_json_encode
 		$line = json_encode(
 			array(
diff --git a/projects/plugins/boost/changelog/update-boost-log-abspath b/projects/plugins/boost/changelog/update-boost-log-abspath
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Boost: remove the ABSPATH from log messages in case the logs are made public
